[Nfdump-discuss] Double counting with pfsense and softflowd

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

All,

I'm using pfSense 2.2.4 with softflowd 1.2.1 exporting Netflow v5 packets to nfsen with nfdump: Version: NSEL-NEL1.6.11 and I'm seeing double counting of the bps.

If I generate a 10Mbps flow through the pfSense firewall with iperf, it's being displayed as 20Mbps.  The pfSense counters show it correctly as 10Mbps.

It looks like softflowd is sending the records twice, as I see the following in the nfcapd files:

# nfdump -r nfcapd.201511201555
Date first seen          Event  XEvent Proto      Src IP Addr:Port          Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte Out Byte
2015-11-20 15:50:22.588 IGNORE  Ignore UDP      172.22.37.250:55138 ->       128.18.1.1:5001           0.0.0.0:0     ->          0.0.0.0:0      382.7 M        0
2015-11-20 15:50:29.099 IGNORE  Ignore UDP      172.22.37.250:55138 ->       128.18.1.1:5001           0.0.0.0:0     ->          0.0.0.0:0      386.5 M        0

Has anyone else seen this?

Is there a way to get nfsen/nfdump to ignore the duplicates (if that is what they are)?

Thks,
GB

--
Garrett Burke
VP Engineering
Egenera Inc. | Converge. Unify. Simplify.
00-353-1-9022868 (office)

http://www.egenera.com
http://blog.egenera.com
http://www.facebook.com/#!/pages/Egenera/74312707811
http://twitter.com/#!/Egenera
http://www.linkedin.com/company/7909?trk=tyah

[Nfdump-discuss] Double counting with pfsense and softflowd

netflow collecting and processing tools

[Nfdump-discuss] Double counting with pfsense and softflowd