[Nfsen-discuss] duplicate flows
From: <ced...@gm...> - 2006-07-25 09:01:33
Hi nf-users,

I have been using nfsen and nfcapd for a few weeks, and I'm now trying to install a scan detector on my network. Ipflow's one seems an efficient one. As I still want to use nfsen, I need to duplicate the flows I receive to 2 other ports.

I tried Pascal Gloor's nfsplit tool but can't find how to duplicate all traffic coming from a defined router. Using this config:

local:129.20.x.x:9998
flow:129.20.y.z:0:129.20.x.x:9995

doesn't seem to work: nfsplit runs correctly, but looking with ethereal, nothing comes in on port 9995. Maybe there isn't any option to re-export all flows.

I also tried the netmet tool (netMetdup), a very simple one, but once it is running, the flows coming in on port 9995 seem not to contain data (headers?).

Another solution could be to declare another destination/port on the router, but there is a limit of 2 addresses and the IOS refuses to export twice to the same destination address.

Has anybody had this problem? Is there another way to duplicate flows?

I'm running Ubuntu 6 on a Dell GX270. nfsen works properly without the duplicator (so the flows are well formed by the routers). A Cisco 6513 exports V5 netflows and a 7204 exports V9 flows. The same problem appears on both.

Thanks for your help.
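An added example, not part of the original post and not code from nfsplit or netMetdup: a minimal UDP fan-out that forwards each export datagram byte-for-byte to several collectors, checking first that it carries a plausible NetFlow v5 or v9 header. The listen address and the two collector addresses are assumed placeholders.

```python
import socket
import struct

# Assumed placeholder addresses (not from the post): one listener, two collectors.
LISTEN = ("0.0.0.0", 9998)
COLLECTORS = [("127.0.0.1", 9995), ("127.0.0.1", 9996)]

V5_HEADER_LEN, V5_RECORD_LEN = 24, 48
V9_HEADER_LEN = 20


def netflow_summary(datagram):
    """Return (version, count) if the datagram looks like NetFlow v5/v9, else None."""
    if len(datagram) < 4:
        return None
    # Both versions start with a 16-bit version and a 16-bit record/flowset count.
    version, count = struct.unpack("!HH", datagram[:4])
    if version == 5:
        # v5 is fixed-size: 24-byte header plus `count` 48-byte records.
        if len(datagram) != V5_HEADER_LEN + count * V5_RECORD_LEN:
            return None
    elif version == 9:
        # v9 flowsets vary in size; only the 20-byte header can be checked here.
        if len(datagram) < V9_HEADER_LEN:
            return None
    else:
        return None
    return version, count


def fan_out(datagram, sock, collectors):
    """Send the unmodified datagram to every collector; return the number of sends."""
    sent = 0
    for dest in collectors:
        sock.sendto(datagram, dest)
        sent += 1
    return sent


def main():
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(LISTEN)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        datagram, exporter = rx.recvfrom(65535)
        if netflow_summary(datagram) is None:
            print("dropping %d non-NetFlow bytes from %s" % (len(datagram), exporter[0]))
            continue
        fan_out(datagram, tx, COLLECTORS)


if __name__ == "__main__":
    main()
```

Datagrams relayed this way arrive at the collectors with the relay host's source address rather than the router's, which matters for any collector that identifies the exporter by source IP.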