The ng_netflow node implements Cisco's NetFlow export protocol on a router running
FreeBSD.
The ng_netflow node listens for incoming traffic and identifies unique flows in it.
Flows are distinguished by endpoint IP addresses, TCP/UDP port numbers,
ToS and input interface.
Expired flows are exported out of the node in NetFlow version 5 UDP datagrams.
The expiration reason can be one of the following:

     RST or FIN TCP segment.
     Active timeout.
          Flows cannot live longer than the specified period of time.
          The default is 1800 seconds (30 minutes).
     Inactive timeout.
          A flow was inactive for the specified period of time.
          The default is 15 seconds.

Export information is stored in NetFlow version 5 datagrams.
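As an added illustration of the flow-identification and expiration rules just described (example code written for this page, not part of ng_netflow or FreeBSD), the following Python model keeps a flow cache keyed by the fields listed above and exports entries for the three documented reasons. It assumes, as a simplification, that the timeouts are checked on every packet rather than from a periodic timer, and the packet timeline in demo() is constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Defaults as documented for the node: 1800 s active, 15 s inactive.
ACTIVE_TIMEOUT = 1800
INACTIVE_TIMEOUT = 15
TH_FIN, TH_SYN, TH_RST = 0x01, 0x02, 0x04

# Flow key as the page describes it: endpoint addresses, ports, ToS, input iface.
FlowKey = Tuple[str, str, int, int, int, int]


@dataclass
class FlowEntry:
    first: float          # time the first packet of the flow was seen
    last: float           # time the most recent packet was seen
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0    # OR of all TCP flags seen, as a v5 record carries it


@dataclass
class ExportedFlow:
    key: FlowKey
    packets: int
    octets: int
    reason: str           # "fin/rst", "active" or "inactive"


class FlowCache:
    """Toy model of the node's flow cache (constructed for this example)."""

    def __init__(self, active: int = ACTIVE_TIMEOUT, inactive: int = INACTIVE_TIMEOUT):
        self.active = active
        self.inactive = inactive
        self.cache: Dict[FlowKey, FlowEntry] = {}
        self.exported: List[ExportedFlow] = []

    def _export(self, key: FlowKey, reason: str) -> None:
        e = self.cache.pop(key)
        self.exported.append(ExportedFlow(key, e.packets, e.octets, reason))

    def expire(self, now: float) -> None:
        # Assumption: timeouts are checked here on every call; the real node
        # uses a periodic timer, but the two rules are the same.
        for key, e in list(self.cache.items()):
            if now - e.first >= self.active:
                self._export(key, "active")
            elif now - e.last >= self.inactive:
                self._export(key, "inactive")

    def packet(self, now: float, src: str, dst: str, sport: int, dport: int,
               tos: int, iface: int, length: int, tcp_flags: int = 0) -> None:
        self.expire(now)
        key: FlowKey = (src, dst, sport, dport, tos, iface)
        e = self.cache.get(key)
        if e is None:
            e = FlowEntry(first=now, last=now)
            self.cache[key] = e
        e.last = now
        e.packets += 1
        e.octets += length
        e.tcp_flags |= tcp_flags
        # A RST or FIN segment ends the flow immediately, whatever the timers say.
        if tcp_flags & (TH_FIN | TH_RST):
            self._export(key, "fin/rst")


def demo() -> List[ExportedFlow]:
    """Constructed packet timeline exercising all three expiration reasons."""
    fc = FlowCache()
    # 1. Short TCP session on input interface 5, closed by FIN.
    fc.packet(0.0, "10.0.0.2", "192.0.2.10", 40000, 80, 0, 5, 60, TH_SYN)
    fc.packet(0.1, "10.0.0.2", "192.0.2.10", 40000, 80, 0, 5, 1500)
    fc.packet(0.2, "10.0.0.2", "192.0.2.10", 40000, 80, 0, 5, 60, TH_FIN)
    # 2. One UDP DNS query, then silence: goes out on the inactive timeout.
    fc.packet(1.0, "10.0.0.2", "192.0.2.53", 5353, 53, 0, 5, 80)
    # 3. UDP stream sending every 10 s for ~31 minutes: hits the active timeout
    #    once at t = 1802 and continues as a new flow afterwards.
    for t in range(0, 1900, 10):
        fc.packet(2.0 + t, "10.0.0.3", "192.0.2.20", 5004, 5004, 0x10, 5, 200)
    fc.expire(1910.0)   # final sweep: the remainder of the stream is now idle
    return fc.exported


if __name__ == "__main__":
    for f in demo():
        print(f"{f.key[0]}:{f.key[2]} -> {f.key[1]}:{f.key[3]} "
              f"pkts={f.packets} octets={f.octets} reason={f.reason}")
```

Running it exports four flows: the TCP session on its FIN, the DNS query on the inactive timeout, the first 1800 s of the stream on the active timeout, and the tail of the stream on the inactive timeout once the final sweep runs. Note that a long-lived connection therefore appears as several records whose timestamps abut; a collector must stitch them together by key rather than assume one record per connection.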
HOOKS
This node type supports up to NG_NETFLOW_MAXIFACES hooks named iface0, iface1, etc.,
and the same number of hooks named out0, out1, etc., plus a single hook named export.
The node does NetFlow accounting of data received on the iface* hooks.
If the corresponding out hook is connected, the unmodified data is bypassed to it;
otherwise the data is freed.
If data is received on an out hook, it is bypassed to the corresponding iface hook
without any processing.
When a full export datagram is built, it is sent to the export hook.
In normal operation, the export hook is connected to the inet/dgram/udp hook of
an ng_ksocket(4) node.
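What arrives on that UDP socket is a NetFlow version 5 export datagram. As an added example (written for this page, not code from ng_netflow or FreeBSD), the following Python encoder/decoder shows the v5 wire format a collector has to handle, the length and version checks a receiver should apply before trusting a datagram, and how the flow_sequence field exposes export datagrams lost in transit. The sample records, timestamps and sequence numbers are constructed; src_as and dst_as are left at 0 because, as the BUGS section notes, the node does not fill them in.

```python
import ipaddress
import struct
from typing import Any, Dict, List

# Wire layout of a NetFlow v5 export datagram, big-endian:
# a 24-byte header followed by up to 30 fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def build_v5_datagram(records: List[Dict[str, Any]], sys_uptime: int,
                      unix_secs: int, flow_sequence: int, engine_id: int = 0) -> bytes:
    """Encode flow records the way an exporter does (constructed example)."""
    if not 0 < len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(r["srcaddr"]).packed,
            ipaddress.IPv4Address(r["dstaddr"]).packed,
            ipaddress.IPv4Address(r.get("nexthop", "0.0.0.0")).packed,
            r["input"], r.get("output", 0),
            r["dpkts"], r["doctets"], r["first"], r["last"],
            r["srcport"], r["dstport"],
            0,                                          # pad1
            r.get("tcp_flags", 0), r["prot"], r.get("tos", 0),
            r.get("src_as", 0), r.get("dst_as", 0),     # left 0 by ng_netflow
            r.get("src_mask", 0), r.get("dst_mask", 0),
            0)                                          # pad2
        for r in records)
    return header + body


def parse_v5_datagram(data: bytes) -> Dict[str, Any]:
    """Collector-side decoder; rejects anything that is not a well-formed v5 datagram."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field {version})")
    if not 0 < count <= V5_MAX_RECORDS:
        raise ValueError(f"implausible record count {count}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} does not match {count} records ({expected})")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "srcaddr": str(ipaddress.IPv4Address(f[0])),
            "dstaddr": str(ipaddress.IPv4Address(f[1])),
            "nexthop": str(ipaddress.IPv4Address(f[2])),
            "input": f[3], "output": f[4],
            "dpkts": f[5], "doctets": f[6], "first": f[7], "last": f[8],
            "srcport": f[9], "dstport": f[10],
            "tcp_flags": f[12], "prot": f[13], "tos": f[14],
            "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18],
        })
    return {"version": version, "count": count, "sys_uptime": sys_uptime,
            "unix_secs": unix_secs, "flow_sequence": flow_sequence,
            "engine_id": engine_id, "sampling_interval": sampling,
            "records": records}


def sequence_gap(prev: Dict[str, Any], cur: Dict[str, Any]) -> int:
    """Flows lost between two consecutive datagrams from one exporter.
    flow_sequence is the running count of flows exported so far, so the next
    datagram should start at prev.flow_sequence + prev.count; a positive gap
    means export datagrams were dropped on the way to the collector."""
    return cur["flow_sequence"] - (prev["flow_sequence"] + prev["count"])


# Constructed sample records, as the node would export them for two expired flows.
SAMPLE_RECORDS = [
    {"srcaddr": "10.0.0.2", "dstaddr": "192.0.2.10", "input": 5, "dpkts": 3,
     "doctets": 1620, "first": 1000, "last": 1200, "srcport": 40000,
     "dstport": 80, "tcp_flags": 0x03, "prot": 6, "tos": 0},
    {"srcaddr": "10.0.0.2", "dstaddr": "192.0.2.53", "input": 5, "dpkts": 1,
     "doctets": 80, "first": 2000, "last": 2000, "srcport": 5353,
     "dstport": 53, "prot": 17, "tos": 0},
]


def demo() -> int:
    """Round-trip the samples and report the gap between two consecutive datagrams."""
    first = parse_v5_datagram(build_v5_datagram(SAMPLE_RECORDS, 5000, 1700000000, 100))
    second = parse_v5_datagram(build_v5_datagram(SAMPLE_RECORDS[:1], 6000, 1700000001, 110))
    return sequence_gap(first, second)   # 110 - (100 + 2) = 8 flows never arrived
```

Because the export hook speaks plain UDP, the collector has no transport-level loss signal; the sequence check in sequence_gap is the only way to notice that records were dropped between exporter and collector, and a receiver that skips the length check will happily read records out of whatever bytes follow a short datagram.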
CONTROL MESSAGES
This node type supports the generic control messages, plus the following:
NGM_NETFLOW_INFO
     Returns some node statistics and the current timeout values in a
     struct ng_netflow_info.
NGM_NETFLOW_IFINFO
     Returns information about the ifaceN hook.
     The hook number is passed as an argument.
NGM_NETFLOW_SETDLT
     Sets the data link type on the ifaceN hook.
     Currently, the supported types are raw IP datagrams and Ethernet.
     This message type uses struct ng_netflow_setdlt as an argument:

          struct ng_netflow_setdlt {
                  uint16_t iface; /* which iface to operate on */
                  uint8_t  dlt;   /* DLT_XXX from bpf.h */
          };

     The requested ifaceN hook must already be connected, otherwise the message
     send operation will return an error.
NGM_NETFLOW_SETIFINDEX
     In some cases, ng_netflow may be unable to determine the input interface
     index of a packet.
     This can happen if traffic enters the ng_netflow node before it comes to
     the system interface's input queue.
     An example of such a setup is capturing traffic between a synchronous data
     line and ng_iface(4).
     In this case, the input index should be associated with a given hook.
     The interface's index can be determined via if_nametoindex(3) from userland.
     This message requires struct ng_netflow_setifindex as an argument:

          struct ng_netflow_setifindex {
                  u_int16_t iface; /* which iface to operate on */
                  u_int16_t index; /* new index */
          };

     The requested ifaceN hook must already be connected, otherwise the message
     send operation will return an error.
NGM_NETFLOW_SETTIMEOUTS
     Sets values in seconds for the NetFlow active/inactive timeouts.
     This message requires struct ng_netflow_settimeouts as an argument.
NGM_NETFLOW_SHOW
     This control message asks a node to dump the entire contents of the flow cache.
     It is called from flowctl(8), not directly from ngctl(8).
     See also the BUGS section.
ASCII CONTROL MESSAGES
Most binary control messages have an ASCII equivalent.
The supported ASCII commands are:

NGM_NETFLOW_INFO
     "info"
NGM_NETFLOW_IFINFO
     "ifinfo %u"
NGM_NETFLOW_SETDLT
     "setdlt { iface = %u dlt = %u }"
NGM_NETFLOW_SETIFINDEX
     "setifindex { iface = %u index = %u }"
NGM_NETFLOW_SETTIMEOUTS
     "settimeouts { inactive = %u active = %u }"
SHUTDOWN
This node shuts down upon receipt of an NGM_SHUTDOWN control message, or when
all hooks have been disconnected.
EXAMPLES
The simplest possible configuration is one Ethernet interface, where
flow collecting is enabled.
This is a more complicated example of a router with 2 NetFlow-enabled interfaces,
fxp0 and ng0.
Note that the ng0: node in this example is connected to ng_tee(4).
The latter sends us a copy of the IP packets, which we analyze and free.
On fxp0: we do not use a tee, but send packets back to the ether node.

/usr/sbin/ngctl -f- <<-SEQ
# connect ng0's tee to the iface0 hook
mkpeer ng0:inet netflow right2left iface0
name ng0:inet.right2left netflow
# set DLT to raw mode
msg netflow: setdlt { iface=0 dlt=12 }
# set interface index (5 in this example)
msg netflow: setifindex { iface=0 index=5 }
# connect fxp0: to the iface1 and out1 hooks
connect fxp0: netflow: lower iface1
connect fxp0: netflow: upper out1
# create a ksocket node on the export hook, and configure it
# to send exports to the proper destination
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/10.0.0.1:4444
SEQ
AUTHORS
The ng_netflow node type was written by Gleb Smirnoff <glebius@FreeBSD.org>,
based on ng_ipacct written by Roman V. Palagin <romanp@unshadow.net>.
BUGS
The cache snapshot obtained via the NGM_NETFLOW_SHOW command may lack some
percentage of entries under severe load.
The ng_netflow node type does not fill in AS numbers.
This is due to the lack of the necessary information in the kernel routing table.
However, this information can be injected into the kernel from a routing daemon
such as GNU Zebra.
This functionality may become available in future releases.