[netsa-tools-discuss] Is it possible to filter by device with Flowviewer if flow records are reported with overlaps?
Marius
wishinet at gmail.com
Fri Mar 18 07:05:23 EDT 2016
Hi,
we have multiple Netflow devices reporting into rwflowpack / SiLK.
We log them into the standard class all in SiLK.
The sensors.conf is below.
* I have 2 border routers which send Netflow v9 to the SiLK box.
* And I have 1 network security appliance which sends Netflow to the SiLK box.
The appliance generates the flow records from mirrored traffic. There is an overlap here, which is intended for monitoring purposes (to account for the scope).
Due to this overlap I get the flows reported twice when I query in
FlowGrapher, even though I select a device (like router1).
The reason for this is that Flowviewer uses
--data-rootdir=/data/ --type=all
for the SiLK selection query. It does not use the
--sensor parameter like this:
/usr/local/bin/rwfilter --sensor=lhrEdge --proto=0-255 --pass=stdout
--type=all | rwcut | tail
The Device Name label in FlowViewer appears to be unused for SiLK if I am
correct.
Is there any way to change this?
Best,
Marius
p.s.: the sensors.conf:
% more sensors.conf
probe router1 netflow-v9
listen-on-port 2055
...
end probe
probe router2 netflow-v9
listen-on-port 2056
...
end probe
group my-network
ipblocks 1.2.3.0/21
ipblocks 10.0.0.0/8
end group
sensor router1
netflow-v9-probes router11
internal-ipblocks @my-network
external-ipblocks remainder
end sensor
sensor router2
netflow-v9-probes lhrEdge2
internal-ipblocks @my-network
external-ipblocks remainder
end sensor
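As an added example (not code from the original post or from the SiLK project), here is a small Python check that parses a sensors.conf with the block layout shown above and reports any sensor whose netflow-v9-probes line names a probe that no probe block defines; it runs over a copy of the posted file, with the elided lines kept as "...". The parser assumes only the probe/sensor/group block structure seen in this file.

```python
# Constructed copy of the sensors.conf posted above (elided lines kept as "...").
SENSORS_CONF = """\
probe router1 netflow-v9
    listen-on-port 2055
    ...
end probe
probe router2 netflow-v9
    listen-on-port 2056
    ...
end probe
group my-network
    ipblocks 1.2.3.0/21
    ipblocks 10.0.0.0/8
end group
sensor router1
    netflow-v9-probes router11
    internal-ipblocks @my-network
    external-ipblocks remainder
end sensor
sensor router2
    netflow-v9-probes lhrEdge2
    internal-ipblocks @my-network
    external-ipblocks remainder
end sensor
"""


def parse_sensors_conf(text):
    """Return (probes, sensors): probe name -> probe type, sensor name -> probes it lists.
    Assumption: only the probe/sensor/group block structure seen above is understood."""
    probes, sensors = {}, {}
    block = None  # (kind, name) while inside a block, else None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "...":
            continue  # blank line or an elided line from the post
        if block is None and words[0] in ("probe", "sensor", "group"):
            block = (words[0], words[1])
            if words[0] == "probe":
                probes[words[1]] = words[2]
            elif words[0] == "sensor":
                sensors[words[1]] = []
        elif words[0] == "end":
            block = None
        elif block and block[0] == "sensor" and words[0].endswith("-probes"):
            sensors[block[1]].extend(words[1:])  # e.g. netflow-v9-probes P1 P2
    return probes, sensors


def undefined_probe_refs(text):
    """Map each sensor to the probe names it lists that no probe block defines."""
    probes, sensors = parse_sensors_conf(text)
    return {s: [p for p in refs if p not in probes]
            for s, refs in sensors.items() if any(p not in probes for p in refs)}
```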