[flow-tools] udp packet sniffing

Mark Fullmer maf@eng.oar.net
Wed, 15 Jan 2003 12:32:08 -0500


I've added a feature to flow-fanout which will optionally spoof the source
IP based on the exporter source.  If you want to test this before 0.64 is
out send me an e-mail.

mark

On Wed, Nov 20, 2002 at 09:46:45PM +0000, Derek Fage (lists account) wrote:
> Hmmm,
> 
> That's just made me think about a problem we've got.
> 
> I started using flow-fanout so that I could export flows to another package as well as to flow-capture, but some of my filter scripts that identified flows by the router sending them stopped working.
> 
> I now realise that this is due to the source address issues in flow-fanout.
> 
> flow-fanout allows the spoofing of a source address, but only for all flows.
> 
> Does anybody have any suggestions how I can handle this for flows from multiple routers?
> 
> Regards,
> 
> Derek...
> 
> 
> ---- Message from Simon Leinen <simon@limmat.switch.ch> at 19:45:59 2002-11-20 ------
> >On Sun, 10 Nov 2002 21:40:09 -0500, Mark Fullmer <maf@eng.oar.net> said:
> >> On Tue, Nov 05, 2002 at 09:09:35PM +0200, cougar@random.ee wrote:
> >> Samplicator is missing PDU decoding, so it's harder to isolate
> >> packet loss.
> >
> >Correct.  Personally I use a variant of samplicator that does decode
> >the PDUs, but I haven't put in a good way to log missing flows yet.
> >
> >> On the other hand flow-fanout is missing the ability to easily spoof
> >> the source IP.
> >
> >Feel free to steal the spoofing code from the samplicator - I tried to
> >make that pretty free-standing.  The code is in rawsend.[ch], and on
> >how to use it look for pf_SPOOF in samplicate.c.
> >
> >The ugly thing is that in order to be able to do this, the process
> >typically has to run with root privileges on Unix machines.
> >-- 
> >Simon Leinen				       simon@babar.switch.ch
> >SWITCH				   http://www.switch.ch/misc/leinen/
> >
> >	       Computers hate being anthropomorphized.
> >
> 
> 
>