[maf@eng.oar.net: Re: [flow-tools] flow-fanout]

Mark Fullmer maf@eng.oar.net
Thu, 23 Jan 2003 18:18:32 -0500 

----- Forwarded message from Mark Fullmer <maf@eng.oar.net> -----

Date: Wed, 22 Jan 2003 12:45:48 -0500
From: Mark Fullmer <maf@eng.oar.net>
To: "Ramarajan, Arvind, ALCNS" <aramarajan@att.com>
Cc: flow-tools@splintered.net
Subject: Re: [flow-tools] flow-fanout
X-Mailer: Mutt 1.0i

To accept flows on port 2055, send a copy to localhost port 2077 and a remote
host 1.2.3.4 port 2055 use:

flow-fanout 0/0/2055 0/127.0.0.1/2077 0/1.2.3.4/2055

If you have multiple routers sending to port 2055 the replicated flows
will all have the same source IP address, which may be a problem.  One
way to work around this is to have each router send to a different port
and run a flow-fanout/flow-capture instance for each router.

There might be a better way to do this in 0.64.  Currently I have source
IP spoofing implemented but but in a way which can handle multiple routers --
have to regen the sequence numbers to do this correctly since flow-fanout
can modify the flows with a filter now.

mark

mark

On Fri, Dec 27, 2002 at 02:25:04PM -0500, Ramarajan, Arvind, ALCNS wrote:
> 
> 	Hi,
> 	 'am trying to use flow-fanout to replicate the netflow data
> 	locally on the same server as well as another server. Following
> 	the instructions in the man pages does not seem to work.
> 	Scenario:
> 
> 	Server A: Receives V5 netflow from a bunch of routers on port 2055.
> 	Here i want to receive the flow on port 2055 and replicate it to
> 	2055 on Server B and also replicate locally on say port 2077 locally
> 	and run flow-capture locally on port 2077.
> 
> 	Server B: Want to run flow-capture on port 2055 locally on the replicated
> 	netflow data from server A.
> 
> 	I want to cross compare across the servers, with new stuff on Server B
> 	and let the old Server A un-disturbed. The new stuff is some thing home
> 	grown. 
> 						TIA -->
> 						    Arvind.
> 
> Arvind Ramarajan
> IP Network Management Architecture & Implementation
> AT&T
> 200 Laurel Av. S
> Room: C2-2B38
> Middletown NJ - 07748
> Phone: (732)-420-2243
> Fax: (732)-368-1601
> 
> 
> _______________________________________________
> flow-tools@splintered.net
> http://www.splintered.net/sw/flow-tools

----- End forwarded message -----