netflow analyzer counts incoming traffic as outgoing too

os:
free62# uname -a
FreeBSD free62.domain.ru 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri May 25 14:50:17 MSD 2007 aleksey@free62.domain.ru:/usr/obj/usr/src/sys/CUBXL i386

I've configured netgraph as shown below:
http://forum.bestcom.ru/htmlart/unix/ng_img/ng_img03.png
The nodes are connected to each other:
+ show netflow:
  Name: netflow         Type: netflow         ID: 00000011   Num hooks: 5
  Local hook      Peer name       Peer type    Peer ID         Peer hook
  ----------      ---------       ---------    -------         ---------
  export          <unnamed>       ksocket      00000013        inet/dgram/udp
  out0            splitlow        split        00000010        in
  iface0          splitup         split        00000012        out
  out1            splitup         split        00000012        in
  iface1          splitlow        split        00000010        out
+ show splitup:
  Name: splitup         Type: split           ID: 00000012   Num hooks: 3
  Local hook      Peer name       Peer type    Peer ID         Peer hook
  ----------      ---------       ---------    -------         ---------
  out             netflow         netflow      00000011        iface0
  mixed           fxp0            ether        00000001        upper
  in              netflow         netflow      00000011        out1
+ show splitlow:
  Name: splitlow        Type: split           ID: 00000010   Num hooks: 3
  Local hook      Peer name       Peer type    Peer ID         Peer hook
  ----------      ---------       ---------    -------         ---------
  in              netflow         netflow      00000011        out0
  out             netflow         netflow      00000011        iface1
  mixed           fxp0            ether        00000001        lower

network configuration:
free62# ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=b<RXCSUM,TXCSUM,VLAN_MTU>
        inet 10.0.2.31 netmask 0xfffff000 broadcast 10.0.15.255
        ether 00:02:b3:2e:e3:d7
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.25.4 netmask 0xffffff00 broadcast 192.168.25.255
        ether 00:50:8b:5e:70:5a
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
dc0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:08:a1:93:ba:56
        media: Ethernet autoselect (none)
        status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
pfsync0: flags=0<> mtu 2020
        syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

fxp0 is the external interface, fxp1 is the internal one.
I tried using lynx; as a result I downloaded 2.25 MB from the internet, but the report shows that outgoing traffic simply equals incoming traffic. Custom report in NetFlow Analyzer 5.5:

incoming traffic:
IN Traffic Details Showing 1 to 5
Source IP        Destination IP   Application  Source Port  Dest. Port  Protocol  ToS        TCP FLAGS  Traffic      No of Packets
                                                                                  I D T R C
204.152.184.112  10.0.2.31        http         80           54644       TCP       0 N N N N  AP SF      2.25 MB      1580
216.59.154.35    10.0.2.31        http         80           65210       TCP       0 N N N N  AP S       176.62 KB    129
144.122.166.16   10.0.2.31        http         80           55221       TCP       0 N N N N  AP SF      26.25 KB     20
204.152.184.112  10.0.2.31        http         80           60542       TCP       0 N N N N  AP SF      789.0 Bytes  5
216.59.154.36    10.0.2.31        http         80           58525       TCP       0 N N N N  A S        192.0 Bytes  3

outgoing traffic:
OUT Traffic Details Showing 1 to 10
    Source IP        Destination IP   Application  Source Port  Dest. Port  Protocol  ToS        TCP FLAGS  Traffic      No of Packets
                                                                                      I D T R C
!!! 204.152.184.112  10.0.2.31        http         80           54644       TCP       0 N N N N  AP SF      2.25 MB      1580  !!!
!!! 216.59.154.35    10.0.2.31        http         80           65210       TCP       0 N N N N  AP S       176.62 KB    129  !!!
    10.0.2.31        204.152.184.112  http         54644        80          TCP       0 N N N N  AP SF      55.41 KB     1063
!!! 144.122.166.16   10.0.2.31        http         80           55221       TCP       0 N N N N  AP SF      26.25 KB     20  !!!
    10.0.2.31        216.59.154.35    http         65210        80          TCP       0 N N N N  AP SF      6.86 KB      117
    10.0.2.31        144.122.166.16   http         55221        80          TCP       0 N N N N  AP SF      965.0 Bytes  16
!!! 204.152.184.112  10.0.2.31        http         80           60542       TCP       0 N N N N  AP SF      789.0 Bytes  5  !!!
    10.0.2.31        204.152.184.112  http         60542        80          TCP       0 N N N N  AP SF      395.0 Bytes  5
!!! 216.59.154.36    10.0.2.31        http         80           58525       TCP       0 N N N N  A S        192.0 Bytes  3  !!!
    10.0.2.31        216.59.154.36    http         58525        80          TCP       0 N N N N  S          64.0 Bytes   1

Why is the incoming traffic value also used in the outgoing traffic calculation?
netgraph's script:
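#!/bin/sh
# Load the netgraph modules used below.
kldload ng_ether
kldload ng_netflow
kldload ng_split

# Resulting graph (same as the "show" output above):
#   fxp0:lower -> splitlow (mixed -> out) -> netflow:iface1 -> netflow:out1 -> splitup (in -> mixed) -> fxp0:upper
#   fxp0:upper -> splitup (mixed -> out) -> netflow:iface0 -> netflow:out0 -> splitlow (in -> mixed) -> fxp0:lower
# Flow records are exported over UDP from 192.168.25.4:9996 to 192.168.25.11:9996.
/usr/sbin/ngctl -f- <<-SEQ
mkpeer fxp0: split lower mixed
name fxp0:lower splitlow
mkpeer splitlow: netflow out iface1

name splitlow:out netflow
mkpeer netflow: split out1 in

name netflow:out1 splitup

connect splitup: fxp0: mixed upper
connect splitup: netflow: out iface0
connect splitlow: netflow: in out0

mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export bind inet/192.168.25.4:9996
msg netflow:export connect inet/192.168.25.11:9996
SEQ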
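
A check for the symptom described in this post, as an added example that is not part of the original post: it classifies each row of the OUT report by its endpoints relative to the monitored host, totals the bytes per direction, and notes whether each misfiled row has its reverse flow in the same report. The rows are copied from the OUT report above; the function names, the use of 10.0.2.31 (fxp0's address in the ifconfig output) as the local address, and binary units are assumptions of this example.

```python
import ipaddress

# Assumption: the monitored host's own address (fxp0 in the ifconfig output).
LOCAL = {ipaddress.ip_address("10.0.2.31")}
# Assumption: the report uses binary units.
UNITS = {"Bytes": 1, "KB": 1024, "MB": 1024 ** 2}

# (src, dst, src_port, dst_port, traffic) copied from the OUT report in the post.
OUT_REPORT = [
    ("204.152.184.112", "10.0.2.31", 80, 54644, "2.25 MB"),
    ("216.59.154.35", "10.0.2.31", 80, 65210, "176.62 KB"),
    ("10.0.2.31", "204.152.184.112", 54644, 80, "55.41 KB"),
    ("144.122.166.16", "10.0.2.31", 80, 55221, "26.25 KB"),
    ("10.0.2.31", "216.59.154.35", 65210, 80, "6.86 KB"),
    ("10.0.2.31", "144.122.166.16", 55221, 80, "965.0 Bytes"),
    ("204.152.184.112", "10.0.2.31", 80, 60542, "789.0 Bytes"),
    ("10.0.2.31", "204.152.184.112", 60542, 80, "395.0 Bytes"),
    ("216.59.154.36", "10.0.2.31", 80, 58525, "192.0 Bytes"),
    ("10.0.2.31", "216.59.154.36", 58525, 80, "64.0 Bytes"),
]

def to_bytes(text):
    """Convert a report value such as '55.41 KB' to whole bytes (rounded down)."""
    value, unit = text.split()
    return int(float(value) * UNITS[unit])

def direction(src, dst):
    """Classify a flow relative to the monitored host by its endpoints."""
    src_local = ipaddress.ip_address(src) in LOCAL
    dst_local = ipaddress.ip_address(dst) in LOCAL
    if src_local == dst_local:
        return "local" if src_local else "transit"
    return "out" if src_local else "in"

def audit(rows):
    """Return per-direction byte totals and the rows that are not outbound,
    each tagged with whether its reverse flow is also present in the report."""
    keys = {(s, d, sp, dp) for s, d, sp, dp, _ in rows}
    totals, misfiled = {}, []
    for src, dst, sport, dport, traffic in rows:
        kind = direction(src, dst)
        totals[kind] = totals.get(kind, 0) + to_bytes(traffic)
        if kind != "out":
            has_reverse = (dst, src, dport, sport) in keys
            misfiled.append((src, dst, sport, dport, kind, has_reverse))
    return totals, misfiled

if __name__ == "__main__":
    totals, misfiled = audit(OUT_REPORT)
    print(totals)
    for row in misfiled:
        print("not outbound:", row)
```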