Discussion:
Flow Tools
Paul Ammann
2018-03-13 15:39:52 UTC
Hi

I've got a problem and I'm hoping OBSD may be able to solve my problem.

We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.

I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.

Are there any other tools that I may have missed that would help me solve my problem?

Thank you in advance.

Paul
Peter N. M. Hansteen
2018-03-13 16:27:11 UTC
On 03/13/18 16:39, Paul Ammann wrote:
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.

How do you generate the flows?

pflow(4) or some other method?

> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve my problem?

I had to check by configuring a second pflow interface on my home
gateway here, and it seems you can indeed have more than one pflow
interface (the other option that comes to mind is some fairly specific
rules for your netflow data with dup-to, but that may be pushing the
number of hoops to jump through too far).

Michael's book is probably still the best reference on netflow. I
describe a setup with pflow and nfsen at
http://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html -
that post is from 2014 but the basics should still apply.

- Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Tom Smyth
2018-03-13 16:44:57 UTC
Paul ...
You could look at pmacct by Paolo Lucente, he is a cool guy...
It has multiple flow aggregation and translation capabilities ...
I don't think it is in ports yet... I'd like to get off my ass and do it some
day as I think it is awesome ...



On 13 Mar 2018 12:08, "Paul Ammann" <***@fastmail.com> wrote:

> Hi
>
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a
> single destination. We need to send flow traffic to 3 destinations.
>
> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been
> reading about flow-tools and flowd. Unfortunately there doesn't seem to
> have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve
> my problem?
>
> Thank you in advance.
>
> Paul
>
>
Peter N. M. Hansteen
2018-03-13 17:03:19 UTC
On 03/13/18 17:44, Tom Smyth wrote:
> Paul ...
> You could look at pmacct by Paolo Lucente, he is a cool guy...
> It has multiple flow aggregation and translation capabilities ...
> I don't think it is in ports yet... I'd like to get off my ass and do it some
> day as I think it is awesome ...

pmacct is in ports - http://openports.se/net/pmacct so likely
straightforward to get started

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Tom Smyth
2018-03-13 17:53:45 UTC
Peter .... Thanks, buddy ... I don't know how I missed that :)

Got to try that out on OpenBSD so.

Thanks for the tip, Peter...



On 13 March 2018 at 17:03, Peter N. M. Hansteen <***@bsdly.net> wrote:
> On 03/13/18 17:44, Tom Smyth wrote:
>> Paul ...
>> You could look at pmacct by Paolo Lucente, he is a cool guy...
>> It has multiple flow aggregation and translation capabilities ...
>> I don't think it is in ports yet... I'd like to get off my ass and do it some
>> day as I think it is awesome ...
>
> pmacct is in ports - http://openports.se/net/pmacct so likely
> straightforward to get started
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>



--
Kindest regards,
Tom Smyth

Mobile: +353 87 6193172
Diana Eichert
2018-03-13 18:35:48 UTC
I've been using samplicator to fanout UDP flow data for years.

https://github.com/sleinen/samplicator

diana


On Tue, 13 Mar 2018, Paul Ammann wrote:

> Hi
>
> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>
> We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.
>
> I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.
>
> Are there any other tools that I may have missed that would help me solve my problem?
>
> Thank you in advance.
>
> Paul
>
>
>
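A software fanout for the problem in the original post, as an added example in Python and not samplicator's own code: it listens on one UDP port, checks that each datagram carries a plausible NetFlow v1/v5/v7/v9 or IPFIX header, and re-sends it unchanged to every collector. The listen address, the three collector addresses and the sample datagrams are constructed for illustration and are not from the thread.

```python
"""UDP fan-out for NetFlow/IPFIX export (added example; not samplicator's code).

Receives export datagrams from an exporter that can only target one
collector and re-sends each one, unchanged, to several collectors.
Datagrams are only forwarded when they carry a plausible NetFlow v1/v5/v7/v9
or IPFIX header, so the replicator does not become an open UDP relay.
"""
import socket
import struct
import sys
from typing import Callable, Iterable, List, Optional, Tuple

# Header version field -> (name, fixed header size, fixed record size or None)
FLOW_VERSIONS = {
    1: ("netflow-v1", 16, 48),
    5: ("netflow-v5", 24, 48),
    7: ("netflow-v7", 24, 52),
    9: ("netflow-v9", 20, None),   # template based, variable-length FlowSets
    10: ("ipfix", 16, None),       # second header field is the message length
}


def parse_flow_header(packet: bytes) -> Optional[Tuple[str, int]]:
    """Return (protocol, count) for a recognised export header, else None.

    count is the header's record count for NetFlow, or the message length
    for IPFIX. Datagrams whose size contradicts the header are rejected."""
    if len(packet) < 4:
        return None
    version, second = struct.unpack("!HH", packet[:4])
    spec = FLOW_VERSIONS.get(version)
    if spec is None:
        return None
    name, hdr_len, rec_len = spec
    if len(packet) < hdr_len:
        return None
    if version == 10:
        # IPFIX length covers the whole message; truncated messages are dropped
        if second < hdr_len or second > len(packet):
            return None
    elif rec_len is not None and len(packet) != hdr_len + rec_len * second:
        # Fixed-format NetFlow: header plus exactly `count` records
        return None
    return name, second


def fanout(packet: bytes, dests: Iterable[Tuple[str, int]],
           sender: Callable[[bytes, Tuple[str, int]], object]) -> int:
    """Forward one datagram to every collector; return how many sends succeeded.

    sender is socket.sendto or any callable with the same shape."""
    if parse_flow_header(packet) is None:
        return 0
    sent = 0
    for dest in dests:
        try:
            sender(packet, dest)
            sent += 1
        except OSError:
            # One unreachable collector must not stop the others getting data
            continue
    return sent


def serve(listen: Tuple[str, int], dests: List[Tuple[str, int]]) -> None:
    """Blocking receive/replicate loop."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        packet, _src = rx.recvfrom(65535)
        fanout(packet, dests, tx.sendto)


# Constructed sample datagrams (not real captures) for exercising the checks.
def sample_v5(records: int = 1) -> bytes:
    header = struct.pack("!HHIIIIBBH", 5, records, 123456, 1521000000, 0, 42, 0, 0, 0)
    return header + b"\x00" * (48 * records)


def sample_v9() -> bytes:
    header = struct.pack("!HHIIII", 9, 1, 123456, 1521000000, 42, 0)
    # one 16-byte data FlowSet (id 256, length 16) with an opaque record body
    return header + struct.pack("!HH", 256, 16) + b"\x00" * 12


def sample_ipfix(payload: bytes = b"\x00" * 8) -> bytes:
    length = 16 + len(payload)
    return struct.pack("!HHIII", 10, length, 1521000000, 42, 0) + payload


if __name__ == "__main__":
    # usage: fanout.py 0.0.0.0:9995 192.0.2.10:9995 192.0.2.11:9995 192.0.2.12:2055
    if len(sys.argv) < 3:
        sys.exit("usage: fanout.py LISTEN:PORT COLLECTOR:PORT [COLLECTOR:PORT ...]")
    listen, *collectors = [(h, int(p)) for h, p in (a.rsplit(":", 1) for a in sys.argv[1:])]
    serve(listen, collectors)
```

Two caveats before putting this in front of real collectors: they will see the replicator's address as the exporter, not the firewall's (samplicator's -S option spoofs the original source with a raw socket; this example does not), so any per-exporter configuration on the collectors must name the replicator; and because flow export is unauthenticated UDP, restrict who can reach the listening port with pf rather than relying on the header check alone.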
Gregory Edigarov
2018-03-14 09:06:21 UTC
Sorry if I hijack the thread, but what do you guys use for netflow
analysis?
I only know nfsen in ports, but sometimes I need a more versatile tool.

On 13.03.18 20:35, Diana Eichert wrote:
> I've been using samplicator to fanout UDP flow data for years.
>
> https://github.com/sleinen/samplicator
>
> diana
>
>
> On Tue, 13 Mar 2018, Paul Ammann wrote:
>
>> Hi
>>
>> I've got a problem and I'm hoping OBSD may be able to solve my problem.
>>
>> We bought new firewalls in 2017, but they can only send flow traffic
>> to a single destination. We need to send flow traffic to 3 destinations.
>>
>> I have a copy of Michael Lucas' book Network Flow Analysis, and I've
>> been reading about flow-tools and flowd. Unfortunately there doesn't
>> seem to have been a lot of development on these tools since 2010.
>>
>> Are there any other tools that I may have missed that would help me
>> solve my problem?
>>
>> Thank you in advance.
>>
>> Paul
>>
>>
>>
>
Steve Pointer
2018-03-14 11:27:36 UTC
On Wed, 14 Mar 2018, at 9:06 AM, Gregory Edigarov wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?
> I only know nfsen in ports, but sometimes I need a more versatile tool.
>

R works for me.

https://www.r-project.org/

--
Steve P
Tommy Nevtelen
2018-03-14 12:41:00 UTC
On 03/14/2018 10:06 AM, Gregory Edigarov wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?

This looks quite interesting https://github.com/robcowart/elastiflow
I have not tried it but would like to when time allows.

--
Tommy Nevtelen
Daniel Melameth
2018-03-14 18:29:36 UTC
On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov <***@qarea.com> wrote:
> Sorry, if I hijack the thread, but what do you guys use for netflow
> analysis?
> I only know nfsen in ports, but sometimes I need a more versatile tool.

nfdump is rather powerful if you don't need a pretty GUI; it's like
tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce
regular reports, but also run it ad hoc.
Diana Eichert
2018-03-14 22:20:01 UTC
I 2nd nfdump, then again I like tcpdump too ;-)

On Wed, 14 Mar 2018, Daniel Melameth wrote:

> On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov <***@qarea.com> wrote:
>> Sorry, if I hijack the thread, but what do you guys use for netflow
>> analysis?
>> I only know nfsen in ports, but sometimes I need a more versatile tool.
>
> nfdump is rather powerful if you don't need a pretty GUI; it's like
> tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce
> regular reports, but also run it ad hoc.
>
>
>
Michael Price
2018-03-16 14:25:55 UTC
It seems nfdump in ports is a bit behind the latest version though. 1.6.15
in particular fixed a few security issues in nfcapd.

Is sthen still the contact person for the port? I suppose I could submit a
patch.

Michael

On Wed, Mar 14, 2018 at 6:41 PM Diana Eichert <***@wrench.com> wrote:

> I 2nd nfdump, then again I like tcpdump too ;-)
>
> On Wed, 14 Mar 2018, Daniel Melameth wrote:
>
> > On Wed, Mar 14, 2018 at 3:06 AM, Gregory Edigarov <***@qarea.com>
> wrote:
> >> Sorry, if I hijack the thread, but what do you guys use for netflow
> >> analysis?
> >> I only know nfsen in ports, but sometimes I need a more versatile tool.
> >
> > nfdump is rather powerful if you don't need a pretty GUI; it's like
> > tcpdump, but for NetFlow/IPFIX data. I have it scripted to produce
> > regular reports, but also run it ad hoc.
> >
> >
> >
>
>
Stuart Henderson
2018-03-16 16:28:27 UTC
On 2018-03-16, Michael Price <***@ectospheno.com> wrote:
> It seems nfdump in ports is a bit behind the latest version though. 1.6.15
> in particular fixed a few security issues in nfcapd.
>
> Is sthen still the contact person for the port? I suppose I could submit a
> patch.

Oh, it moved so portroach no longer picks it up. Can you try this diff please?

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/nfdump/Makefile,v
retrieving revision 1.21
diff -u -p -r1.21 Makefile
--- Makefile 10 Sep 2016 13:03:42 -0000 1.21
+++ Makefile 16 Mar 2018 16:30:05 -0000
@@ -3,24 +3,23 @@
COMMENT-main = tools to collect and process netflow data
COMMENT-nfprofile = filters data from nfdump according to profiles

-V = 1.6.13
-DISTNAME = nfdump-$V
+V = 1.6.16
+GH_ACCOUNT = phaag
+GH_PROJECT = nfdump
+GH_TAGNAME = v$V
FULLPKGNAME-main = nfdump-$V
FULLPKGNAME-nfprofile = nfprofile-$V
-REVISION-main = 0
-REVISION-nfprofile = 0
+
+SHARED_LIBS += nfdump 0.0 # 0.0

CATEGORIES = net
-HOMEPAGE = http://nfdump.sourceforge.net/

MAINTAINER = Stuart Henderson <***@openbsd.org>

# BSD
PERMIT_PACKAGE_CDROM = Yes

-WANTLIB = c z
-
-MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=nfdump/}
+WANTLIB = bz2 c z

CONFIGURE_STYLE = gnu

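Review bot: `WANTLIB = bz2 c z` is inherited by -nfprofile through `WANTLIB-nfprofile = ${WANTLIB}` further down, yet only LIB_DEPENDS-main gains archivers/bzip2; if nfprofile does not itself link libbz2, the library check will report bz2 as an unused WANTLIB for that subpackage, so either give -nfprofile a matching LIB_DEPENDS or keep bz2 in WANTLIB-main only. Dropping HOMEPAGE is fine now that GH_ACCOUNT/GH_PROJECT are set, since the ports infrastructure derives it from the GitHub project.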
@@ -35,11 +34,18 @@ CONFIGURE_ARGS += --enable-compat15 \

MULTI_PACKAGES = -main -nfprofile

-LIB_DEPENDS-main = net/flow-tools>=0.68.5
+LIB_DEPENDS-main = archivers/bzip2 \
+ net/flow-tools>=0.68.5
WANTLIB-main = ${WANTLIB} ft
+
LIB_DEPENDS-nfprofile = net/rrdtool
-WANTLIB-nfprofile = ${WANTLIB} pthread rrd
RUN_DEPENDS-nfprofile = nfdump-$V:net/nfdump,-main
+WANTLIB-nfprofile = ${WANTLIB}
+WANTLIB-nfprofile += X11 Xext Xrender cairo expat ffi fontconfig freetype
+WANTLIB-nfprofile += glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz
+WANTLIB-nfprofile += iconv intl lzma m nfdump pango-1.0 pangocairo-1.0
+WANTLIB-nfprofile += pangoft2-1.0 pcre pixman-1 png pthread rrd xcb
+WANTLIB-nfprofile += xcb-render xcb-shm xml2

REORDER_DEPENDENCIES += ${PORTSDIR}/infrastructure/mk/automake.dep

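Review bot: `WANTLIB-nfprofile += ... nfdump ...` names the new libnfdump, but LIB_DEPENDS-nfprofile still lists only net/rrdtool, so nothing satisfies the `nfdump>=0.0` spec for the -nfprofile subpackage; add `net/nfdump,-main` to LIB_DEPENDS-nfprofile (RUN_DEPENDS-nfprofile already references it). The long X11/cairo/pango list is what librrd drags in and is fine as generated, but it should come from `make port-lib-depends-check` rather than hand editing so it tracks rrdtool's own dependencies.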
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/nfdump/distinfo,v
retrieving revision 1.9
diff -u -p -r1.9 distinfo
--- distinfo 17 Dec 2014 14:53:43 -0000 1.9
+++ distinfo 16 Mar 2018 16:30:05 -0000
@@ -1,2 +1,2 @@
-SHA256 (nfdump-1.6.13.tar.gz) = JRUzwxbJ/llTEvR3zbBR6cZnUX9J+3rFtDJJVzDkVpM=
-SIZE (nfdump-1.6.13.tar.gz) = 662006
+SHA256 (nfdump-1.6.16.tar.gz) = sYR5IVxRqY+9+XPvVIRkeA56nZ9/5z5Pq5q37Io73I8=
+SIZE (nfdump-1.6.16.tar.gz) = 1814857
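Review bot: SIZE nearly triples (662006 to 1814857) under the same nfdump-$V.tar.gz name, which is expected when moving from the SourceForge release to a GitHub tag archive, but it also means the distfile is now whatever GitHub generates for GH_TAGNAME rather than an upstream-published tarball; regenerate with `make makesum` after the Makefile change rather than editing by hand, and say in the commit message that the source now comes from the git tag.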
Index: patches/patch-bin_Makefile_in
===================================================================
RCS file: patches/patch-bin_Makefile_in
diff -N patches/patch-bin_Makefile_in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-bin_Makefile_in 16 Mar 2018 16:30:05 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: bin/Makefile.in
+--- bin/Makefile.in.orig
++++ bin/Makefile.in
+@@ -709,7 +709,7 @@ launch = launch.c launch.h
+ lib_LTLIBRARIES = libnfdump.la
+ libnfdump_la_SOURCES = $(common) $(util) $(filelzo) $(nflist) $(filter) $(exporter)
+ #libnfdump_la_LIBADD = -lz
+-libnfdump_la_LDFLAGS = -release 1.6.15
++libnfdump_la_LDFLAGS =
+ nfdump_SOURCES = nfdump.c nfdump.h nfstat.c nfstat.h nfexport.c nfexport.h \
+ $(nflowcache) $(nfprof)
+
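Review bot: the `$OpenBSD$` header is followed by a blank line and no explanation; OpenBSD patch files carry a comment saying why, and here the reason matters: upstream's `-release 1.6.15` (stale even against the 1.6.16 tag) would make libtool name the library libnfdump-1.6.15.so, while clearing LDFLAGS lets the Makefile's SHARED_LIBS value produce the lib/libnfdump.so.${LIBnfdump_VERSION} that the PLIST expects. One line such as "don't embed a release string; use the ports SHARED_LIBS version" would save the next updater from working that out.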
Index: patches/patch-bin_util_c
===================================================================
RCS file: /cvs/ports/net/nfdump/patches/patch-bin_util_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-bin_util_c
--- patches/patch-bin_util_c 10 Sep 2016 13:03:42 -0000 1.1
+++ patches/patch-bin_util_c 16 Mar 2018 16:30:05 -0000
@@ -1,7 +1,8 @@
$OpenBSD: patch-bin_util_c,v 1.1 2016/09/10 13:03:42 ajacoutot Exp $
---- bin/util.c.orig Sat Sep 10 10:34:01 2016
-+++ bin/util.c Sat Sep 10 10:35:46 2016
-@@ -41,6 +41,7 @@
+Index: bin/util.c
+--- bin/util.c.orig
++++ bin/util.c
+@@ -38,6 +38,7 @@
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
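Review bot: only the patch header is refreshed here (offset 41 to 38, timestamped file names replaced by the Index:/.orig form that `make update-patches` emits); the one-line addition below the shown context is not visible, so confirm the patch still applies cleanly to 1.6.16's bin/util.c with `make patch`. This file also lacks a purpose comment under the $OpenBSD$ line; a short note on what the extra include is for would help.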
Index: pkg/PLIST-main
===================================================================
RCS file: /cvs/ports/net/nfdump/pkg/PLIST-main,v
retrieving revision 1.5
diff -u -p -r1.5 PLIST-main
--- pkg/PLIST-main 3 May 2013 01:16:36 -0000 1.5
+++ pkg/PLIST-main 16 Mar 2018 16:30:05 -0000
@@ -8,6 +8,9 @@
@bin bin/nfexpire
@bin bin/nfreplay
@bin bin/sfcapd
+lib/libnfdump.a
+lib/libnfdump.la
+@lib lib/libnfdump.so.${LIBnfdump_VERSION}
@man man/man1/ft2nfdump.1
@man man/man1/nfanon.1
@man man/man1/nfcapd.1
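Review bot: the three new lib/ entries depend on the Makefile's `SHARED_LIBS += nfdump 0.0`, and since the only consumer of libnfdump in this diff is the -nfprofile subpackage, it is worth deciding whether the .a and .la files (and the library itself) are really a public interface of -main or just an internal build artifact; either way, run `make update-plist` so that any other files the much larger 1.6.16 tarball installs (the hunk only shows these three lines) are not missed.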
Michael Price
2018-03-16 19:18:03 UTC
It will be a bit before I am at a machine to build ports. Only have access
to virtual machines running small instances right now. I would be happy to
test it tonight though.

Michael

On Fri, Mar 16, 2018 at 12:34 PM Stuart Henderson <***@spacehopper.org>
wrote:

> On 2018-03-16, Michael Price <***@ectospheno.com> wrote:
> > It seems nfdump in ports is a bit behind the latest version though.
> 1.6.15
> > in particular fixed a few security issues in nfcapd.
> >
> > Is sthen still the contact person for the port? I suppose I could submit
> a
> > patch.
>
> Oh, it moved so portroach no longer picks it up. Can you try this diff
> please?
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/nfdump/Makefile,v
> retrieving revision 1.21
> diff -u -p -r1.21 Makefile
> --- Makefile 10 Sep 2016 13:03:42 -0000 1.21
> +++ Makefile 16 Mar 2018 16:30:05 -0000
> @@ -3,24 +3,23 @@
> COMMENT-main = tools to collect and process netflow data
> COMMENT-nfprofile = filters data from nfdump according to profiles
>
> -V = 1.6.13
> -DISTNAME = nfdump-$V
> +V = 1.6.16
> +GH_ACCOUNT = phaag
> +GH_PROJECT = nfdump
> +GH_TAGNAME = v$V
> FULLPKGNAME-main = nfdump-$V
> FULLPKGNAME-nfprofile = nfprofile-$V
> -REVISION-main = 0
> -REVISION-nfprofile = 0
> +
> +SHARED_LIBS += nfdump 0.0 # 0.0
>
> CATEGORIES = net
> -HOMEPAGE = http://nfdump.sourceforge.net/
>
> MAINTAINER = Stuart Henderson <***@openbsd.org>
>
> # BSD
> PERMIT_PACKAGE_CDROM = Yes
>
> -WANTLIB = c z
> -
> -MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=nfdump/}
> +WANTLIB = bz2 c z
>
> CONFIGURE_STYLE = gnu
>
> @@ -35,11 +34,18 @@ CONFIGURE_ARGS += --enable-compat15 \
>
> MULTI_PACKAGES = -main -nfprofile
>
> -LIB_DEPENDS-main = net/flow-tools>=0.68.5
> +LIB_DEPENDS-main = archivers/bzip2 \
> + net/flow-tools>=0.68.5
> WANTLIB-main = ${WANTLIB} ft
> +
> LIB_DEPENDS-nfprofile = net/rrdtool
> -WANTLIB-nfprofile = ${WANTLIB} pthread rrd
> RUN_DEPENDS-nfprofile = nfdump-$V:net/nfdump,-main
> +WANTLIB-nfprofile = ${WANTLIB}
> +WANTLIB-nfprofile += X11 Xext Xrender cairo expat ffi fontconfig freetype
> +WANTLIB-nfprofile += glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz
> +WANTLIB-nfprofile += iconv intl lzma m nfdump pango-1.0 pangocairo-1.0
> +WANTLIB-nfprofile += pangoft2-1.0 pcre pixman-1 png pthread rrd xcb
> +WANTLIB-nfprofile += xcb-render xcb-shm xml2
>
> REORDER_DEPENDENCIES += ${PORTSDIR}/infrastructure/mk/automake.dep
>
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/net/nfdump/distinfo,v
> retrieving revision 1.9
> diff -u -p -r1.9 distinfo
> --- distinfo 17 Dec 2014 14:53:43 -0000 1.9
> +++ distinfo 16 Mar 2018 16:30:05 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (nfdump-1.6.13.tar.gz) =
> JRUzwxbJ/llTEvR3zbBR6cZnUX9J+3rFtDJJVzDkVpM=
> -SIZE (nfdump-1.6.13.tar.gz) = 662006
> +SHA256 (nfdump-1.6.16.tar.gz) =
> sYR5IVxRqY+9+XPvVIRkeA56nZ9/5z5Pq5q37Io73I8=
> +SIZE (nfdump-1.6.16.tar.gz) = 1814857
> Index: patches/patch-bin_Makefile_in
> ===================================================================
> RCS file: patches/patch-bin_Makefile_in
> diff -N patches/patch-bin_Makefile_in
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-bin_Makefile_in 16 Mar 2018 16:30:05 -0000
> @@ -0,0 +1,14 @@
> +$OpenBSD$
> +
> +Index: bin/Makefile.in
> +--- bin/Makefile.in.orig
> ++++ bin/Makefile.in
> +@@ -709,7 +709,7 @@ launch = launch.c launch.h
> + lib_LTLIBRARIES = libnfdump.la
> + libnfdump_la_SOURCES = $(common) $(util) $(filelzo) $(nflist) $(filter)
> $(exporter)
> + #libnfdump_la_LIBADD = -lz
> +-libnfdump_la_LDFLAGS = -release 1.6.15
> ++libnfdump_la_LDFLAGS =
> + nfdump_SOURCES = nfdump.c nfdump.h nfstat.c nfstat.h nfexport.c
> nfexport.h \
> + $(nflowcache) $(nfprof)
> +
> Index: patches/patch-bin_util_c
> ===================================================================
> RCS file: /cvs/ports/net/nfdump/patches/patch-bin_util_c,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-bin_util_c
> --- patches/patch-bin_util_c 10 Sep 2016 13:03:42 -0000 1.1
> +++ patches/patch-bin_util_c 16 Mar 2018 16:30:05 -0000
> @@ -1,7 +1,8 @@
> $OpenBSD: patch-bin_util_c,v 1.1 2016/09/10 13:03:42 ajacoutot Exp $
> ---- bin/util.c.orig Sat Sep 10 10:34:01 2016
> -+++ bin/util.c Sat Sep 10 10:35:46 2016
> -@@ -41,6 +41,7 @@
> +Index: bin/util.c
> +--- bin/util.c.orig
> ++++ bin/util.c
> +@@ -38,6 +38,7 @@
> #include <stdio.h>
> #include <unistd.h>
> #include <stdlib.h>
> Index: pkg/PLIST-main
> ===================================================================
> RCS file: /cvs/ports/net/nfdump/pkg/PLIST-main,v
> retrieving revision 1.5
> diff -u -p -r1.5 PLIST-main
> --- pkg/PLIST-main 3 May 2013 01:16:36 -0000 1.5
> +++ pkg/PLIST-main 16 Mar 2018 16:30:05 -0000
> @@ -8,6 +8,9 @@
> @bin bin/nfexpire
> @bin bin/nfreplay
> @bin bin/sfcapd
> +lib/libnfdump.a
> +lib/libnfdump.la
> +@lib lib/libnfdump.so.${LIBnfdump_VERSION}
> @man man/man1/ft2nfdump.1
> @man man/man1/nfanon.1
> @man man/man1/nfcapd.1
>
>
>
Michael Price
2018-03-16 22:54:53 UTC
On a 6.2 box with 6.2 ports and diff applied I get this. Let me know if I'm
doing something silly - usually use packages.


===> Verifying specs: bz2 c z ft bz2 c z X11 Xext Xrender cairo expat
ffi fontconfig freetype glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz
iconv intl lzma m nfdump pango-1.0 pangocairo-1.0 pangoft2-1.0 pcre
pixman-1 png pthread rrd xcb xcb-render xcb-shm xml2

Missing library for nfdump>=0.0

Fatal error

*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2182
'/usr/ports/pobj/nfdump-1.6.16/.buildwantlibs')

*** Error 1 in /home/ports/net/nfdump (/usr/ports/infrastructure/mk/
bsd.port.mk:2425 'all')


On Fri, Mar 16, 2018 at 3:18 PM, Michael Price <***@ectospheno.com>
wrote:

> It will be a bit before I am at a machine to build ports. Only have access
> to virtual machines running small instances right now. I would be happy to
> test it tonight though.
>
> Michael
>
> On Fri, Mar 16, 2018 at 12:34 PM Stuart Henderson <***@spacehopper.org>
> wrote:
>
>> On 2018-03-16, Michael Price <***@ectospheno.com> wrote:
>> > It seems nfdump in ports is a bit behind the latest version though.
>> 1.6.15
>> > in particular fixed a few security issues in nfcapd.
>> >
>> > Is sthen still the contact person for the port? I suppose I could
>> submit a
>> > patch.
>>
>> Oh, it moved so portroach no longer picks it up. Can you try this diff
>> please?
>>
>> Index: Makefile
>> ===================================================================
>> RCS file: /cvs/ports/net/nfdump/Makefile,v
>> retrieving revision 1.21
>> diff -u -p -r1.21 Makefile
>> --- Makefile 10 Sep 2016 13:03:42 -0000 1.21
>> +++ Makefile 16 Mar 2018 16:30:05 -0000
>> @@ -3,24 +3,23 @@
>> COMMENT-main = tools to collect and process netflow data
>> COMMENT-nfprofile = filters data from nfdump according to profiles
>>
>> -V = 1.6.13
>> -DISTNAME = nfdump-$V
>> +V = 1.6.16
>> +GH_ACCOUNT = phaag
>> +GH_PROJECT = nfdump
>> +GH_TAGNAME = v$V
>> FULLPKGNAME-main = nfdump-$V
>> FULLPKGNAME-nfprofile = nfprofile-$V
>> -REVISION-main = 0
>> -REVISION-nfprofile = 0
>> +
>> +SHARED_LIBS += nfdump 0.0 # 0.0
>>
>> CATEGORIES = net
>> -HOMEPAGE = http://nfdump.sourceforge.net/
>>
>> MAINTAINER = Stuart Henderson <***@openbsd.org>
>>
>> # BSD
>> PERMIT_PACKAGE_CDROM = Yes
>>
>> -WANTLIB = c z
>> -
>> -MASTER_SITES = ${MASTER_SITE_SOURCEFORGE:=nfdump/}
>> +WANTLIB = bz2 c z
>>
>> CONFIGURE_STYLE = gnu
>>
>> @@ -35,11 +34,18 @@ CONFIGURE_ARGS += --enable-compat15 \
>>
>> MULTI_PACKAGES = -main -nfprofile
>>
>> -LIB_DEPENDS-main = net/flow-tools>=0.68.5
>> +LIB_DEPENDS-main = archivers/bzip2 \
>> + net/flow-tools>=0.68.5
>> WANTLIB-main = ${WANTLIB} ft
>> +
>> LIB_DEPENDS-nfprofile = net/rrdtool
>> -WANTLIB-nfprofile = ${WANTLIB} pthread rrd
>> RUN_DEPENDS-nfprofile = nfdump-$V:net/nfdump,-main
>> +WANTLIB-nfprofile = ${WANTLIB}
>> +WANTLIB-nfprofile += X11 Xext Xrender cairo expat ffi fontconfig freetype
>> +WANTLIB-nfprofile += glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz
>> +WANTLIB-nfprofile += iconv intl lzma m nfdump pango-1.0 pangocairo-1.0
>> +WANTLIB-nfprofile += pangoft2-1.0 pcre pixman-1 png pthread rrd xcb
>> +WANTLIB-nfprofile += xcb-render xcb-shm xml2
>>
>> REORDER_DEPENDENCIES += ${PORTSDIR}/infrastructure/mk/automake.dep
>>
>> Index: distinfo
>> ===================================================================
>> RCS file: /cvs/ports/net/nfdump/distinfo,v
>> retrieving revision 1.9
>> diff -u -p -r1.9 distinfo
>> --- distinfo 17 Dec 2014 14:53:43 -0000 1.9
>> +++ distinfo 16 Mar 2018 16:30:05 -0000
>> @@ -1,2 +1,2 @@
>> -SHA256 (nfdump-1.6.13.tar.gz) = JRUzwxbJ/llTEvR3zbBR6cZnUX9J+
>> 3rFtDJJVzDkVpM=
>> -SIZE (nfdump-1.6.13.tar.gz) = 662006
>> +SHA256 (nfdump-1.6.16.tar.gz) = sYR5IVxRqY+9+XPvVIRkeA56nZ9/
>> 5z5Pq5q37Io73I8=
>> +SIZE (nfdump-1.6.16.tar.gz) = 1814857
>> Index: patches/patch-bin_Makefile_in
>> ===================================================================
>> RCS file: patches/patch-bin_Makefile_in
>> diff -N patches/patch-bin_Makefile_in
>> --- /dev/null 1 Jan 1970 00:00:00 -0000
>> +++ patches/patch-bin_Makefile_in 16 Mar 2018 16:30:05 -0000
>> @@ -0,0 +1,14 @@
>> +$OpenBSD$
>> +
>> +Index: bin/Makefile.in
>> +--- bin/Makefile.in.orig
>> ++++ bin/Makefile.in
>> +@@ -709,7 +709,7 @@ launch = launch.c launch.h
>> + lib_LTLIBRARIES = libnfdump.la
>> + libnfdump_la_SOURCES = $(common) $(util) $(filelzo) $(nflist) $(filter)
>> $(exporter)
>> + #libnfdump_la_LIBADD = -lz
>> +-libnfdump_la_LDFLAGS = -release 1.6.15
>> ++libnfdump_la_LDFLAGS =
>> + nfdump_SOURCES = nfdump.c nfdump.h nfstat.c nfstat.h nfexport.c
>> nfexport.h \
>> + $(nflowcache) $(nfprof)
>> +
>> Index: patches/patch-bin_util_c
>> ===================================================================
>> RCS file: /cvs/ports/net/nfdump/patches/patch-bin_util_c,v
>> retrieving revision 1.1
>> diff -u -p -r1.1 patch-bin_util_c
>> --- patches/patch-bin_util_c 10 Sep 2016 13:03:42 -0000 1.1
>> +++ patches/patch-bin_util_c 16 Mar 2018 16:30:05 -0000
>> @@ -1,7 +1,8 @@
>> $OpenBSD: patch-bin_util_c,v 1.1 2016/09/10 13:03:42 ajacoutot Exp $
>> ---- bin/util.c.orig Sat Sep 10 10:34:01 2016
>> -+++ bin/util.c Sat Sep 10 10:35:46 2016
>> -@@ -41,6 +41,7 @@
>> +Index: bin/util.c
>> +--- bin/util.c.orig
>> ++++ bin/util.c
>> +@@ -38,6 +38,7 @@
>> #include <stdio.h>
>> #include <unistd.h>
>> #include <stdlib.h>
>> Index: pkg/PLIST-main
>> ===================================================================
>> RCS file: /cvs/ports/net/nfdump/pkg/PLIST-main,v
>> retrieving revision 1.5
>> diff -u -p -r1.5 PLIST-main
>> --- pkg/PLIST-main 3 May 2013 01:16:36 -0000 1.5
>> +++ pkg/PLIST-main 16 Mar 2018 16:30:05 -0000
>> @@ -8,6 +8,9 @@
>> @bin bin/nfexpire
>> @bin bin/nfreplay
>> @bin bin/sfcapd
>> +lib/libnfdump.a
>> +lib/libnfdump.la
>> +@lib lib/libnfdump.so.${LIBnfdump_VERSION}
>> @man man/man1/ft2nfdump.1
>> @man man/man1/nfanon.1
>> @man man/man1/nfcapd.1
>>
>>
>>
Stuart Henderson
2018-03-16 23:07:28 UTC
On 2018/03/16 18:54, Michael Price wrote:
> On a 6.2 box with 6.2 ports and diff applied I get this. Let me know if I'm doing something
> silly - usually use packages.
>
>
> ===>  Verifying specs:  bz2 c z ft bz2 c z  X11 Xext Xrender cairo expat ffi fontconfig
> freetype glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz iconv intl lzma m nfdump pango-1.0
> pangocairo-1.0 pangoft2-1.0 pcre pixman-1 png pthread rrd xcb xcb-render xcb-shm xml2
>
> Missing library for nfdump>=0.0

Ah I see what this is, please add

net/nfdump,-main

to LIB_DEPENDS-nfprofile in the port's Makefile.
Michael Price
2018-03-17 00:02:16 UTC
On Fri, Mar 16, 2018 at 7:07 PM Stuart Henderson <***@spacehopper.org>
wrote:

> On 2018/03/16 18:54, Michael Price wrote:
> > On a 6.2 box with 6.2 ports and diff applied I get this. Let me know if
> I'm doing something
> > silly - usually use packages.
> >
> >
> > ===> Verifying specs: bz2 c z ft bz2 c z X11 Xext Xrender cairo expat
> ffi fontconfig
> > freetype glib-2.0 gobject-2.0 graphite2 gthread-2.0 harfbuzz iconv intl
> lzma m nfdump pango-1.0
> > pangocairo-1.0 pangoft2-1.0 pcre pixman-1 png pthread rrd xcb xcb-render
> xcb-shm xml2
> >
> > Missing library for nfdump>=0.0
>
> Ah I see what this is, please add
>
> net/nfdump,-main
>
> to LIB_DEPENDS-nfprofile in the port's Makefile.
>
That did the trick. I only built on amd64. Installed on a machine already
running nfcapd. Seems to be running fine and nfdump parses old and new
files.

Michael
Paul Ammann
2018-03-22 16:46:53 UTC
The problem with flow-tools is that they don't work with Netflow v9.

I did find a UDP fanout device that works just as well: https://www.dcbnet.com/datasheet/pr6602ds.html


On Wed, Mar 14, 2018, at 9:39 AM, Michael W. Lucas wrote:
>
> So long as you're on IPv4, flow-tools-ng is pretty decent. They
> haven't been updated because they work well enough. Not grand, but
> okay.
>
> And thanks for buying my book!
>
> ==ml
>
> On Tue, Mar 13, 2018 at 11:39:52AM -0400, Paul Ammann wrote:
> > Hi
> >
> > I've got a problem and I'm hoping OBSD may be able to solve my problem.
> >
> > We bought new firewalls in 2017, but they can only send flow traffic to a single destination. We need to send flow traffic to 3 destinations.
> >
> > I have a copy of Michael Lucas' book Network Flow Analysis, and I've been reading about flow-tools and flowd. Unfortunately there doesn't seem to have been a lot of development on these tools since 2010.
> >
> > Are there any other tools that I may have missed that would help me solve my problem?
> >
> > Thank you in advance.
> >
> > Paul
>
> --
> Michael W. Lucas https://mwl.io/
> nonfiction: https://www.michaelwlucas.com/
> fiction: https://www.michaelwarrenlucas.com/