Monitor PFsense with 2 LANs with Softflowd/Netflow

Votes:

0

I want to monitor a PFsense router with 3 interfaces: WAN = [bge0] / LAN = [em1] / Optional = [em0]. Softflowd is installed on the PFsense router with the following configuration:

softflowd -i em1 -v 5 -m 65000 -n 192.168.0.4:9997 -t maxlife=5m

The Optional [em0] interface is a second LAN connecting to another network. How do I set up Netflow sensors for IPs on LAN [em1] and filter out ALL traffic between em1 and em0 so only traffic between em1 and Bge0 is counted?

exclude-traffic netflow pfsense

Created on Jul 31, 2011 11:26:17 AM



4 Replies

Votes:

0

I have since changed the Softflowd config to:

softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m

Created on Aug 1, 2011 1:17:13 PM



Votes:

0

I've created several Netflow V9 sensors: UDP port 9996, timeout 6 minutes, include filter IP[192.168.25.40], and several more with different IPs.

Checking the toplist of any filter, say from 11:00 AM to 11:15 AM, the #1 and #2 items are well over 3,000 KByte, plus several more above 500 KByte. This is a 15-minute span in the toplist. If I go to history and choose 10:00 AM to 11:00 AM, I see total usage of just over 1,000 KByte.

Now, if the toplist shows what looks like correct usage, why does it not show up in the history or live data?

Created on Aug 4, 2011 3:42:55 PM



Votes:

0

Instead of playing with include filters on your PRTG sensor, you can use a Berkeley Packet Filter (tcpdump syntax) at the end of your softflowd execution line. Something like this:

If all of the networks on em1 and Bge0 are known:

softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m "net em1_NET and net Bge0_NET"

If all of the possible subnets are not known on one of the interfaces, then, assuming you have only one other interface em0, change the filter to something like:

"not net em0_NET"

Created on Aug 18, 2011 2:49:11 PM



Votes:

0

Thanks for the tip. When I tried it I got Unknown error:

[2.0-RC3][[email protected]]/root(2): softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m "not net em0_NET"
pcap_compile("not net em0_NET"): unknown network 'em0_NET'

Created on Aug 18, 2011 5:14:57 PM
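
Added example, not part of the original thread: em0_NET in the suggested filter stands for a network, and pcap's "net" primitive accepts only a network number such as a CIDR block or a name from the networks database. The script below derives the CIDR block from an interface address and prefix length and builds the exclusion filter; the em0 address 192.168.2.1/24 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build the pcap filter for softflowd from an interface address.
# Addresses are constructed sample values; function names are hypothetical.

# ip_to_int A.B.C.D -> prints the address as an integer, fails on bad input
ip_to_int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_network ADDR/LEN -> prints NETWORK/LEN with the host bits cleared.
# pcap rejects a CIDR block that still has host bits set.
cidr_network() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no "/" present
    case "$len" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=$(ip_to_int "$addr") || return 1
    if [ "$len" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - $len)) & 4294967295 )); fi
    n=$(( $n & $mask ))
    echo "$(( ($n >> 24) & 255 )).$(( ($n >> 16) & 255 )).$(( ($n >> 8) & 255 )).$(( $n & 255 ))/$len"
}

# exclude_filter ADDR/LEN -> prints a filter dropping flows to or from that network
exclude_filter() {
    net=$(cidr_network "$1") || return 1
    echo "not net $net"
}

EM0_ADDR="192.168.2.1/24"   # constructed: address and prefix length of em0
filter=$(exclude_filter "$EM0_ADDR") || { echo "bad address: $EM0_ADDR" >&2; exit 1; }
echo "softflowd -i em1 -v 9 -m 65000 -n 192.168.0.4:9996 -t maxlife=5m \"$filter\""
```

Before restarting softflowd, the resulting expression can be compiled with tcpdump -i em1 -d "not net 192.168.2.0/24", which uses the same pcap filter syntax and reports errors without capturing traffic.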



