
Re: dup-to problem with specific packets



On 4/14/05, Michael W. Lucas <[email protected]> wrote:
> On Wed, Apr 13, 2005 at 07:55:22PM +0100, Kimi Ostro wrote:
> > On 4/11/05, Michael W. Lucas <[email protected]> wrote:
> > > Hi,
> > >
> > > I'm trying to duplicate packets matching one particular rule.
> > >
> > > Background: I have softflowd running on OpenBSD 3.5 i386.  This is
> > > exporting flows to a logging host.  Works beautifully.
> > >
> > > The old logging host is being replaced.  I would like to run the two
> > > logging hosts in parallel temporarily, until I'm sure all the bugs are
> > > out of the new one.
> > >
> > > While I could fire up a second instance of softflowd, it seems like
> > > this would be a good application of dup-to.  I don't want to duplicate
> > > the entire mass of traffic going through this box, just the netflow
> > > packets.
> > >
> > > pass out on $int_if proto udp from any to a.b.c.251 port 8641 dup-to ($int_if a.b.c.252)
> > >
> > Should probably read:
> > pass out on $int_if proto udp from any to a.b.c.251 port 8641 (dup-to a.b.c.252)
> 
> Thanks, but that doesn't do it either.  :-(  Any other suggestions?
> 
> The rule parses perfectly if I put a # sign right before the dup-to,
> so I know the rest of it is correct.
> 
> I'm sending this duplicate out via the same interface as the original
> packet, could that be the problem?  The samples tend to show people
> dumping traffic over a different NIC, but that won't work in this
> case.  Since netflow transmission is stateless I wasn't expecting any
> sort of trouble, but I freely admit that lots of people here know more
> than I do.  :-)
> 
> ==ml
> 
> --
> Michael W. Lucas        [email protected], [email protected]
>                 http://www.BlackHelicopters.org/~mwlucas/
>                Latest book: Cisco Routers for the Desperate
>                 http://www.CiscoRoutersForTheDesperate.com
> 
After doing a little more reading, the syntax is wrong on our parts, try:
pass out on $int_if dup-to ($int_if a.b.c.252) proto udp from any to a.b.c.251 port 8641
Kimi
-- 
spamassassinexception