Port Mirror Question

[jmilleriec]

So I've got a port mirror on my switch connected an ubuntu machine that is running the GoFlow docker container, its unclear to me how I might be able to have the packets coming in on that interface sent to the GoFlow collector. I'd love to be able to use GoFlow to monitor our networks with either a mirror or a tap.

Apologies if this isn't the appropriate place for this question.

I know the port mirror interface is working, TCPDump was seeing the appropriate packets coming through.

Any thoughts would be greatly appreciated.

Thanks, Jim

[lspgn]

Hi Jim, Unfortunately GoFlow does not capture raw packets. It only captures sFlow and NetFlow/IPFIX protocols, the former contains raw packet headers. You could eventually have something that pcap and convert to the protobuf but this is out of the scope of GoFlow (additionally, you may not be able to process a high volume of pps if GoFlow is not load-balanced). My suggestion would be for the switch to send samples using sFlow to a collector (or in the future in the GoFlow2 repository: IPFIX line monitoring). Or use something like hsflowd/nProbe on the machines that generate traffic and send it to GoFlow.

I would also advise using GoFlow2 which is more updated now.

[jmilleriec]

Really helpful, thank you so much, i've installed pmacct and I'm working on pushing that into goflow. I'll check into golfow2, i have been using nprode/ntopng, but was looking for an alternative and something that i could have more direct access to the data. Thanks again for your help...