I found an open source tool, Graylog, which can collect and analyze syslog, NetFlow, etc.
So I decided to configure pfSense to send syslog to this tool, and everything looks good.
Next I installed the softflowd package to export NetFlow data. I configured it to export NetFlow v9.
Now when I try to analyze the data I would like to see the traffic, and I found the nf_bytes and nf_in_bytes fields. To my understanding nf_bytes shows total traffic, nf_in_bytes shows inbound traffic, and nf_out_bytes is missing.
Or maybe the nf_bytes field shows outbound traffic and nf_in_bytes shows inbound traffic.
The most interesting thing is that both fields are equal. After googling about the out_bytes field in softflowd I found this post:
I still don't understand why FreeBSD can't send IN and OUT flows, but this topic gave me an idea: make new fields nf_src_bytes and nf_dst_bytes that, depending on the source and destination IP, should split the data the way I want.
I created two rules:
- If src_address contains 192.168.0.0/16 or 10.0.0.0/8 then copy nf_bytes to nf_dst_bytes
- If dst_address contains 192.168.0.0/16 or 10.0.0.0/8 then copy nf_bytes to nf_src_bytes
I thought it would sort things out, but the results disappointed me.
The data is different on pfSense and in Graylog.
Even more interesting is that nf_src_bytes and nf_dst_bytes are almost identical, but compared with the pfSense traffic graphs they should not be.
Does anyone know why this is happening and how to fix it?
If I'm understanding things wrong, can someone explain the situation to me or give me some useful links?
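An added example, not part of the original post or of Graylog or softflowd: a Python model of the two rules described in the post, run over a few constructed NetFlow-style records. The field names nf_src_address, nf_dst_address and nf_bytes are assumed to be the ones Graylog's NetFlow input produces, and the CIDR test uses the same two private ranges as the rules. It shows one property of the rules as written: they are independent checks rather than exclusive ones, so a record whose source and destination are both inside 192.168.0.0/16 or 10.0.0.0/8 (LAN-to-LAN, or LAN-to-VPN) satisfies both and has its byte count copied into both new fields, which pulls the two totals toward each other. It also shows a classification that assigns each record's bytes to exactly one of four buckets, so internal traffic stops being counted as WAN traffic in both directions.

```python
import ipaddress

# Constructed for this example: the two private ranges the post's rules test.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of INTERNAL_NETS (the rules' CIDR test)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def apply_post_rules(record: dict) -> dict:
    """The two rules from the post, applied to one flow record.

    Field names nf_src_address / nf_dst_address / nf_bytes are assumed.
    The rules are two independent 'if' checks, so one record can match both.
    """
    out = dict(record)
    if is_internal(record["nf_src_address"]):      # rule 1 from the post
        out["nf_dst_bytes"] = record["nf_bytes"]
    if is_internal(record["nf_dst_address"]):      # rule 2 from the post
        out["nf_src_bytes"] = record["nf_bytes"]
    return out


def classify(record: dict) -> str:
    """Assign each record to exactly one direction bucket."""
    src_in = is_internal(record["nf_src_address"])
    dst_in = is_internal(record["nf_dst_address"])
    if src_in and dst_in:
        return "internal"   # both ends private: never crossed the WAN
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"        # neither end is ours; unusual on an edge firewall


def totals_post_rules(records) -> dict:
    """Sum the two fields the post's rules produce across all records."""
    sums = {"nf_src_bytes": 0, "nf_dst_bytes": 0}
    for r in records:
        r = apply_post_rules(r)
        for key in sums:
            sums[key] += r.get(key, 0)
    return sums


def totals_by_direction(records) -> dict:
    """Sum nf_bytes per bucket; every record lands in exactly one bucket."""
    sums = {"inbound": 0, "outbound": 0, "internal": 0, "transit": 0}
    for r in records:
        sums[classify(r)] += r["nf_bytes"]
    return sums


# Constructed sample records (not a real export): a small web request from the
# LAN, its larger reply from the WAN, and two big LAN-to-LAN transfers.
RECORDS = [
    {"nf_src_address": "192.168.1.10", "nf_dst_address": "203.0.113.5", "nf_bytes": 1_000},
    {"nf_src_address": "203.0.113.5", "nf_dst_address": "192.168.1.10", "nf_bytes": 50_000},
    {"nf_src_address": "192.168.1.10", "nf_dst_address": "10.0.0.20", "nf_bytes": 80_000},
    {"nf_src_address": "10.0.0.20", "nf_dst_address": "192.168.1.10", "nf_bytes": 120_000},
]


if __name__ == "__main__":
    # The post's rules count the two internal transfers in both fields, so the
    # totals end up close to each other even though WAN traffic is 50:1 inbound.
    print("post rules:      ", totals_post_rules(RECORDS))
    print("one bucket each: ", totals_by_direction(RECORDS))
```

With the constructed records the post's rules give nf_dst_bytes = 201000 and nf_src_bytes = 250000, while the single-bucket classification gives outbound 1000, inbound 50000 and internal 200000. In a Graylog pipeline the same CIDR test is written with the built-in functions cidr_match and to_ip on the address field; whichever field names your input actually produces, check them on a single received message before writing the rules.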