Bug #14747
closed
softflowd sending same data with different snmp versions
0%
Description
My environment:
SG-4100 23.05.1, packages up to date and System patches applied.
sotflowd running on LAN, WIFI and MGMT interfaces only.
Graylog version 5.1.4 | mongodb 6.0.8 | elasticsearch 7.10.2 | Input NetFlow UDP
What I'm trying to do:
I'm sending Netflow data from pfSense (softflowd) to a Graylog server.
I'm using Graylog to sum the amount of data passed through an interface, to get a list of top Talkers in a determined time frame.
What I observed:
I noticed that the sum in Graylog is not matching the data because the same flow is sent sometimes twice, sometimes three times.
What differs from these sent flows from softflowd to Graylog are the nf_input_snmp, nf_snmp_output and nf_flow_packet_id fields.
Here are the three flows expanded in details:
I've been trying to see if there is a pattern here, and it seems that: (take the statement below with a grain of salt).
Intervlan traffic is sent three times, with all the snmp versions.
Traffic from LAN to WAN, or WIFI to WAN, or MGMT to WAN is sent twice, with SNMP versions 2 and 3 only.
Files
| clipboard-202309041446-etky4.png (64.1 KB) clipboard-202309041446-etky4.png | one flow sent three times with diff snmp versions |
Updated by 
Updated by