cancel
Showing results for 
Search instead for 
Did you mean: 
jspanitz
Level 7

Web Gateway Flow Data Support

I thought I asked this before but could not find it.  Is there support for flow (netflow, sflow, jflow, etc) data from MWG 7.x?  We really need this as a troubleshooting tool.

0 Kudos
3 Replies
brinkn
Level 9

Re: Web Gateway Flow Data Support


OK, I thought this was a pretty cool idea. 

/*Start Disclaimer

I did this with a lab setup, and Im pretty sure it could cause performance impacts, and void you warranty, and potentially bring about the end of the know universe.

End Disclaimer*/

Here is what I did:

Downloaded fprobe from: http://fprobe.sourceforge.net/

I compiled fprobe on a development box and copied the ./src/fprobe file to my webgateway v7.3 box.

I then started fprobe on the webgateway:

./fprobe -i INTERFACE_TO_MONITOR IP_OF_COLLECTOR:9995

Low and behold it started sending netflow.

Im sure there are a lot of other thnigs that can be done such as using fprobe-ulog, configuring fprobe to do multiple interfaces,  other formats, etc, but I figure this may get teh ball rolling any other people can throw out ideas as well.

0 Kudos
eelsasser
Level 15

Re: Web Gateway Flow Data Support

I started to do the same thing, but got sidetracked and never finished. So kudos, Nick, on getting further.

But as i thought about it, wouldn't the actual data that you are capturing only represent one flow from the client to the proxy, and another flow from the proxy to the site?

I suspect John is trying to get the end-to-end relationship between client IP and web server IP. I'm not so sure that  will happen, even in transparent bridge.

i don't know what raw netflow data looks like, so i am speculating.

0 Kudos
brinkn
Level 9

Re: Web Gateway Flow Data Support

I think you are right.  I have been contemplating this since reading the OP.  I cant see any solution where you can get a Netflow V9 type packet where you know what the NAT translation is.  I am not running a transparent proxy so I dont know how the host is configured in that scenario, but using an explicit proxy I assume the mwg process does the translation from interfaces and does not depend on iptables for the routing.  So in my scenario I am not giving anything more then what you would get from the nearest switch.

0 Kudos