Hello,

If you wish to account with ipt-netflow module traffic mirrored on switch you may follow
 one of these examples:


   Solution 1: Promisc-hack module option. [2014]
   Solution 2: General kernel patch. [2008]
   Solution 3: Alternative w/o kernel patch, using bridges. [2010]


    **************
    * Solution 1 *
    **************

   No kernel patching is need anymore! (As in easy.)

   Compile module with `./configure --enable-promisc' option. This will enable
  `promisc=' module parameter and sysctl parameter `net.netflow.promisc'.
  Set any of these to `1' to enable promisc hack, you will see dmesg message
  that it's enabled, set to `0' to disable (default).

   This option turned on will pass promisc traffic into `PREROUTING' chain
  of `raw' table (same as with promisc patches). Briefly it's like this:

   # cd ipt-netflow/
   # ./configure --enable-promisc
   # make all install
   # iptables -A PREROUTING -t raw -i eth2 -j NETFLOW
   # sysctl net.netflow.promisc=1
   # ifconfig eth2 promisc
   # grep Promisc /proc/net/stat/ipt_netflow

   Now you should be able to see promisc observed packets count increasing.

   Note, that enabling module's parameter promisc=1 will not enable promiscuous
  mode on network cards, these are completely different things. This option will
  let iptables to see promisc traffic. That traffic will not be routed anywhere
  and discarded just after passing PREROUTING chain.

   Do not enable this option if you have kernel already patched with promisc
  patch, as this may cause double accounting. Just keep it disabled or remove
  the patch. Promisc patching is completely custom and non-standard, so if you
  did not apply it - you are most probably safe to use promisc option. But, if
  in doubt - measure if module seeing traffic in raw/PREROUTING, if it isn't - you
  don't have the patch applied and certainly safe to use the option.



    **************
    * Solution 2 *
    **************

1. Patch your kernel with `raw_promisc.patch' to enable raw table to see promisc traffic.

 # cd /usr/src/linux
 # patch -p1 < ~/ipt_netflow/raw_promisc.patch

 Then recompile and reinstall patched kernel.

2. For example you mirroring traffic on your Cisco switch to 47th vlan:

 # interface FastEthernet0/32
 # description this port with vlan 47
 # switchport trunk encapsulation dot1q
 # switchport mode trunk
 # !
 # interface FastEthernet0/33
 # port monitor FastEthernet0/32
 # !

3. Enable promisc mode on interface to actually see the packets:

 # /sbin/ifconfig eth1 promisc

4. Configure vlan on your linux box:

 # /sbin/vconfig add eth1 47
 # /sbin/ifconfig eth1.47 up

5. Compile module:

 # make clean all install

6. Load ipt_netflow module:

 # /sbin/modprobe ipt_NETFLOW hashsize=160000 destination=127.0.0.1:9800

7. Direct all packets from 47th vlan to ipt_netflow module:

 # /sbin/iptables -A PREROUTING -t raw -i eth1.47 -j NETFLOW

Voila.

ps. For Debian Squeeze instructions look at raw_promisc_debian_squeeze6.patch



    **************
    * Solution 3 *
    **************

By Anonymous.

> raw promisc hack is not needed
> there is a more elegant way to capture port mirrored traffic:
>
> 1. create a bridge of eth0 and dummy0
> 2. put eth0 to promisc
> 3. add a "-i br0 -j NETFLOW" rule to FORWARD (possibly also -j DROP after that)
>
> ...for some reason it works when ipt_netflow is attached to a bridge, but
> requires the promisc hack when attached to a real promisc interface.

Sometimes you may need to run:

 # brctl setageing br0 0

for this scheme to work.