[pmacct-discussion] nfprobe and nfacctd

Alexander 'Leo' Bergolth
Sun, 03 Feb 2008 03:55:11 -0800

Hi!

I'm trying to configure a netflow probe and collector using 
pmacctd/nfprobe and nfacctd.

At the probe, I'm aggregating traffic on host and port, according to the 
FAQ (Q6) separated for inbound and outbound traffic. So far (for testing 
purposes) only the inbound plugin is active.

aggregate[inbound]: dst_host, dst_port

Using this configuration, I'd expect the netflow packets to contain only 
0.0.0.0 as src_host and src_port.
However, printing those packets with flow-tools shows the following results:
-------------------- 8< --------------------
# flow-receive -V5 0/0/2100 | flow-print -f3 -l
srcIP            dstIP            prot  srcPort  dstPort  octets      packets
203.68.227.15    192.168.60.233   17    0        0        46          1
216.73.86.106    195.202.144.148  6     80       0        2964        10
91.65.194.94     195.202.144.148  17    0        0        395         1
91.65.194.94     192.168.60.102   17    0        0        395         1
[...]
-------------------- 8< --------------------

The left-hand side contains arbitrary IP addresses, which IMHO shouldn't 
be there since I've already been aggregating at the probe.
Will I have to aggregate traffic again at the collector, if it has 
already been aggregated in a suitable format on the probe side?

Another question: If I enable the second probe plugin (outbound 
traffic), will I have to set different nfprobe_engine ids and types for 
each plugin and filter them into two sql-plugins using pre_tag_map on 
the collector-side?

Will there be any concurrent access problems when collecting incoming 
and outgoing traffic from different probes? (I'd like to use sqlite as a 
first shot.)

Btw: Allowing MAC aggregation for link type 113 would really be nice, 
since this link type (Linux cooked, DLT_LINUX_SLL) is used not only for 
ppp but also for many other interfaces like the "any" interface on 
Linux. See "man 3 pcap" for info on DLT_LINUX_SLL.

Cheers,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu-wien.ac.at
fax      ::: +43-1-31336-906050
location ::: Computer Center | Vienna University of Economics | Austria


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists