pmacct-discussion  

Re: [pmacct-discussion] nfprobe and nfacctd

Alexander 'Leo' Bergolth
Wed, 06 Feb 2008 02:58:19 -0800

On 02/04/2008 01:20 PM, Paolo Lucente wrote:
> On Sun, Feb 03, 2008 at 12:55:00PM +0100, Alexander 'Leo' Bergolth wrote:
> 
>> aggregate[inbound]: dst_host, dst_port
>>
>> Using this configuration, I'd expect the netflow packets to contain only 
>> 0.0.0.0 as src_host and src_port.
>> However printing those packets with flow-tools, shows the following results:
>> -------------------- 8< --------------------
>> # flow-receive -V5 0/0/2100 | flow-print -f3 -l
>> srcIP            dstIP            prot  srcPort  dstPort  octets      packets
>> 203.68.227.15    192.168.60.233   17    0        0        46          1
>> 216.73.86.106    195.202.144.148  6     80       0        2964        10
>> 91.65.194.94     195.202.144.148  17    0        0        395         1
>> 91.65.194.94     192.168.60.102   17    0        0        395         1
>> [...]
>> -------------------- 8< --------------------
>>
>> The left hand side contains arbitrary ip addresses, which IMHO shouldn't 
>> be there since I've already been aggregating at the probe.
>> Will I have to aggregate traffic again at the collector, if it has 
>> already been aggregated in a suitable format on the probe side?
> 
> It really depends on the NetFlow version you are exporting the flows. In
> fact NetFlow v5 doesn't support aggregation at all, ie. the flow structure
> doesn't include a packets counter field. NetFlow v9 solves this issue and
> you should be able to verify it by appending to your config the following
> line:
> 
> nfprobe_version[inbound]: 9

OK, I've tried version 9 now with the following aggregation directives, 
but I'm still getting multiple flows for different foreign (src_host) 
hosts and one local (dst_host) host...

aggregate_filter[inbound]: dst net 192.168.0.0/16 and not src net 192.168.0.0/16 and src port 80
aggregate[inbound]: dst_host, src_port, proto

-------------------- 8< --------------------
DEBUG ( inbound/nfprobe ): ADD FLOW seq:1 [89.149.217.215]:80 <> [192.168.60.4]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:2 [89.149.217.214]:80 <> [192.168.60.101]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:3 [62.146.108.150]:80 <> [192.168.60.4]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:4 [62.146.108.150]:80 <> [192.168.60.101]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:5 [80.240.229.101]:80 <> [192.168.60.4]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:6 [192.168.60.101]:0 <> [194.232.104.21]:80 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:7 [80.240.229.101]:80 <> [192.168.60.103]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:8 [192.168.60.101]:0 <> [194.232.105.164]:80 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:9 [192.168.60.101]:0 <> [213.90.74.22]:80 proto:6
-------------------- 8< --------------------

Any hints?

Thanks,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu-wien.ac.at
fax      ::: +43-1-31336-906050
location ::: Computer Center | Vienna University of Economics | Austria
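As an added illustration (not pmacct code, and not from the thread), the following applies the `aggregate_filter` and `aggregate[inbound]: dst_host, src_port, proto` semantics from the message above to the quoted DEBUG flows: the filter keeps only flows whose destination is in 192.168.0.0/16, whose source is outside it and whose source port is 80, and aggregation then collapses the survivors on the three key fields, zeroing everything else (the `flows` counter and the record layout are this example's own).

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the nine DEBUG lines quoted in the message above.
DEBUG_LINES = """\
DEBUG ( inbound/nfprobe ): ADD FLOW seq:1 [89.149.217.215]:80 <> [192.168.60.4]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:2 [89.149.217.214]:80 <> [192.168.60.101]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:3 [62.146.108.150]:80 <> [192.168.60.4]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:4 [62.146.108.150]:80 <> [192.168.60.101]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:5 [80.240.229.101]:80 <> [192.168.60.4]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:6 [192.168.60.101]:0 <> [194.232.104.21]:80 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:7 [80.240.229.101]:80 <> [192.168.60.103]:0 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:8 [192.168.60.101]:0 <> [194.232.105.164]:80 proto:6
DEBUG ( inbound/nfprobe ): ADD FLOW seq:9 [192.168.60.101]:0 <> [213.90.74.22]:80 proto:6
"""

FLOW_RE = re.compile(r"ADD FLOW seq:\d+ \[([\d.]+)\]:(\d+) <> \[([\d.]+)\]:(\d+) proto:(\d+)")
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")
FIELDS = ("src_host", "src_port", "dst_host", "dst_port", "proto")

def parse_flows(text):
    """Turn nfprobe DEBUG lines into flow dicts; left side is treated as src."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            flows.append(dict(zip(FIELDS, (src, int(sport), dst, int(dport), int(proto)))))
    return flows

def matches_filter(flow):
    """aggregate_filter: dst net 192.168.0.0/16 and not src net 192.168.0.0/16 and src port 80."""
    return (ipaddress.ip_address(flow["dst_host"]) in LOCAL_NET
            and ipaddress.ip_address(flow["src_host"]) not in LOCAL_NET
            and flow["src_port"] == 80)

def aggregate(flows, keys):
    """Collapse filtered flows on `keys`; non-key fields become 0.0.0.0 / 0."""
    counts = Counter(tuple(f[k] for k in keys) for f in flows if matches_filter(f))
    records = []
    for key, n in counts.items():
        rec = {"src_host": "0.0.0.0", "src_port": 0, "dst_host": "0.0.0.0", "dst_port": 0, "proto": 0}
        rec.update(zip(keys, key))
        rec["flows"] = n  # example-specific: number of raw flows merged into this record
        records.append(rec)
    return sorted(records, key=lambda r: ipaddress.ip_address(r["dst_host"]))

if __name__ == "__main__":
    for rec in aggregate(parse_flows(DEBUG_LINES), ("dst_host", "src_port", "proto")):
        print(rec)
```

Flows 6, 8 and 9 of the quoted output do not match the filter as written, because their 192.168 address is on the source side; the remaining six collapse into three records, one per local destination host.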


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists