pmacct-discussion  

Re: [pmacct-discussion] Multiple interfaces and netflow

alex
Sun, 18 May 2008 05:16:12 -0700

    Hi Jim,
    If you want to gather both in and out traffic you must use follow
instructions:

plugins: nfprobe
aggregate_filter: net 72.46.0.0/17

or more complex

plugins: nfprobe[in], nfprobe[out], nfprobe[all]
aggregate_filter[in]: dst net 72.46.0.0/17
aggregate_filter[out]: src net 72.46.0.0/17
aggregate_filter[all]: net 72.46.0.0/17

    When you have both in and out traffic separately you can also use
'net' aggragation for accumulate them in common statistics (see docs, i
don't test that variant):

aggregate[all-1]: net, ...

    And there is sense to make aggregation on nfacctd, not on agents.
Agents will only collect necessary traffic for nfacctd.

    Alex


> Hi Alex and thank you very much for the reply.  I went through your 
>posting carefully and experimented with your configurations, but I can't 
>seem to make this work.  The flow coming out of the nfprobe plugin still 
>seems to indicate that all traffic is inbound.  Were you able to get 
>pmacctd to generate either netflow or sflow that reports both in and out 
>traffic?
> 
> Thanks...
> Jim
> 
>>     See my letter from 23 Apr 2008 with theme 'best practice (additional
>> examples)'. It have attached my personal config.
>>
>>     Alex
>>
>>
>>> Hi All...
>>>
>>> I'm wondering if there are any docs or samples for configuring the
>>> netflow  and/or sflow plugins, beyond what accompanies the distribution
>>> of pmacct?  I'm still having the issue below.
>>>
>>> It seems that the plugins combine the in and out data together, and the
>>> flow collector can not separate it.  I must be configuring it wrong.
>>> Here  is the conf I have been experimenting with:
>>>
>>> ! pmacctd configuration
>>> !
>>> !
>>> !
>>> daemonize: false
>>> !debug: true
>>> interface: eth0
>>> plugins: nfprobe[out], nfprobe[in]
>>> !plugins: print[in], print[out]
>>> !plugins: memory[in], memory[out]
>>> !
>>> aggregate[in]: src_host, src_port, dst_host, dst_port, proto, flows, tos
>>> !aggregate_filter[in]: net 72.46.0.0/17
>>> nfprobe_receiver[in]: 72.46.65.58:9996
>>> nfprobe_version: 9
>>> !
>>> aggregate[out]: src_host, src_port, dst_host, dst_port, proto, flows, tos
>>> !aggregate_filter[out]: net 72.46.0.0/17
>>> nfprobe_receiver[out]: 72.46.65.58:9996
>>> nfprobe_version: 9
>>> !
>>>
>>> Any hints, please?

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists