pmacct-discussion  

Re: [pmacct-discussion] Problems debugging netflow handling

Inge Bjørnvall Arnesen
Thu, 05 Jun 2008 08:00:21 -0700

Hi Alex,

Ah - yes - shorter lines - good idea! As for tcpdump'ing, I've done that and I 
see the netflow packets and that they contain reports for the 79.171.80.0/21 
network (intermingled with reports on the other networks), so I know they 
arrive safe and sound to granny Nfacct's house. It's from arrival on port 
2100/UDP and onwards where I'm kind of lost on how to debug.

All the best,

-- I.

-----Original Message-----
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of alex
Sent: 5. juni 2008 16:54
To: pmacct-discussion@pmacct.net
Subject: Re: [pmacct-discussion] Problems debugging netflow handling

   Hi Inge,
   Sorry, i can only advise to change:

dst net 81.93.160.0/20 or dst net 79.171.80.0/21 or dst net 195.225.0.0/19

   on:

dst net ( 81.93.160.0/20 or 79.171.80.0/21 or 195.225.0.0/19 )

   and for src net also.
   You can also start tcpdump and listen what you have on your interfaces
(where sfacctd are working).


   Alex


> Hi all,
> 
> 
> 
> I've been running pmacct with both memory and mysql backend for some time 
>and it has worked very well. I use pretag.map for filtering and as the 
>number of address ranges have increased, I've added to these rules. When I 
>added our third address range, however, none of the flows reported for this 
>range ends up in the memory or mysql databases and as far as I can see, 
>these are reported by our routers in the same way as all the others (same 
>routers, same interfaces, same scaling, same everything). Basically, I 
>don't know how to debug this problem. My pretag file is structured like 
>this (it is much larger with more interfaces and routers):
> 
> 
> 
> id=1039 ip=81.93.172.80         in=39 filter='dst net 81.93.160.0/20 or 
>dst net 79.171.80.0/21 or dst net 195.225.0.0/19' sampling_rate=1000
> 
> id=1040 ip=81.93.172.80         in=40 filter='dst net 81.93.160.0/20 or 
>dst net 79.171.80.0/21 or dst net 195.225.0.0/19' sampling_rate=1000
> 
> 
> 
> id=2039 ip=81.93.172.80         out=39 filter='src net 81.93.160.0/20 or 
>src net 195.225.0.0/19 or src net 79.171.80.0/21' sampling_rate=1000
> 
> id=2040 ip=81.93.172.80         out=40 filter='src net 81.93.160.0/20 or 
>src net 195.225.0.0/19 or src net 79.171.80.0/21' sampling_rate=1000
> 
> 
> 
> I have verified that the ranges 81.93.160.0/20 and 195.225.0.0/19 are 
>working well, but not a single entry has been created associated with the 
>79.171.80.0/21 network. As seen from the above snippet I have tried 
>variations of the sequence of networks in the filter string, but that does 
>not matter. Also, the IDs used for the other nets are the same, so the IDs 
>are thus properly set up in the pmacctd.conf file. How can I go about 
>debugging this on a live system?  Maybe I'm just blind to the obvious - 
>that has happened before... many times.
> 
> All the best,
> 
> -- Inge
                


------
Так много можно сказать! Так мало нужно платить! Абоненты тарифных планов 
'Свои люди' и 'Люблю поговорить' говорят внутри сети 'БеСТ' всего от 
10 рублей за минуту разговора. Подробности на сайте http://www.best.by.


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists