We're trying to use nfacctd version 1.5.0rc2 to classify groups of
traffic based on ip ranges within our network. We have Juniper routers
configured with inline jflow. During a consistency test we discovered
some traffic was missing.

In the example below we list all our networks in a filter. We tag 612
or 613 for inbound traffic, and tag 712 or 713 for outbound traffic. We
see that traffic within our address block gets tagged with 901 or 902.

This traffic either originates from or is destined to the listed blocks.
Is there any reason why the filter shouldn't match this traffic?

We also use nfacctd for replication in transparent mode in front of
this instance.

Our nfacctd.conf:

    nfacctd_port: 2102
    nfacctd_ip: 0.0.0.0
    nfacctd_time_new: true

    plugin_buffer_size: 10240
    plugin_pipe_size: 1024000
    pre_tag_map: pretag.conf
    plugins: print[dummy]
    pre_tag_filter[dummy]: 900-1000
    print_refresh_time[dummy]: 10
    aggregate[dummy]: tag,in_iface,out_iface,src_host,dst_host,src_as,dst_as

Our pretag.conf:

    set_tag=612 ip=192.0.2.12 filter='dst net 198.51.100.0/24 or dst net 203.0.113.0/24 or dst net 192.0.2.0/24'
    set_tag=712 ip=192.0.2.12 filter='src net 198.51.100.0/24 or src net 203.0.113.0/24 or src net 192.0.2.0/24'
    set_tag=613 ip=192.0.2.13 filter='dst net 198.51.100.0/24 or dst net 203.0.113.0/24 or dst net 192.0.2.0/24'
    set_tag=713 ip=192.0.2.13 filter='src net 198.51.100.0/24 or src net 203.0.113.0/24 or src net 192.0.2.0/24'
    set_tag=901 ip=192.0.2.12
    set_tag=902 ip=192.0.2.13
    set_tag=999 ip=0.0.0.0/0

-- 
Kind regards,
Martin Topholm
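
A check for the consistency test described above, added here as an example and not part of the original post or of pmacct: it scans rows tagged 901 or 902 and reports those whose source or destination lies in the listed networks, together with the tag the filter entries should have set. The comma-separated `tag,src_host,dst_host` row layout and the sample rows are constructed, and top-to-bottom first-match evaluation of the map is assumed.

```python
import ipaddress

# Networks listed in the pretag.conf filters above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24")]
# Catch-all tag -> (inbound tag, outbound tag) of the same exporter in pretag.conf.
SPECIFIC = {901: (612, 712), 902: (613, 713)}


def in_local(addr):
    """True if addr parses as an IP and falls inside a listed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip.version == n.version and ip in n for n in LOCAL_NETS)


def expected_tag(tag, src, dst):
    """Tag the map should assign, assuming the first matching entry wins."""
    if tag not in SPECIFIC:
        return tag
    inbound, outbound = SPECIFIC[tag]
    if in_local(dst):
        return inbound  # the 'dst net' entry precedes the 'src net' entry
    if in_local(src):
        return outbound
    return tag


def find_missed(rows):
    """Rows carrying a catch-all tag although a filter entry should match."""
    missed = []
    for line in rows:
        fields = [f.strip() for f in line.split(",")]
        tag, src, dst = int(fields[0]), fields[1], fields[2]
        want = expected_tag(tag, src, dst)
        if want != tag:
            missed.append((tag, want, src, dst))
    return missed


# Constructed sample rows (hypothetical layout: tag,src_host,dst_host).
SAMPLE_ROWS = [
    "901,198.51.100.7,10.1.1.1",    # source inside a listed network
    "902,10.2.2.2,203.0.113.9",     # destination inside a listed network
    "901,10.3.3.3,10.4.4.4",        # neither side listed: 901 is correct
    "902,192.0.2.50,198.51.100.8",  # both sides listed: 'dst net' entry first
    "999,10.5.5.5,10.6.6.6",        # unknown exporter, not checked
]

if __name__ == "__main__":
    for tag, want, src, dst in find_missed(SAMPLE_ROWS):
        print(f"tagged {tag}, expected {want}: {src} -> {dst}")
```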

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists