We're trying to use nfacctd version 1.5.0rc2 to classify groups of traffic based on ip ranges within our network. We have Juniper routers configured with inline jflow. During a consistentcy test we discovered some traffic was missing.
In the example below we list all our networks in a filter. We tag 612 or 613 for inbound traffic, and tag 712 or 713 for outbound traffic. We see that traffic within our address block gets tagged with 901 or 902. This traffic either originates from or is destined to the listed blocks. Are there any reason why the filter shouldn't match this traffic? We also use nfacctd for replication in transparent mode in front of this instance. Our nfacctd.conf: nfacctd_port: 2102 nfacctd_ip: 0.0.0.0 nfacctd_time_new: true plugin_buffer_size: 10240 plugin_pipe_size: 1024000 pre_tag_map: pretag.conf plugins: print[dummy] pre_tag_filter[dummy]: 900-1000 print_refresh_time[dummy]: 10 aggregate[dummy]: tag,in_iface,out_iface,src_host,dst_host,src_as,dst_as Our pretag.conf: set_tag=612 ip=192.0.2.12 filter='dst net 198.51.100.0/24 or dst net 203.0.113.0/24 or dst net 192.0.2.0/24' set_tag=712 ip=192.0.2.12 filter='src net 198.51.100.0/24 or src net 203.0.113.0/24 or src net 192.0.2.0/24' set_tag=613 ip=192.0.2.13 filter='dst net 198.51.100.0/24 or dst net 203.0.113.0/24 or dst net 192.0.2.0/24' set_tag=713 ip=192.0.2.13 filter='src net 198.51.100.0/24 or src net 203.0.113.0/24 or src net 192.0.2.0/24' set_tag=901 ip=192.0.2.12 set_tag=902 ip=192.0.2.13 set_tag=999 ip=0.0.0.0/0 -- Kind regards, Martin Topholm
pgpPBZdmdTNqi.pgp
Description: PGP signature
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists