Hi Martin, To clarify: no traffic at all, both originated from and delivered to your address blocks listed, gets tagged with 612/613/712/713. Correct? Or some is and some is not?
Any chance the traffic is VLAN-tagged and/or MPLS-labelled and VLAN tag and/or MPLS labels are exposed to pmacct via IPFIX? In such a case you should reflect this in the filter, ie. 'vlan and ...', 'mpls and ...' or 'vlan and mpls and ...'. Otherwise feel free to send me privately a brief capture of your IPFIX traffic so to better understand what is the issue. Cheers, Paolo On Fri, Jan 10, 2014 at 03:20:58PM +0100, Martin Topholm wrote: > We're trying to use nfacctd version 1.5.0rc2 to classify groups of > traffic based on ip ranges within our network. We have Juniper routers > configured with inline jflow. During a consistentcy test we discovered > some traffic was missing. > > In the example below we list all our networks in a filter. We tag 612 > or 613 for inbound traffic, and tag 712 or 713 for outbound traffic. We > see that traffic within our address block gets tagged with 901 or 902. > > This traffic either originates from or is destined to the listed blocks. > Are there any reason why the filter shouldn't match this traffic? > > We also use nfacctd for replication in transparent mode in front of > this instance. > > Our nfacctd.conf: > > nfacctd_port: 2102 > nfacctd_ip: 0.0.0.0 > nfacctd_time_new: true > > plugin_buffer_size: 10240 > plugin_pipe_size: 1024000 > pre_tag_map: pretag.conf > plugins: print[dummy] > pre_tag_filter[dummy]: 900-1000 > print_refresh_time[dummy]: 10 > aggregate[dummy]: tag,in_iface,out_iface,src_host,dst_host,src_as,dst_as > > Our pretag.conf: > > set_tag=612 ip=192.0.2.12 filter='dst net 198.51.100.0/24 or dst net > 203.0.113.0/24 or dst net 192.0.2.0/24' > set_tag=712 ip=192.0.2.12 filter='src net 198.51.100.0/24 or src net > 203.0.113.0/24 or src net 192.0.2.0/24' > set_tag=613 ip=192.0.2.13 filter='dst net 198.51.100.0/24 or dst net > 203.0.113.0/24 or dst net 192.0.2.0/24' > set_tag=713 ip=192.0.2.13 filter='src net 198.51.100.0/24 or src net > 203.0.113.0/24 or src net 192.0.2.0/24' > set_tag=901 ip=192.0.2.12 > set_tag=902 ip=192.0.2.13 > set_tag=999 ip=0.0.0.0/0 > > -- > Kind regards, > Martin Topholm > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
