Hi Mario,
I tried a pretag.map like this:
set_tag=100 ip=0.0.0.0/0 direction=0
set_tag=200 ip=0.0.0.0/0 direction=1
Unfortunately that did not work as expected :/
All my flows are tagged 100 (in) and so injected into my in table.
It's strange because, quoting Paolo from another thread:
You can use pre-tagging (pre_tag_map) to do it. How simple or how tricky
this is depends on the NetFlow version and exporter: 1) NetFlow v9 and IPFIX
have a direction field (0 = ingress, 1 = egress)
This is exactly what I wanted.
To my other point, adding the tag field in the aggregate directive solved my
problem. This value is correctly reported to the "agent_id" sql column.
btw, I've read in the changelog that the "agent_id" column was renamed
to "tag" in the last version.
SQL plugins: agent_id, agent_id2 fields renamed to tag, tag2. Issued SQL
table schema #9 for agent_id backward compatibility. Renaming agent_id2
to tag2 is going to be disruptive to existing deployments instead.
So I am supposed to use the v9 sql schema? (I think tag is far clearer
than agent_id).
Thanks.
On 24/06/2014 10:32, Jentsch, Mario wrote:
Hey Raphael,
we use the 1st tag to distinguish ingress and egress of IPv4 and IPv6:
! tag=1 - inbound IPv4 traffic
! tag=2 - outbound IPv4 traffic
! tag=3 - inbound IPv6 traffic
! tag=4 - outbound IPv6 traffic
!
set_tag=1 ip=0.0.0.0/0 direction=0 filter='ip'
set_tag=2 ip=0.0.0.0/0 direction=1 filter='ip'
set_tag=3 ip=0.0.0.0/0 direction=0 filter='ip6'
set_tag=4 ip=0.0.0.0/0 direction=1 filter='ip6'
set_tag=0 ip=0.0.0.0/0
!
This may also work for your setup...
Regards,
Mario
-----Original Message-----
From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net]
On Behalf Of Raphael Mazelier
Sent: Monday, 23 June 2014 14:31
To: pmacct-discussion@pmacct.net
Subject: [pmacct-discussion] Splitting In and Out traffic, and others questions
Hi Paolo, All,
First I would like to thank you Paolo for this great piece of software!
Thanks to my predecessor (hi Pym) I already have a working pmacctd
installation which is doing accounting on my network :)
I have some questions though:
I have enabled inbound accounting in my network.
I want to distinguish in and out traffic.
For now I do something like this, using pre_tag filter:
# more /etc/pmacct/pretag.map
set_tag=100 ip=158.58.176.2 in=527
set_tag=100 ip=158.58.176.2 in=528
set_tag=100 ip=158.58.176.2 in=530
...
set_tag=200 ip=158.58.176.2 out=527
set_tag=200 ip=158.58.176.2 out=528
set_tag=200 ip=158.58.176.2 out=530
...
# more /etc/pmacct/nfacctd.conf
...
pre_tag_filter[in_hour]: 100
pre_tag_filter[out_hour]: 200
...
! sql outbound by hour
sql_refresh_time[out_hour]: 300
sql_history[out_hour]: 5m
sql_history_roundoff[out_hour]: m
sql_table[out_hour]: netflow_out_hour_%Y%m%d_%H
sql_table_schema[out_hour]: /etc/pmacct/netflow_out_hour.schema
! sql inbound by hour
sql_refresh_time[in_hour]: 300
sql_history[in_hour]: 5m
sql_history_roundoff[in_hour]: m
sql_table[in_hour]: netflow_in_hour_%Y%m%d_%H
sql_table_schema[in_hour]: /etc/pmacct/netflow_in_hour.schema
It's working well, but I wonder if there exists another, clearer/simpler
method? Because I have to maintain the pretag.map.
Or perhaps I could mix In and Out flux in the sql table (but make the
table much bigger).
Side question about the pretag filter: the "tag" field in sql is always at
'0'? This is not blocking but I wonder why?
Another question about BGP src_as and dst_as fields:
Depending on the direction the src_as or the dst_as is correctly
filled, but not the other, which is always '0'? I would assume that it
will be my AS number? Do I have to deal with a network filter?
I have many other questions, but for now I think that is sufficient :)
best,
--
Raphael Mazelier
AS39605
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists