Hi Raphael,

looks like the field "direction" is not set in your netflow v? data.

Depending on your devices that export the netflow data another way may be to 
export ingress and egress to different collector instances.

I can't say anything to the sql_plugin setup...

Regards,
Mario

> -----Original Message-----
> From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net]
> On Behalf Of Raphael Mazelier
> Sent: Tuesday, 24 June 2014 13:01
> To: pmacct-discussion@pmacct.net
> Subject: Re: [pmacct-discussion] Splitting In and Out traffic, and others
> questions
> 
> Hi Mario,
> 
> I tried a pretag.map like this:
> 
> set_tag=100 ip=0.0.0.0/0 direction=0
> set_tag=200 ip=0.0.0.0/0 direction=1
> 
> Unfortunately that did not work as expected :/
> 
> All my flows are tagged 100 (in) and so injected into my in table.
> 
> It's strange because quoting Paolo from another thread:
> 
> > You can use pre-tagging (pre_tag_map) to do it. How simple or how tricky
> > this is depends on the NetFlow version and exporter: 1) NetFlow v9 and IPFIX
> > have a direction field (0 = ingress, 1 = egress)
> 
> This is exactly what I wanted.
> 
> To my other point, adding the tag field in the aggregate directive solved my
> problem. This value is correctly reported to the "agent_id" sql column.
> 
> btw, I've read in the changelog that the "agent_id" column was renamed
> to "tag" in the last version.
> 
> > SQL plugins: agent_id, agent_id2 fields renamed to tag, tag2. Issued SQL
> >     table schema #9 for agent_id backward compatibility. Renaming agent_id2
> >     to tag2 is going to be disruptive to existing deployments instead.
> 
> So I am supposed to use the v9 sql schema? (I think tag is far more clear
> than agent_id).
> 
> Thks.
> 
> 
> On 24/06/2014 10:32, Jentsch, Mario wrote:
> > Hey Raphael,
> >
> > we use the 1st tag to distinguish ingress and egress of IPv4 and IPv6:
> >
> > ! tag=1      - inbound IPv4 traffic
> > ! tag=2      - outbound IPv4 traffic
> > ! tag=3      - inbound IPv6 traffic
> > ! tag=4      - outbound IPv6 traffic
> > !
> > set_tag=1 ip=0.0.0.0/0 direction=0 filter='ip'
> > set_tag=2 ip=0.0.0.0/0 direction=1 filter='ip'
> > set_tag=3 ip=0.0.0.0/0 direction=0 filter='ip6'
> > set_tag=4 ip=0.0.0.0/0 direction=1 filter='ip6'
> > set_tag=0 ip=0.0.0.0/0
> > !
> >
> > This may also work for your setup...
> >
> > Regards,
> > Mario
> >
> >> -----Original Message-----
> >> From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net]
> >> On Behalf Of Raphael Mazelier
> >> Sent: Monday, 23 June 2014 14:31
> >> To: pmacct-discussion@pmacct.net
> >> Subject: [pmacct-discussion] Splitting In and Out traffic, and others questions
> >>
> >> Hi Paolo, All,
> >>
> >> First I would thank you Paolo for this great piece of software !
> >> Thanks to my predecessor (hi Pym) I already have a working pmacctd
> >> installation which is doing accounting on my network :)
> >>
> >> I have some questions though:
> >>
> >> I have enabled inbound accounting in my network.
> >> I want to distinguish in and out traffic.
> >> For now I make something like this, using pre_tag filter :
> >>
> >> # more /etc/pmacct/pretag.map
> >> set_tag=100 ip=158.58.176.2 in=527
> >> set_tag=100 ip=158.58.176.2 in=528
> >> set_tag=100 ip=158.58.176.2 in=530
> >> ...
> >>
> >> set_tag=200 ip=158.58.176.2 out=527
> >> set_tag=200 ip=158.58.176.2 out=528
> >> set_tag=200 ip=158.58.176.2 out=530
> >> ...
> >>
> >> # more /etc/pmacct/nfacctd.conf
> >>
> >> ...
> >> pre_tag_filter[in_hour]: 100
> >> pre_tag_filter[out_hour]: 200
> >> ...
> >>
> >> ! sql outbound by hour
> >> sql_refresh_time[out_hour]: 300
> >> sql_history[out_hour]: 5m
> >> sql_history_roundoff[out_hour]: m
> >> sql_table[out_hour]: netflow_out_hour_%Y%m%d_%H
> >> sql_table_schema[out_hour]: /etc/pmacct/netflow_out_hour.schema
> >>
> >> ! sql inbound by hour
> >> sql_refresh_time[in_hour]: 300
> >> sql_history[in_hour]: 5m
> >> sql_history_roundoff[in_hour]: m
> >> sql_table[in_hour]: netflow_in_hour_%Y%m%d_%H
> >> sql_table_schema[in_hour]: /etc/pmacct/netflow_in_hour.schema
> >>
> >>
> >> It's working well, but I wonder if there exists another, more clear/simpler
> >> method? Because I have to maintain the pretag.map.
> >> Or perhaps I could mix In and Out flux in the sql table (but make the
> >> table much bigger).
> >>
> >> Side question about pretag filter: the "tag" field in sql is always at
> >> '0'? This is not blocking but I wonder why?
> >>
> >> Another question about BGP src_as and dst_as fields:
> >> Depending on the direction the src_as or the dst_as are correctly
> >> filled, but not the other which is always '0'? I would assume that it
> >> will be my AS number? Should I have to deal with network filter?
> >>
> >>
> >> I have many other questions, but for now I think that is sufficient :)
> >>
> >> best,
> >>
> >>
> >> --
> >> Raphael Mazelier
> >> AS39605
> >>
> >> _______________________________________________
> >> pmacct-discussion mailing list
> >> http://www.pmacct.net/#mailinglists

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
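
Added example (not part of the original thread, and not pmacct code): one way to check whether an exporter's NetFlow v9 templates carry the direction field at all, which is field type 61 (DIRECTION, 0 = ingress, 1 = egress) in NetFlow v9 and IPFIX. The function names are hypothetical and the sample packet is constructed inline; against a real exporter you would pass the UDP payload of a captured export packet instead.

```python
import struct

DIRECTION = 61  # NetFlow v9 DIRECTION / IPFIX flowDirection: 0 = ingress, 1 = egress

def v9_templates(packet: bytes) -> dict:
    """Map template_id -> [(field_type, field_length), ...] for one v9 export packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version field = {version})")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length runs past the packet")
        if fs_id == 0:  # FlowSet ID 0 = template flowset
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if tid < 256 or pos + 4 * nfields > end:
                    break  # padding or truncated record
                templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        off += fs_len
    return templates

def templates_without_direction(packet: bytes) -> list:
    """Template IDs whose records cannot carry a direction value."""
    return sorted(tid for tid, fields in v9_templates(packet).items()
                  if all(ftype != DIRECTION for ftype, _ in fields))

def build_sample() -> bytes:
    """Constructed packet: template 256 lacks DIRECTION, template 257 has it."""
    def tmpl(tid, fields):
        return struct.pack("!HH", tid, len(fields)) + b"".join(
            struct.pack("!HH", t, n) for t, n in fields)
    # IN_BYTES, IPV4_SRC_ADDR, IPV4_DST_ADDR, INPUT_SNMP, OUTPUT_SNMP
    base = [(1, 4), (8, 4), (12, 4), (10, 2), (14, 2)]
    body = tmpl(256, base) + tmpl(257, base + [(DIRECTION, 1)])
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0)
    return header + struct.pack("!HH", 0, 4 + len(body)) + body

if __name__ == "__main__":
    print("templates without DIRECTION:", templates_without_direction(build_sample()))
```

A template that shows up in this list describes flow records with no direction value, so pre_tag_map rules written with direction= have nothing in those records to compare against.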
