Hi Mario,

Well I'm using inline ipfix from Juniper.
Reading the juniper doc it seems that the ipv4-template does not include 'direction' field.

I will stay with my current solution, using interface in and out.

Regards,



On 24/06/2014 13:42, Jentsch, Mario wrote:
Hi Raphael,

looks like the field "direction" is not set in your netflow v? data.

Depending on your devices that export the netflow data another way may be to 
export ingress and egress to different collector instances.

I can't say anything to the sql_plugin setup...

Regards,
Mario

-----Original Message-----
From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net]
On Behalf Of Raphael Mazelier
Sent: Tuesday, 24 June 2014 13:01
To: pmacct-discussion@pmacct.net
Subject: Re: [pmacct-discussion] Splitting In and Out traffic, and others
questions

Hi Mario,

I tried a pretag.map like this:

set_tag=100 ip=0.0.0.0/0 direction=0
set_tag=200 ip=0.0.0.0/0 direction=1

Unfortunately that did not work as expected :/

All my flows are tagged 100 (in) and so injected in my in table.

It's strange because quoting Paolo from another thread

You can use pre-tagging (pre_tag_map) to do it. How simple or how tricky
this is depends on the NetFlow version and exporter: 1) NetFlow v9 and IPFIX
have a direction field (0 = ingress, 1 = egress)

This is exactly what I wanted.

To my other point, adding the tag field in the aggregate directive solved my
problem. This value is correctly reported to the "agent_id" sql column.

btw, I've read in the changelog that the "agent_id" column was renamed
to "tag" in the last version.

SQL plugins: agent_id, agent_id2 fields renamed to tag, tag2. Issued SQL
     table schema #9 for agent_id backward compatibility. Renaming agent_id2
     to tag2 is going to be disruptive to existing deployments instead.

So I am supposed to use v9 sql schema ? (I think tag is far more clear
than agent_id).

Thks.


On 24/06/2014 10:32, Jentsch, Mario wrote:
Hey Raphael,

we use the 1st tag to distinguish ingress and egress of IPv4 and IPv6:

! tag=1      - inbound IPv4 traffic
! tag=2      - outbound IPv4 traffic
! tag=3      - inbound IPv6 traffic
! tag=4      - outbound IPv6 traffic
!
set_tag=1 ip=0.0.0.0/0 direction=0 filter='ip'
set_tag=2 ip=0.0.0.0/0 direction=1 filter='ip'
set_tag=3 ip=0.0.0.0/0 direction=0 filter='ip6'
set_tag=4 ip=0.0.0.0/0 direction=1 filter='ip6'
set_tag=0 ip=0.0.0.0/0
!

This may also work for your setup...

Regards,
Mario

-----Original Message-----
From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net]
On Behalf Of Raphael Mazelier
Sent: Monday, 23 June 2014 14:31
To: pmacct-discussion@pmacct.net
Subject: [pmacct-discussion] Splitting In and Out traffic, and others
questions

Hi Paolo, All,

First I would thank you Paolo for this great piece of software !
Thanks to my predecessor (hi Pym) I already have a working pmacctd
installation which is doing accounting on my network :)

I have some questions though:

I have enabled inbound accounting in my network.
I want to distinguish in and out traffic.
For now I make something like this, using pre_tag filter :

# more /etc/pmacct/pretag.map
set_tag=100 ip=158.58.176.2 in=527
set_tag=100 ip=158.58.176.2 in=528
set_tag=100 ip=158.58.176.2 in=530
...

set_tag=200 ip=158.58.176.2 out=527
set_tag=200 ip=158.58.176.2 out=528
set_tag=200 ip=158.58.176.2 out=530
...

# more /etc/pmacct/nfacctd.conf

...
pre_tag_filter[in_hour]: 100
pre_tag_filter[out_hour]: 200
...

! sql outbound by hour
sql_refresh_time[out_hour]: 300
sql_history[out_hour]: 5m
sql_history_roundoff[out_hour]: m
sql_table[out_hour]: netflow_out_hour_%Y%m%d_%H
sql_table_schema[out_hour]: /etc/pmacct/netflow_out_hour.schema

! sql inbound by hour
sql_refresh_time[in_hour]: 300
sql_history[in_hour]: 5m
sql_history_roundoff[in_hour]: m
sql_table[in_hour]: netflow_in_hour_%Y%m%d_%H
sql_table_schema[in_hour]: /etc/pmacct/netflow_in_hour.schema


It's working well, but I wonder if there is another, clearer/simpler
method? Because I have to maintain the pretag.map.
Or perhaps I could mix In and Out flows in the sql table (but that would
make the table much bigger).

Side question about pretag filter ? the "tag" field in sql is always at
'0' ? This is not blocking but I wonder why ?

Another question about BGP src_as and dst_as fields :
Depending on the direction the src_as or the dst_as is correctly
filled, but not the other, which is always '0'? I would assume that it
will be my AS number? Should I have to deal with network filter?


I have many other questions, but for now I think that is sufficient :)

best,


--
Raphael Mazelier
AS39605

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
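
Added example, not part of the original thread and not pmacct or Juniper code: a small Python check that reads the Template Set of an IPFIX message (RFC 7011 layout) and reports whether the exporter's template carries flowDirection (IANA element 61), so you know whether a `direction=` key in the pre_tag_map can work or whether you must fall back to `in=`/`out=` interface matching (elements 10 and 14). The sample message and its field list are constructed for illustration and are not Juniper's actual template.

```python
import struct
# IANA IPFIX information element IDs used to tell ingress from egress.
FLOW_DIRECTION, INGRESS_IF, EGRESS_IF = 61, 10, 14

def template_fields(msg):
    """Map template ID -> list of IANA element IDs found in one IPFIX message."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length > len(msg):
        raise ValueError("not a complete IPFIX message")
    found, off = {}, 16                        # skip the 16-byte message header
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        while set_id == 2 and pos + 4 <= end:  # Set ID 2 = Template Set
            tid, count = struct.unpack_from("!HH", msg, pos)
            if tid < 256:                      # trailing padding, not a template
                break
            pos, ids = pos + 4, []
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("truncated field specifier")
                ie, _flen = struct.unpack_from("!HH", msg, pos)
                pos += 4
                if ie & 0x8000:                # enterprise-specific: skip 4-byte PEN
                    pos += 4
                else:
                    ids.append(ie)
            found[tid] = ids
        off += set_len
    return found

def split_method(ids):
    """Which pre_tag_map key can separate in from out for this template."""
    if FLOW_DIRECTION in ids:
        return "direction"
    if INGRESS_IF in ids and EGRESS_IF in ids:
        return "in/out interface"
    return "none"

def build(templates):
    # Constructed sample: one IPFIX message holding a single Template Set.
    body = b"".join(struct.pack("!HH", tid, len(f)) +
                    b"".join(struct.pack("!HH", *x) for x in f) for tid, f in templates)
    tset = struct.pack("!HH", 2, 4 + len(body)) + body
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 0) + tset

BASE = [(8, 4), (12, 4), (10, 4), (14, 4), (1, 8), (2, 8)]   # constructed field list
SAMPLE = build([(256, BASE), (257, BASE + [(61, 1)])])
```

Feed it the payload of a template packet captured from your exporter; a result of "in/out interface" matches the situation described in the first message of this thread.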
