Hello,
First off, a big thanks to Paolo for a great tool.
I do have a question though. I can't get pmacct to show VLAN IDs of layer 2 flexible netflow records. I'm exporting from a Cisco 4500X switch.
VLAN field in nfacctd is always 0, though it is set correctly in exported flow packets. I'm not sure if I need to configure something or if support for this field needs to be coded in pmacct?
I have attached a sample PCAP that contains the Netflow template and a flow record.
This is my IOS config for flow record:

flow record MemberP2P
 match datalink mac source address input
 match datalink mac destination address input
 match datalink ethertype
 match datalink dot1q vlan input
 match interface input
 collect interface output
 collect counter bytes long
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last

Here is a debug output from nfacctd collector:

# pmacct-1.5.0/src/nfacctd -d -L a.b.c.d -l 1555 -P print -r 10 -c src_mac,dst_mac,etype,vlan
DEBUG ( cmdline ): plugin name/type: 'default'/'core'.
DEBUG ( cmdline ): plugin name/type: 'default'/'print'.
DEBUG ( cmdline ): debug:true
DEBUG ( cmdline ): nfacctd_ip:a.b.c.d
DEBUG ( cmdline ): nfacctd_port:1555
DEBUG ( cmdline ): sql_refresh_time:10
DEBUG ( cmdline ): aggregate:src_mac,dst_mac,etype,vlan
INFO ( default/core ): Reading configuration from cmdline.
INFO ( default/print ): plugin_pipe_size=4096000 bytes plugin_buffer_size=200 bytes
INFO ( default/print ): ctrl channel: obtained=212992 bytes target=163840 bytes
INFO ( default/core ): waiting for NetFlow data on a.b.c.d:1555
DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown template 256 [e.f.g.h:0])
DEBUG ( default/core ): NfV9 agent : e.f.g.h:0
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 256
DEBUG ( default/core ): -----------------------------------------------------
DEBUG ( default/core ): | pen | field type     | offset | size |
DEBUG ( default/core ): | 0   | input snmp     | 0      | 4    |
DEBUG ( default/core ): | 0   | 256            | 4      | 2    |
DEBUG ( default/core ): | 0   | 243            | 6      | 2    |
DEBUG ( default/core ): | 0   | in src mac     | 8      | 6    |
DEBUG ( default/core ): | 0   | in dst mac     | 14     | 6    |
DEBUG ( default/core ): | 0   | in packets     | 20     | 4    |
DEBUG ( default/core ): | 0   | first switched | 24     | 4    |
DEBUG ( default/core ): | 0   | last switched  | 28     | 4    |
DEBUG ( default/core ): | 0   | output snmp    | 32     | 4    |
DEBUG ( default/core ): | 0   | in bytes       | 36     | 8    |
DEBUG ( default/core ): -----------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 44
DEBUG ( default/core ):
INFO ( default/print ): *** Purging cache - START (PID: 19349) ***
SRC_MAC            DST_MAC            VLAN   ETYPE  PACKETS  BYTES
00:1b:ed:ae:8d:00  d4:85:64:50:5c:60  0      806    1        94
INFO ( default/print ): *** Purging cache - END (PID: 19349, QN: 54/54, ET: 0) ***
Best regards
Matej Vadnjal
Arnes
netflow.l2.vlan2.pcap
Description: application/vnd.tcpdump.pcap
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
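Added illustration, not part of the original post and not pmacct code: a small Python decoder that reads one 44-byte data record using the template 256 layout from the debug table above, to show where the VLAN ID sits in the record. Field types 243 and 256 are named dot1qVlanId and ethernetType in the IANA IPFIX registry; the VLAN ID, interface indexes and timestamps in the sample record are constructed, and `decode_record` and `build_sample_record` are hypothetical names.

```python
import struct

# Template 256 layout, copied from the nfacctd debug table in the post:
# (field type as printed, offset, size). 243 and 256 are printed as bare
# numbers there; the IANA IPFIX registry names them as in IANA_NAMES.
TEMPLATE_256 = [
    ("input snmp", 0, 4),
    ("256", 4, 2),
    ("243", 6, 2),
    ("in src mac", 8, 6),
    ("in dst mac", 14, 6),
    ("in packets", 20, 4),
    ("first switched", 24, 4),
    ("last switched", 28, 4),
    ("output snmp", 32, 4),
    ("in bytes", 36, 8),
]
RECORD_SIZE = 44
IANA_NAMES = {"243": "dot1qVlanId", "256": "ethernetType"}
MAC_FIELDS = {"in src mac", "in dst mac"}


def decode_record(record: bytes) -> dict:
    """Decode one data record by walking the template offsets and sizes."""
    if len(record) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(record)}")
    out = {}
    for ftype, offset, size in TEMPLATE_256:
        raw = record[offset:offset + size]
        name = IANA_NAMES.get(ftype, ftype)
        if ftype in MAC_FIELDS:
            out[name] = ":".join(f"{b:02x}" for b in raw)
        else:
            out[name] = int.from_bytes(raw, "big")  # network byte order
    return out


def build_sample_record(vlan: int) -> bytes:
    """Constructed record: MACs, ethertype, packets, bytes as in the post."""
    return struct.pack(
        "!IHH6s6sIIIIQ",
        10,                             # input snmp (constructed)
        0x0806, vlan,                   # field 256, field 243
        bytes.fromhex("001bedae8d00"),  # in src mac
        bytes.fromhex("d48564505c60"),  # in dst mac
        1, 1000, 2000,                  # packets, first/last (constructed)
        11, 94,                         # output snmp (constructed), bytes
    )
```

Running `decode_record` over the record bytes taken from the attached capture, in place of the constructed sample, shows whether the exporter populated field 243 independently of what the collector prints.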