Hi Matej, Thanks a lot for your support.
Looking at the trace, your switch is sending VLAN ID using NetFlow v9/ IPFIX element #243. This was not supported natively. Now it is and code for it is in the CVS for you to check out. Log from the CVS for this: http://www.mail-archive.com/pmacct-commits@pmacct.net/msg01282.html I've tested it working, just let me know if it appears to work for you too or you run into any further issue. Cheers, Paolo On Wed, Dec 10, 2014 at 07:51:35PM +0100, Matej Vadnjal wrote: > Hello > > First of a big thanks to Paolo for a great tool. > > I do have a question though. > > I can't get pmacct to show VLAN IDs of layer 2 flexible netflow > records. I'm exporting from a Cisco 4500X switch. > > VLAN field in nfacctd is always 0, though it is set correctly in > exported flow packets. I'm not sure if I need to configure something > or if support for this field needs to be coded in pmacct? > > I have attached a sample PCAP that contains the Netflow template and > a flow record. > > > This is my IOS config for flow record: > > flow record MemberP2P > match datalink mac source address input > match datalink mac destination address input > match datalink ethertype > match datalink dot1q vlan input > match interface input > collect interface output > collect counter bytes long > collect counter packets > collect timestamp sys-uptime first > collect timestamp sys-uptime last > > > Here is a debug output from nfacctd collector: > > # pmacct-1.5.0/src/nfacctd -d -L a.b.c.d -l 1555 -P print -r 10 -c > src_mac,dst_mac,etype,vlan > DEBUG ( cmdline ): plugin name/type: 'default'/'core'. > DEBUG ( cmdline ): plugin name/type: 'default'/'print'. > DEBUG ( cmdline ): debug:true > DEBUG ( cmdline ): nfacctd_ip:a.b.c.d > DEBUG ( cmdline ): nfacctd_port:1555 > DEBUG ( cmdline ): sql_refresh_time:10 > DEBUG ( cmdline ): aggregate:src_mac,dst_mac,etype,vlan > INFO ( default/core ): Reading configuration from cmdline. > INFO ( default/print ): plugin_pipe_size=4096000 bytes > plugin_buffer_size=200 bytes > INFO ( default/print ): ctrl channel: obtained=212992 bytes > target=163840 bytes > INFO ( default/core ): waiting for NetFlow data on a.b.c.d:1555 > DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: > unknown template 256 [e.f.g.h:0]) > DEBUG ( default/core ): NfV9 agent : e.f.g.h:0 > DEBUG ( default/core ): NfV9 template type : flow > DEBUG ( default/core ): NfV9 template ID : 256 > DEBUG ( default/core ): > ----------------------------------------------------- > DEBUG ( default/core ): | pen | field type | offset | > size | > DEBUG ( default/core ): | 0 | input snmp | 0 | > 4 | > DEBUG ( default/core ): | 0 | 256 | 4 | > 2 | > DEBUG ( default/core ): | 0 | 243 | 6 | > 2 | > DEBUG ( default/core ): | 0 | in src mac | 8 | > 6 | > DEBUG ( default/core ): | 0 | in dst mac | 14 | > 6 | > DEBUG ( default/core ): | 0 | in packets | 20 | > 4 | > DEBUG ( default/core ): | 0 | first switched | 24 | > 4 | > DEBUG ( default/core ): | 0 | last switched | 28 | > 4 | > DEBUG ( default/core ): | 0 | output snmp | 32 | > 4 | > DEBUG ( default/core ): | 0 | in bytes | 36 | > 8 | > DEBUG ( default/core ): > ----------------------------------------------------- > DEBUG ( default/core ): Netflow V9/IPFIX record size : 44 > DEBUG ( default/core ): > INFO ( default/print ): *** Purging cache - START (PID: 19349) *** > SRC_MAC DST_MAC VLAN ETYPE PACKETS > BYTES > 00:1b:ed:ae:8d:00 d4:85:64:50:5c:60 0 806 1 94 > INFO ( default/print ): *** Purging cache - END (PID: 19349, QN: > 54/54, ET: 0) *** > > > Best regards > Matej Vadnjal > Arnes > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
