Hi Markus, Not sure what you mean with that the server does NOT accept/process the packets due to it target to another MAC address.
I thought the pmacctd used the libpcap the same way that tcpdump does and analyses packets. But with tcpdump I have to use -vvv the all of the packet. This is what I get when i'm writing to plain text-file. SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TOS,PACKETS,FLOWS,BYTES 192.168.1.1,172.16.0.100,52043,2055,udp,0,10,1,2416 192.168.1.1 = router 172.16.0.100 = Netflow-server (not same server where I'm running pmacct on) My server with pmacct has an interface (eth2) without any ip configurations connected to the same switch as the netflow-server. The server recieves all udp/2055 packets from the switch (SPAN) Iptables are disabled on the server. /Mattias On Fri, Aug 19, 2016 at 1:00 PM Markus Weber <f...@uucp.de> wrote: > Hi Matthias, > > could it be that your hosts does NOT accept/process the packets as those > are targeted to another MAC address? If you run wireshark/tcpdump the > interface to put into promiscuous mode to get them ... > > If all have the same dst mac just change your interface facing the SPAN > port to it. > > > Other than that: any host "firewall" rules active? > > > Markus > > > On 19.08.2016 11:21, Jentsch, Mario wrote: > > Hi Mattias, > > > > do you have a drawing of your setup? I have to admit that it is unclear to > me… > > > > Thanks, > > Mario > > > > *From:* pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net > <pmacct-discussion-boun...@pmacct.net>] *On Behalf Of *Mattias Larsson > *Sent:* Thursday, August 18, 2016 1:36 PM > *To:* pmacct-discussion@pmacct.net > *Subject:* [pmacct-discussion] Only packets from router to netflow server > > > > > > I use a SPAN port on my switch to capture all netflow (udp 2055) packets > and send it to a interface where my pmacct server has one extra interface > connected to. > > > > But when I look on the traffic/packets that pmacctd genereates it seems > only be the IP packets between my router and netflow server. It seems it > not decodes the cisco netflow payload/data. > > > > When I do a tcpdump on the interface and look at it with wireshark I can > see see the flows. > > > > Any suggestion what I'm doing wrong? > > > > Thanks in advance! > > > Mattias > > > _______________________________________________ > pmacct-discussion mailing listhttp://www.pmacct.net/#mailinglists > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
