Hi Paolo, thank you very much for your reply. You were right that it only works with the 'vlan' keyword. It is now working exactly as expected in both directions. I actually read this thread before https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01762.html with the same problem but couldnt get it to work until now - probably due an issue on my side.
I will now keep playing around to tailor a setup for my production environment. Regards, Martin -----Ursprüngliche Nachricht----- Von: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net] Im Auftrag von Paolo Lucente Gesendet: Freitag, 2. Dezember 2016 23:02 An: pmacct-discussion@pmacct.net Betreff: Re: [pmacct-discussion] aggregate_filters not working for me Hi Martin, The traffic appears to be VLAN tagged. The aggregate_filter with 'vlan and src net 172.31.11.0/24' actually works for me and returns traffic. The other does not. I tested against your pcap trace with your config. If the problem at your end persists it could be due, dunno, to the version of the libpcap installed? Last resort, if SSH access to your, system is possible, let's follow up privately - i'd be happy to help you out. Cheers, Paolo On Thu, Dec 01, 2016 at 12:52:39PM +0000, Miethe, Martin wrote: > Helly everybody, > > we want to set up IP based accountig for a students network. All hosts (> > 5.000) have static IP adresses, so PMACCT seems to be the right software to > use! > To get started and understand sflow and pmacct I'm using a small lab > environment with one laptop connected to a HP switch. sflow is enabled at the > switch access port (laptop). > Now I'd like to have 2 mysql tables (in/out) aggregating the consumed > bandwith per IP on a hourly base. > > Here the pmacct config I am using so far: > =========== > daemonize: true > interface: ens160 > sfacctd_port: 6343 > sfacctd_ip: 172.31.10.84 > > aggregate[in]: dst_host > aggregate[out]: src_host > !aggregate_filter[in]: dst net 172.31.11.0/24 > !aggregate_filter[out]: vlan and src net 172.31.11.0/24 > > plugins: mysql[in], mysql[out] > sql_history: 1h > sql_history_roundoff: h > sql_host: localhost > sql_db: pmacct > sql_table_version: 6 > sql_passwd: **** > sql_user: **** > sql_refresh_time: 60 > sql_table [in]: acct_v6_in > sql_table [out]: acct_v6_out > > sfacctd_renormalize: true > logfile: /home/administrator/sfacctd.log =========== > > I made 2 screenshots of the 2 mysql tables (in/out) with samples from the > above config and to be able to go more in depth I attached a packet capture > as well. > https://wetransfer.com/downloads/454b0e7e32f2727d12c538269999a65220161 > 201124352/2aa52ff9135a80cbb42a5d9684e359b720161201124352/17e3a7 > > Now I actually want pmacct to only aggregate packets from and to my > laptop (172.31.11.46). I thought aggregate_filter would be the right way to > go, but when I remove the comments, pmacct will not write any samples to the > database. It seems like everything gets filtered when going with the filters. > Am I missing something? > > Thanks a lot in advance! > Martin > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
