Re: [pmacct-discussion] nfprobe vs. print plugin with ESP flows

Mon, 15 Mar 2021 08:53:30 -0700 

Thanks for taking a look.  I have sent the attachments directly to you.

--Sean

On Sun, Mar 14, 2021 at 11:16 AM Paolo Lucente <pa...@pmacct.net> wrote:
>
>
> Hi Sean,
>
> It smells like a bug. May i ask you to send me a brief capture of some
> of these ESP packets by unicast email? It would allow me to reproduce
> the issue. You can do that with tcpdump, in case you are not familiar
> with it something a-la "tcpdump -i <interface> -s 0 -n -w <output file>
> esp" should do it; then press CTRL+C to exit and make sure the file has
> a positive size.
>
> Paolo
>
> On 12/03/2021 19:04, Sean wrote:
> > Hi all,
> >
> > I just joined the list, and just started tinkering at pmacct. The gist
> > of what I'm trying to do is generate netflow data on two linux servers
> > acting as routers with Free Range Routing (FRR) software.  The routers
> > are mostly passing IPSEC tunnels, I want to use the netflow data to
> > track bandwidth utilization for each tunnel.
> >
> > I notice when I use the print plugin on the router(s) that I can see
> > flows for ESP -
> > SRC_IP                   DST_IP                SRC_PORT  DST_PORT
> > PROTOCOL  TOS  PACKETS        BYTES
> > 192.168.192.100     192.168.0.100      0                    0
> >           esp                 0        44                   25696
> > 192.168.0.100         192.168.192.100  0                    0
> >           esp                 0        22                   12848
> >
> > For the running pmacct configuration, I use the nfprobe plugin and
> > send to a remote netflow receiver.  The trouble is that on the
> > receiver, I am only seeing flows for protoid 17, which is just UDP.
> > Would anyone here have an idea what I need to do to get nfprobe to
> > send the ESP flows to my receiver?
> >
> > My config -
> > daemonize: true
> > debug: true
> > syslog: daemon
> > aggregate: src_host, dst_host, src_port, dst_port, proto, tos
> > plugins: nfprobe
> > nfprobe_receiver: 192.168.192.10:9995
> > nfprobe_version: 10
> > nfprobe_source_ip: 192.168.192.2
> >
> >
> > --Sean
> >
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists
> >
>

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to