Hi Sean,

It smells like a bug. May I ask you to send me a brief capture of some of these ESP packets by unicast email? It would allow me to reproduce the issue. You can do that with tcpdump; in case you are not familiar with it, something a la "tcpdump -i <interface> -s 0 -n -w <output file> esp" should do it; then press CTRL+C to exit and make sure the file has a positive size.

Paolo

On 12/03/2021 19:04, Sean wrote:
Hi all,

I just joined the list, and just started tinkering with pmacct. The gist
of what I'm trying to do is generate netflow data on two Linux servers
acting as routers with Free Range Routing (FRR) software.  The routers
are mostly passing IPSEC tunnels, I want to use the netflow data to
track bandwidth utilization for each tunnel.

I notice when I use the print plugin on the router(s) that I can see
flows for ESP -
SRC_IP           DST_IP           SRC_PORT  DST_PORT  PROTOCOL  TOS  PACKETS  BYTES
192.168.192.100  192.168.0.100    0         0         esp       0    44       25696
192.168.0.100    192.168.192.100  0         0         esp       0    22       12848

For the running pmacct configuration, I use the nfprobe plugin and
send to a remote netflow receiver.  The trouble is that on the
receiver, I am only seeing flows for protoid 17, which is just UDP.
Would anyone here have an idea what I need to do to get nfprobe to
send the ESP flows to my receiver?

My config -
daemonize: true
debug: true
syslog: daemon
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe
nfprobe_receiver: 192.168.192.10:9995
nfprobe_version: 10
nfprobe_source_ip: 192.168.192.2


--Sean

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
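
To check on the receiver side which IP protocols actually arrive in the export, this added example (not part of the original thread and not pmacct code) tallies protocolIdentifier values across the data records of an IPFIX message, the format selected by nfprobe_version: 10 above. The sample message is constructed, the function names are assumptions, and only fixed-length templates are handled.

```python
import struct
from collections import Counter

PROTOCOL_IDENTIFIER = 4  # IANA IPFIX element ID for protocolIdentifier

def parse_templates(body, templates):
    """Store (offset of protocolIdentifier, record length) per template ID."""
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        offset, proto_at, fixed = 0, None, True
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos += 8 if ie & 0x8000 else 4  # enterprise fields add a 4-byte PEN
            if ie == PROTOCOL_IDENTIFIER:
                proto_at = offset
            fixed = fixed and flen != 0xFFFF  # variable-length fields not handled
            offset += flen
        if fixed and proto_at is not None and offset:
            templates[tid] = (proto_at, offset)

def tally_protocols(message, templates):
    """Count data records per IP protocol number in one IPFIX message."""
    version, length = struct.unpack_from("!HH", message, 0)
    if version != 10:
        raise ValueError("not an IPFIX (NetFlow v10) message")
    counts, pos, end = Counter(), 16, min(length, len(message))
    while pos + 4 <= end:
        set_id, set_len = struct.unpack_from("!HH", message, pos)
        if set_len < 4:
            break  # malformed set header, stop rather than loop forever
        body = message[pos + 4:min(pos + set_len, end)]
        if set_id == 2:  # template set
            parse_templates(body, templates)
        elif set_id in templates:  # data set with a known template
            proto_at, rec_len = templates[set_id]
            for off in range(0, len(body) - rec_len + 1, rec_len):
                counts[body[off + proto_at]] += 1
        pos += set_len
    return counts

def build_sample():  # constructed message: one template, flows ESP, ESP, UDP
    # Template 256, 5 fields: srcIPv4(8), dstIPv4(12), proto(4), octets(1), packets(2)
    tmpl = struct.pack("!12H", 256, 5, 8, 4, 12, 4, 4, 1, 1, 8, 2, 8)
    a, b = bytes([192, 168, 192, 100]), bytes([192, 168, 0, 100])
    rows = [(a, b, 50, 25696, 44), (b, a, 50, 12848, 22), (a, b, 17, 600, 4)]
    data = b"".join(s + d + struct.pack("!BQQ", p, o, n) for s, d, p, o, n in rows)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 0) + sets
```

Keep the same templates dict across messages from one exporter, since templates are usually sent less often than data records.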


