Re: [pmacct-discussion] nDPI integration
Great! I will test this and get back at some point.

On Jul 23, 2017 22:29, "Paolo Lucente" wrote:

> Dearests,
>
> A first round of coding to integrate packet classification via nDPI in
> pmacct is now available on the GitHub code for all those souls that
> would like to contribute helping out testing this. I recall a few of you
> that have been waiting this: please reach out to me if i don't reach out
> to you.
>
> In the QUICKSTART document, the section about packet classification has
> been updated:
>
> https://github.com/pmacct/pmacct/blob/master/QUICKSTART#L776
>
> Also in the chapter with misc tips for debugging and troubleshooting
> there is a new section about how to report issues around this specific
> feature (you can reach out to me directly or open issues on GitHub or
> contribute fixes back yourself doing a PR):
>
> https://github.com/pmacct/pmacct/blob/master/QUICKSTART#L2024
>
> Cheers,
> Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] packet classification - nDPI
Hi Paolo,

This is great. I would be interested to test this.

Thanx

On May 12, 2017 03:06, "Paolo Lucente" wrote:

> Hi Stephen,
>
> I'm happy to say that there is an ongoing work on this even though the
> code has not been merged yet into mainstream. If you are interested, i
> may notify you as soon as there is something to test.
>
> Paolo
>
> On Tue, May 09, 2017 at 02:18:58PM -0400, Stephen Clark wrote:
> > Hi,
> >
> > has anyone hooked nDPI into pmacctd for packet classification?
> >
> > Thanks,
> > Steve
> >
> > --
> >
> > "They that give up essential liberty to obtain temporary safety,
> > deserve neither liberty nor safety." (Ben Franklin)
> >
> > "The course of history shows that as a government grows, liberty
> > decreases." (Thomas Jefferson)

Re: [pmacct-discussion] pmacct max active plugins
Hi Paolo,

Thank you for the swift response. I will recompile with the new limit and will check.

I hit the limit as I have a new device testing pmacct with more network ports (8 NICs) and I need to do IP, port and protocol accounting for all internal networks for traffic going to/from each WAN, including the direction of traffic. Usually I will have 3 internal networks and 2 or 3 different WAN interfaces. Thus I have added several mysql plugins and aggregation filters to split and analyse traffic for all these networks to be able to have some aggregated reports for the interesting ports (I wanted to avoid having reports for the random source ports and had to find a way to show only the interesting ports).

Thanx,
Alex

On Mon, Feb 6, 2017 at 12:53 PM, Paolo Lucente <pa...@pmacct.net> wrote:

> Hi Alex,
>
> Yes, that is OK. See also the thread here:
>
> https://github.com/pmacct/pmacct/issues/63
>
> It would be great to know also your use-case for instantiating more than
> 32 plugins. Keep me posted if it works.
>
> Paolo
>
> On Mon, Feb 06, 2017 at 11:53:18AM +0200, Abi Askushi wrote:
> > Hi All,
> >
> > I was trying to start monitoring on several network ports and I received
> > the following:
> >
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29390
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29391
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29392
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29393
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29394
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29395
> >
> > It seems that I hit a hard limit.
> >
> > Checking the code I see the following variable defined at:
> > /usr/src/pmacct/src/pmacct-defines.h
> > MAX_N_PLUGINS 32
> >
> > Is it ok to increase it?
> >
> > Thanx,
> > Alex

[pmacct-discussion] pmacct max active plugins
Hi All,

I was trying to start monitoring on several network ports and I received the following:

Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29390
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29391
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29392
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29393
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29394
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29395

It seems that I hit a hard limit.

Checking the code I see the following variable defined at:
/usr/src/pmacct/src/pmacct-defines.h
MAX_N_PLUGINS 32

Is it ok to increase it?

Thanx,
Alex

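A pre-flight check for the limit discussed in this thread, as an added example that is not part of the original messages and not pmacct code: it counts the plugin instances declared on the `plugins` directive of a configuration and compares the total with the MAX_N_PLUGINS value of 32 quoted above. The function names, the sample configuration and the treatment of `!` as a comment marker are assumptions of this example; whether a count of exactly 32 is accepted is not stated in the thread, so only a count above the limit is flagged.

```python
import re
from collections import Counter

MAX_N_PLUGINS = 32  # value the thread quotes from src/pmacct-defines.h

# One entry of the plugins directive: type, optionally followed by [name].
ENTRY_RE = re.compile(r"^\s*(\w+)\s*(?:\[\s*([^\]\s]+)\s*\])?\s*$")


def parse_plugins(config_text):
    """Return (type, name) for each instance listed on a 'plugins' line."""
    instances = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):  # assumed: '!' marks a comment
            continue
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() != "plugins":
            continue
        for entry in value.split(","):
            if not entry.strip():
                continue
            m = ENTRY_RE.match(entry)
            if m is None:
                raise ValueError(f"unparseable plugin entry: {entry!r}")
            instances.append((m.group(1), m.group(2) or "default"))
    return instances


def check_plugin_limit(config_text, limit=MAX_N_PLUGINS):
    """Summarise declared instances and flag a count above the limit."""
    instances = parse_plugins(config_text)
    return {
        "count": len(instances),
        "limit": limit,
        "over_limit": len(instances) > limit,
        "by_type": dict(Counter(t for t, _ in instances)),
    }


def sample_config():
    """Constructed input: 3 LANs x 3 WANs x 2 directions x 2 views."""
    names = [f"lan{l}_wan{w}_{d}_{v}" for l in (1, 2, 3) for w in (1, 2, 3)
             for d in ("in", "out") for v in ("all", "ports")]
    return ("! constructed sample, not a config from the thread\n"
            "daemonize: true\n"
            "plugins: " + ", ".join(f"mysql[{n}]" for n in names) + "\n")


if __name__ == "__main__":
    print(check_plugin_limit(sample_config()))
```

Running the check before a daemon restart makes a plugin count above the compiled-in limit visible up front, rather than leaving it to be inferred from child-exit warnings in the log.
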
Re: [pmacct-discussion] Pmacct - conntrack - netflow v9
Hi Paolo,

My comments inline.

Thanx,
Alex

On Tue, Sep 13, 2016 at 1:04 PM, Paolo Lucente <pa...@pmacct.net> wrote:

> Hi Alex,
>
> Inline:
>
> On Sun, Sep 11, 2016 at 11:45:44PM +0300, Abi Askushi wrote:
>
> > 1. Is there a pmacct plugin to get traffic flows from connection tracking
> > system, like ulogd2 with NFCT plugin?
>
> Not being familiar with this, can you elaborate what it does? An example
> would be much appreciated.

This is done using ulogd2 running with NFCT plugin. Then ulogd probes events from connection tracking system (events can be filtered: destroy, new, etc) and can print or store the flows in DB. The flows that can be fetched are like the output of command "conntrack -L". The pro of this approach is that you get the real source and destination when you have to deal with NATed traffic. A very nice example is at https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/. The negative side of this approach is how to handle long lasting sessions that are not fetched (at least I didn't figure out how to do that) in case the device is rebooted, resulting in lost accounting traffic.

> > 2. NFLOG + uacctd: is there any way to aggregate/filter collected packets
> > with uacctd as received from NFLOG, according to the fwmark value set with
> > MARK at iptables ? If no, is there any recommended alternate approach?
>
> No, as i suspect this MARK action does not really mark/stamp the packet
> itself but mangles with an external header. But knowing more precisely
> what this MARK does, we can certainly make it an item we can tag upon,
> or more. Again, i'm not a master of ULOG/NFLOG and hence i'd need (your)
> support.

As you said, the MARK is an association that is done from netfilter and it does not affect packet header. This means that I'm left with the option to alter packet header to be able to tag it. Can you recommend which packet header to alter to be able to tag?

> > 3. pmacctd Netflow v9 exports: when collecting flows with nfacctd generated
> > with pmacctd+nfprobe plugin, the interface index (in_iface, out_iface) was
> > showing always 0. Am I missing sth?
>
> Did you read the QUICKSTART document section "Quickstart guide to setup a
> NetFlow agent/probe"? Towards the end it starts speaking about interfaces,
> direction and tags. It essentially says: libpcap is detached from the OS
> and hence has no concept of interfaces and such; you need to issue a tag,
> ie. basing on source/destination MAC address, in order to populate the
> interface and/or direction fields of a generated NetFlow/IPFIX packet. Let
> me know if the case is you are already doing this and it's not working; if
> not (your config suggests you are not) here is a pointer to the doc:
>
> https://github.com/pmacct/pmacct/blob/master/QUICKSTART

Seems I've missed that. Thank you for pointing out.

> ULOG/NFLOG is instead integrated in the Linux OS and hence would return you
> interfaces no problem.

Agree.

> Cheers,
> Paolo