Re: [pmacct-discussion] nDPI integration

2017-07-23 Thread Abi Askushi
Great! I will test this and get back at some point.

On Jul 23, 2017 22:29, "Paolo Lucente" wrote:

>
> Dearests,
>
> A first round of coding to integrate packet classification via nDPI in
> pmacct is now available on the GitHub code for all those souls that
> would like to contribute helping out testing this. I recall a few of you
> that have been waiting for this: please reach out to me if I don't reach out
> to you.
>
> In the QUICKSTART document, the section about packet classification has
> been updated:
>
> https://github.com/pmacct/pmacct/blob/master/QUICKSTART#L776
>
> Also in the chapter with misc tips for debugging and troubleshooting
> there is a new section about how to report issues around this specific
> feature (you can reach out to me directly or open issues on GitHub or
> contribute fixes back yourself doing a PR):
>
> https://github.com/pmacct/pmacct/blob/master/QUICKSTART#L2024
>
> Cheers,
> Paolo
>
>
> ___
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
>

Re: [pmacct-discussion] packet classification - nDPI

2017-05-13 Thread Abi Askushi
Hi Paolo,

This is great. I would be interested to test this.
Thanx


On May 12, 2017 03:06, "Paolo Lucente" wrote:

>
> Hi Stephen,
>
> I'm happy to say that there is ongoing work on this even though the
> code has not been merged yet into mainstream. If you are interested, I
> may notify you as soon as there is something to test.
>
> Paolo
>
> On Tue, May 09, 2017 at 02:18:58PM -0400, Stephen Clark wrote:
> > Hi,
> >
> > has anyone hooked nDPI into pmacctd for packet classification?
> >
> > Thanks,
> > Steve
> >
> > --
> >
> > "They that give up essential liberty to obtain temporary safety,
> > deserve neither liberty nor safety."  (Ben Franklin)
> >
> > "The course of history shows that as a government grows, liberty
> > decreases."  (Thomas Jefferson)

Re: [pmacct-discussion] pmacct max active plugins

2017-02-07 Thread Abi Askushi
Hi Paolo,

Thank you for the swift response.
I will recompile with the new limit and will check.

I hit the limit as I have a new device testing pmacct with more network
ports (8 NICs) and I need to do IP, port and protocol accounting for all
internal networks for traffic going to/from each WAN, including the
direction of traffic. Usually I will have 3 internal networks and 2 or 3
different WAN interfaces. Thus I have added several mysql plugins and
aggregation filters to split and analyse traffic for all these networks to
be able to have some aggregated reports for the interesting ports (I wanted
to avoid having reports for the random source ports and had to find a way
to show only the interesting ports).

Thanx,
Alex



On Mon, Feb 6, 2017 at 12:53 PM, Paolo Lucente <pa...@pmacct.net> wrote:

>
> Hi Alex,
>
> Yes, that is OK. See also the thread here:
>
> https://github.com/pmacct/pmacct/issues/63
>
> It would be great to know also your use-case for instantiating more than
> 32 plugins. Keep me posted if it works.
>
> Paolo
>
> On Mon, Feb 06, 2017 at 11:53:18AM +0200, Abi Askushi wrote:
> > Hi All,
> >
> > I was trying to start monitoring on several network ports and I received
> > the following:
> >
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29390
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29391
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29392
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29393
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29394
> > Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29395
> >
> > It seems that I hit a hard limit.
> >
> > Checking the code I see the following variable defined at:
> > /usr/src/pmacct/src/pmacct-defines.h
> > MAX_N_PLUGINS 32
> >
> > Is it ok to increase it?
> >
> > Thanx,
> > Alex

[pmacct-discussion] pmacct max active plugins

2017-02-06 Thread Abi Askushi
Hi All,

I was trying to start monitoring on several network ports and I received
the following:

Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29390
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29391
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29392
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29393
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29394
Jan 27 16:05:30 WARN ( default/core ): Abnormal exit status detected for child PID 29395

It seems that I hit a hard limit.

Checking the code I see the following variable defined at:
/usr/src/pmacct/src/pmacct-defines.h
MAX_N_PLUGINS 32

Is it ok to increase it?

Thanx,
Alex

Re: [pmacct-discussion] Pmacct - conntrack - netflow v9

2016-09-14 Thread Abi Askushi
Hi Paolo,

My comments inline.

Thanx,
Alex

On Tue, Sep 13, 2016 at 1:04 PM, Paolo Lucente <pa...@pmacct.net> wrote:

>
> Hi Alex,
>
> Inline:
>
> On Sun, Sep 11, 2016 at 11:45:44PM +0300, Abi Askushi wrote:
>
> > 1. Is there a pmacct plugin to get traffic flows from connection tracking
> > system, like ulogd2 with NFCT plugin?
>
> Not being familiar with this, can you elaborate what it does? An example
> would be much appreciated.
>

This is done using ulogd2 running with NFCT plugin. Then ulogd probes
events from connection tracking system (events can be filtered: destroy,
new, etc) and can print or store the flows in DB. The flows that can be
fetched are like the output of command "conntrack -L". The pro of this
approach is that you get the real source and destination when you have to
deal with NATed traffic.
A very nice example is at
https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/.
The negative side of this approach is how to handle long lasting sessions
that are not fetched (at least I didn't figure out how to do that) in case
the device is rebooted, resulting in lost accounting traffic.


> > 2. NFLOG + uacctd: is there any way to aggregate/filter collected packets
> > with uacctd as received from NFLOG, according to the fwmark value set with
> > MARK at iptables ? If no, is there any recommended alternate approach?
>
> No, as I suspect this MARK action does not really mark/stamp the packet
> itself but mangles with an external header. But knowing more precisely
> what this MARK does, we can certainly make it an item we can tag upon,
> or more. Again, I'm not a master of ULOG/NFLOG and hence I'd need (your)
> support.
>
As you said, the MARK is an association that is done from netfilter and it
does not affect packet header.
This means that I'm left with the option to alter packet header to be able
to tag it.
Can you recommend which packet header to alter to be able to tag?



>
> > 3. pmacctd Netflow v9 exports: when collecting flows with nfacctd generated
> > with pmacctd+nfprobe plugin, the interface index (in_iface, out_iface) was
> > showing always 0. Am I missing sth?
>
> Did you read the QUICKSTART document section "Quickstart guide to setup a
> NetFlow agent/probe"? Towards the end it starts speaking about interfaces,
> direction and tags. It essentially says: libpcap is detached from the OS
> and hence has no concept of interfaces and such; you need to issue a tag,
> ie. basing on source/destination MAC address, in order to populate the
> interface and/or direction fields of a generated NetFlow/IPFIX packet. Let
> me know if the case is you are already doing this and it's not working; if
> not (your config suggests you are not) here is a pointer to the doc:
>
> https://github.com/pmacct/pmacct/blob/master/QUICKSTART
>
Seems I've missed that. Thank you for pointing it out.


> ULOG/NFLOG is instead integrated in the Linux OS and hence would return you
> interfaces no problem.
>
Agree.


>
> Cheers,
> Paolo
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
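
As an added illustration of the point in the message above that conntrack entries give the real source and destination behind NAT (not part of the original thread, and not pmacct or ulogd2 code): each `conntrack -L` line carries an original-direction tuple and a reply-direction tuple, and comparing them exposes the translation. The sample lines are constructed, the function names are hypothetical, and port-less protocols such as ICMP are compared on addresses only.

```python
import re

# Constructed sample lines in the `conntrack -L` output format (not captured data).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.20 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=40000 mark=0 use=1
tcp      6 86400 ESTABLISHED src=198.51.100.9 dst=203.0.113.5 sport=60000 dport=8080 src=10.0.0.80 dst=198.51.100.9 sport=80 dport=60000 [ASSURED] mark=0 use=1
"""

TUPLE_KEY = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_entry(line):
    """Split one conntrack line into its original and reply tuples."""
    fields = line.split()
    orig, reply = {}, {}
    for key, value in TUPLE_KEY.findall(line):
        # Each key is printed twice: first for the original direction, then the reply.
        (reply if key in orig else orig)[key] = value
    if not all(k in d for d in (orig, reply) for k in ("src", "dst")):
        return None  # blank or unrecognised line
    return {"proto": fields[0], "orig": orig, "reply": reply}

def nat_kind(entry):
    """Without NAT the reply tuple is the exact mirror of the original tuple."""
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if r["dst"] != o["src"] or r.get("dport") != o.get("sport"):
        kinds.append("SNAT")  # replies go to a translated source address/port
    if r["src"] != o["dst"] or r.get("sport") != o.get("dport"):
        kinds.append("DNAT")  # replies come from a translated destination
    return "+".join(kinds) or "none"

def real_endpoints(entry):
    """Real initiator = original src; real responder = reply src."""
    o, r = entry["orig"], entry["reply"]
    return (o["src"], o.get("sport")), (r["src"], r.get("sport"))

def summarize(text):
    """Return (proto, nat kind, real initiator, real responder) per entry."""
    rows = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            rows.append((entry["proto"], nat_kind(entry), *real_endpoints(entry)))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```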