Re: [pmacct-discussion] Classification error in pre-tag-mapping with filter

2014-01-14 Thread Martin Topholm
On Mon, 13 Jan 2014, Paolo Lucente wrote:
> libpcap is leveraged for filtering purposes ('filter'
> keyword in pre_tag_map and 'aggregate_filter') and this is a known
> limitation (perhaps the most annoying) of libpcap-based filters.

That makes sense. Thank you for your assistance.

-- 
Kind regards,
Martin Topholm


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Classification error in pre-tag-mapping with filter

2014-01-13 Thread Martin Topholm
On Fri, 10 Jan 2014, Paolo Lucente wrote:
> To clarify: no traffic at all, both originated from and delivered
> to your address blocks listed, gets tagged with 612/613/712/713.
> Correct? Or some is and some is not?

Most is classified correctly, but about 7% doesn't match our filter.

tag  packets       bytes
---  -------  ----------
612   719349   479823644
613   819891   343327581
712  1782905  1944587590
713  1181386  1350451186
901   760620   297936088
902   154509    55994369

Aggregating on tag, src_host and dst_host shows they should fit the
filters.

901  94.18.227.134  198.51.100.92  29  1963

> Any chance the traffic is VLAN-tagged and/or MPLS-labelled and
> VLAN tag and/or MPLS labels are exposed to pmacct via IPFIX? In
> such a case you should reflect this in the filter, ie. 'vlan
> and ...', 'mpls and ...' or 'vlan and mpls and ...'.

This appears to be the case. If all rules are duplicated with
vlan or (...) everything seems to work, only expected non-classified
traffic remains with tag 901 and 902.

How come the vlan expression is needed?

-- 
Kind regards,
Martin Topholm



Re: [pmacct-discussion] Classification error in pre-tag-mapping with filter

2014-01-13 Thread Paolo Lucente
Hi Martin,

On Mon, Jan 13, 2014 at 02:45:25PM +0100, Martin Topholm wrote:

> On Fri, 10 Jan 2014, Paolo Lucente wrote:
>
> [ .. ]
>
> > Any chance the traffic is VLAN-tagged and/or MPLS-labelled and
> > VLAN tag and/or MPLS labels are exposed to pmacct via IPFIX? In
> > such a case you should reflect this in the filter, ie. 'vlan
> > and ...', 'mpls and ...' or 'vlan and mpls and ...'.
>
> This appears to be the case. If all rules are duplicated with
> vlan or (...) everything seems to work, only expected non-classified
> traffic remains with tag 901 and 902.
>
> How come the vlan expression is needed?

Great to know. libpcap is leveraged for filtering purposes ('filter'
keyword in pre_tag_map and 'aggregate_filter') and this is a known
limitation (perhaps the most annoying) of libpcap-based filters. I have
been thinking for some time that it would be good to find viable (i.e.
also more efficient) alternatives to that.

Cheers,
Paolo
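
Added example, not part of the thread and not pmacct or libpcap code: a simplified Python model of the fixed-offset checks a libpcap filter performs, showing why an 802.1Q-tagged packet misses 'dst net ...' unless 'vlan' is in the expression. The frame builder, VLAN id 100 and first-match rule order are assumptions; the networks and the sample flow are the ones posted in the thread.

```python
import ipaddress
import struct

ETH_IPV4, ETH_8021Q = 0x0800, 0x8100
NETS = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24"]

def frame(src, dst, vlan_id=None):
    """Constructed Ethernet + IPv4 header, optionally 802.1Q-tagged."""
    eth = bytes(12)                       # zeroed MAC addresses
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id)
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return eth + ip

def match_net(pkt, direction, vlan=False):
    """Model of "[vlan and] (<direction> net A or <direction> net B ...)"."""
    off = 12                              # ethertype offset, untagged frame
    if vlan:
        if struct.unpack_from("!H", pkt, off)[0] != ETH_8021Q:
            return False
        off += 4                          # 'vlan' shifts all later offsets past the tag
    if struct.unpack_from("!H", pkt, off)[0] != ETH_IPV4:
        return False                      # a tagged frame fails here without 'vlan'
    addr_off = off + 2 + (12 if direction == "src" else 16)
    addr = ipaddress.ip_address(pkt[addr_off:addr_off + 4])
    return any(addr in ipaddress.ip_network(n) for n in NETS)

def classify(pkt, vlan_rules=False):
    """Rules tried in order, first match wins (assumed), 901 as fallback."""
    rules = [(612, "dst", False), (712, "src", False)]
    if vlan_rules:                        # the duplicated rules with 'vlan'
        rules += [(612, "dst", True), (712, "src", True)]
    for tag, direction, vlan in rules:
        if match_net(pkt, direction, vlan):
            return tag
    return 901

if __name__ == "__main__":
    flow = ("94.18.227.134", "198.51.100.92")   # the 901 row quoted in the thread
    print(classify(frame(*flow)))                            # untagged
    print(classify(frame(*flow, vlan_id=100)))               # tagged, plain rules
    print(classify(frame(*flow, vlan_id=100), True))         # tagged, vlan rules
```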




[pmacct-discussion] Classification error in pre-tag-mapping with filter

2014-01-10 Thread Martin Topholm
We're trying to use nfacctd version 1.5.0rc2 to classify groups of
traffic based on ip ranges within our network. We have Juniper routers
configured with inline jflow. During a consistency test we discovered
some traffic was missing.

In the example below we list all our networks in a filter. We tag 612
or 613 for inbound traffic, and tag 712 or 713 for outbound traffic. We
see that traffic within our address block gets tagged with 901 or 902.

This traffic either originates from or is destined to the listed blocks.
Is there any reason why the filter shouldn't match this traffic?

We also use nfacctd for replication in transparent mode in front of
this instance.

Our nfacctd.conf:

nfacctd_port: 2102
nfacctd_ip: 0.0.0.0
nfacctd_time_new: true

plugin_buffer_size: 10240
plugin_pipe_size: 1024000
pre_tag_map: pretag.conf
plugins: print[dummy]
pre_tag_filter[dummy]: 900-1000
print_refresh_time[dummy]: 10
aggregate[dummy]: tag,in_iface,out_iface,src_host,dst_host,src_as,dst_as

Our pretag.conf:

set_tag=612 ip=192.0.2.12 filter='dst net 198.51.100.0/24 or dst net 203.0.113.0/24 or dst net 192.0.2.0/24'
set_tag=712 ip=192.0.2.12 filter='src net 198.51.100.0/24 or src net 203.0.113.0/24 or src net 192.0.2.0/24'
set_tag=613 ip=192.0.2.13 filter='dst net 198.51.100.0/24 or dst net 203.0.113.0/24 or dst net 192.0.2.0/24'
set_tag=713 ip=192.0.2.13 filter='src net 198.51.100.0/24 or src net 203.0.113.0/24 or src net 192.0.2.0/24'
set_tag=901 ip=192.0.2.12
set_tag=902 ip=192.0.2.13
set_tag=999 ip=0.0.0.0/0

-- 
Kind regards,
Martin Topholm

