Re: [pmacct-discussion] Classification error in pre-tag-mapping with filter
On Mon, 13 Jan 2014, Paolo Lucente wrote:
libpcap is leveraged for filtering purposes ('filter'
keyword in pre_tag_map and 'aggregate_filter') and this is a known
limitation (perhaps the most annoying) of libpcap-based filters.
That makes sense. Thank you for your assistance.
--
Kind regards,
Martin Topholm
pgpnoSsoSl7hP.pgp
Description: PGP signature
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] Classification error in pre-tag-mapping with filter
On Fri, 10 Jan 2014, Paolo Lucente wrote: To clarify: no traffic at all, both originated from and delivered to your address blocks listed, gets tagged with 612/613/712/713. Correct? Or some is and some is not? Most is classified correctly, but about 7% doesn't match our filter. tag packets bytes --- --- -- 612 719349 479823644 613 819891 343327581 712 1782905 1944587590 713 1181386 1350451186 901 760620 297936088 902 15450955994369 When aggregated on tag, src_host and dst_host shows they should fit the filters filter. 901 94.18.227.134 198.51.100.92 29 1963 Any chance the traffic is VLAN-tagged and/or MPLS-labelled and VLAN tag and/or MPLS labels are exposed to pmacct via IPFIX? In such a case you should reflect this in the filter, ie. 'vlan and ...', 'mpls and ...' or 'vlan and mpls and ...'. This appears to be the case. If all rules are duplicated with vlan or (...) everyting seems to work, only expected non-classified traffic remains with tag 901 and 902. How come the vlan expression is needed? -- Kind regards, Martin Topholm pgp9j4TNHcz5I.pgp Description: PGP signature ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] Classification error in pre-tag-mapping with filter
Hi Martin,
On Mon, Jan 13, 2014 at 02:45:25PM +0100, Martin Topholm wrote:
On Fri, 10 Jan 2014, Paolo Lucente wrote:
[ .. ]
Any chance the traffic is VLAN-tagged and/or MPLS-labelled and
VLAN tag and/or MPLS labels are exposed to pmacct via IPFIX? In
such a case you should reflect this in the filter, ie. 'vlan
and ...', 'mpls and ...' or 'vlan and mpls and ...'.
This appears to be the case. If all rules are duplicated with
vlan or (...) everyting seems to work, only expected non-classified
traffic remains with tag 901 and 902.
How come the vlan expression is needed?
Great to know. libpcap is leveraged for filtering purposes ('filter'
keyword in pre_tag_map and 'aggregate_filter') and this is a known
limitation (perhaps the most annoying) of libpcap-based filters. It's
some time i'm thinking would be good to find viable (ie. also more
efficient) alternatives to that.
Cheers,
Paolo
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
