Re: [pmacct-discussion] pmacct with nfprobe_direction / nfprobe_ifindex and pretag.map

2024-01-16 Thread Klaus Conrad
Hi Paolo,

thank you so much for your offer!

Following up to this via private email.

Thanks

Klaus

On 15.01.24 15:15, Paolo Lucente wrote:
> 
> Hi Klaus,
> 
> Having a description of your environment, I take back the suggestion to 
> look for uacctd. Since traffic is mirrored to an interface, all you would 
> probably get from uacctd is the input interface populated with such 
> interface -- not what you want, I guess. The collector box is not 
> routing / switching packets around so pmacctd is still the prime choice.
> 
> This said: 1.7.6 is a pretty old release, if you could upgrade to 1.7.8 
> or give a try to master code on GitHub, we can see whether the first 
> issue (all is mapped to VLAN 10) goes away; alternatively you could send 
> me a brief pcap with a mix of the traffic and i can try to run pmacctd 
> against it with the excerpt of the pre_tag_map that you originally 
> posted. As a further alternative you could also experiment at your end, 
> if you wish: expose "tag, tag2" on the "aggregate", i.e. 
> "tag,tag2,src_host,dst_host,src_port,dst_port,proto,sampling_rate,vlan", 
> so as to visualize what is going on with the map.
> 
> Finally, let me say again that the case of populating both input and 
> output interfaces given a VLAN is not supported; given the direction 
> that you express, ie. ingress or egress, you will be currently able to 
> populate only input or output interface.
> 
> Paolo
> 
> 
> On 15/1/24 11:33, Klaus Conrad wrote:
>> Hello again,
>>
>> I think I managed to get the iptables part working by using nftables:
>>
>> $ cat /etc/nftables.conf
>> 
>> #!/usr/sbin/nft -f
>>
>> flush ruleset
>>
> >> table netdev test {
> >>   chain testchain {
> >>     type filter hook ingress device ens224 priority 0;
> >>     log group 5
> >>   }
> >> }
>> 
>> 
>>
>> At least I see traffic using:
>>
>> $ sudo tcpdump -i nflog:5
>>
>>
>> However, when I start uacctd as follows:
>>
>> $ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500
>>
>> It does not write a log file.
>>
>> Also, it sometimes fails to start up with one of the following error
>> messages:
>>
>> - ERROR ( default/core ): Failed to set threshold to 1
>> - ERROR ( default/core ): Failed to set receive buffer size to 131072
>>
>> When it manages to start up, it produces output like the following:
>>
>>> $ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500
>>> DEBUG: [cmdline] plugin name/type: 'default'/'core'.
>>> DEBUG: [cmdline] plugin name/type: 'default_print'/'print'.
>>> DEBUG: [cmdline] print_output_file:/tmp/test.log
>>> DEBUG: [cmdline] print_markers:true
>>> DEBUG: [cmdline] print_output:json
>>> DEBUG: [cmdline] uacctd_group:5
>>> DEBUG: [cmdline] debug:true
>>> DEBUG: [cmdline] snaplen:1500
>>> INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd 
>>> (RELEASE)
>>> INFO ( default/core ):  '--build=x86_64-linux-gnu' '--prefix=/usr' 
>>> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
>>> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
>>> '--disable-option-checking' '--disable-silent-rules' 
>>> '--libdir=${prefix}/lib/x86_64-linux-gnu' 
>>> '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' 
>>> '--disable-dependency-tracking' 
>>> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2' 
>>> '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql' 
>>> '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka' 
>>> '--enable-geoipv2' '--enable-jansson' '--enable-64bit' '--enable-threads' 
>>> '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' 
>>> '--enable-st-bins' '--enable-nflog' 'build_alias=x86_64-linux-gnu' 
>>> 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time 
>>> -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
>>> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=. 
>>> -fstack-protector-strong -Wformat -Werror=format-security'
>>> INFO ( default/core ): Reading configuration from cmdline.
>>> WARN ( default_print/print ): defaulting to SRC HOST aggregation.
>>> INFO ( default_print/print ): plugin_pipe_size=4096000 bytes 
>>> plugin_buffer_size=344 bytes
>>> INFO ( default_print/print ): ctrl channel: obtained=212992 bytes 
>>> target=95248 bytes
>>> INFO ( default_print/print ): cache entries=16411 base cache 
>>> memory=66431728 bytes
>>> INFO ( default/core ): Successfully connected Netlink NFLOG socket
>>> INFO ( default_print/print ): JSON: setting object handlers.
>>> ^CINFO ( default_print/print ): *** Purging cache - START (PID: 2811834) ***
>>> INFO ( default_print/print ): *** Purging cache - END (PID: 2811834, QN: 
>>> 0/0, ET: X) ***
>>> WARN ( default_print/print ): Failed during write: Connection refused
>>> INFO ( default/core ): OK, Exiting ...
>>
>>
> >> In strace, I can see that uacctd receives data. Using the nfprobe plugin
> >> also does not result in uacctd sending Netflow data.
>>
>>
>> Thanks again.
>>
>> 

Re: [pmacct-discussion] pmacct with nfprobe_direction / nfprobe_ifindex and pretag.map

2024-01-15 Thread Klaus Conrad
Hello again,

I think I managed to get the iptables part working by using nftables:

$ cat /etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table netdev test {
  chain testchain {
    type filter hook ingress device ens224 priority 0;
    log group 5
  }
}



At least I see traffic using:

$ sudo tcpdump -i nflog:5


However, when I start uacctd as follows:

$ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500

It does not write a log file.

Also, it sometimes fails to start up with one of the following error
messages:

- ERROR ( default/core ): Failed to set threshold to 1
- ERROR ( default/core ): Failed to set receive buffer size to 131072

When it manages to start up, it produces output like the following:

> $ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500
> DEBUG: [cmdline] plugin name/type: 'default'/'core'.
> DEBUG: [cmdline] plugin name/type: 'default_print'/'print'.
> DEBUG: [cmdline] print_output_file:/tmp/test.log
> DEBUG: [cmdline] print_markers:true
> DEBUG: [cmdline] print_output:json
> DEBUG: [cmdline] uacctd_group:5
> DEBUG: [cmdline] debug:true
> DEBUG: [cmdline] snaplen:1500
> INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd 
> (RELEASE)
> INFO ( default/core ):  '--build=x86_64-linux-gnu' '--prefix=/usr' 
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' 
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
> '--disable-option-checking' '--disable-silent-rules' 
> '--libdir=${prefix}/lib/x86_64-linux-gnu' 
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode' 
> '--disable-dependency-tracking' 
> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2' '--enable-ipv6' 
> '--enable-plabel' '--enable-mysql' '--enable-pgsql' '--enable-sqlite3' 
> '--enable-rabbitmq' '--enable-zmq' '--enable-kafka' '--enable-geoipv2' 
> '--enable-jansson' '--enable-64bit' '--enable-threads' 
> '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' 
> '--enable-st-bins' '--enable-nflog' 'build_alias=x86_64-linux-gnu' 
> 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time 
> -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 
> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=. 
> -fstack-protector-strong -Wformat -Werror=format-security'
> INFO ( default/core ): Reading configuration from cmdline.
> WARN ( default_print/print ): defaulting to SRC HOST aggregation.
> INFO ( default_print/print ): plugin_pipe_size=4096000 bytes 
> plugin_buffer_size=344 bytes
> INFO ( default_print/print ): ctrl channel: obtained=212992 bytes 
> target=95248 bytes
> INFO ( default_print/print ): cache entries=16411 base cache memory=66431728 
> bytes
> INFO ( default/core ): Successfully connected Netlink NFLOG socket
> INFO ( default_print/print ): JSON: setting object handlers.
> ^CINFO ( default_print/print ): *** Purging cache - START (PID: 2811834) ***
> INFO ( default_print/print ): *** Purging cache - END (PID: 2811834, QN: 0/0, 
> ET: X) ***
> WARN ( default_print/print ): Failed during write: Connection refused
> INFO ( default/core ): OK, Exiting ...


In strace, I can see that uacctd receives data. Using the nfprobe plugin
also does not result in uacctd sending Netflow data.


Thanks again.

Klaus

On 15.01.24 09:49, Klaus Conrad wrote:
> Hi Paolo,
> 
> thanks a lot for taking the time to respond!
> 
> I'm using pmacctd 1.7.6:
> 
> -
> $ pmacctd -V
> Promiscuous Mode Accounting Daemon, pmacctd 1.7.6-git [RELEASE]
> 
> Arguments:
>  '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--disable-option-checking'
> '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu'
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2'
> '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql'
> '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka'
> '--enable-geoipv2' '--enable-jansson' '--enable-64bit'
> '--enable-threads' '--enable-traffic-bins' '--enable-bgp-bins'
> '--enable-bmp-bins' '--enable-st-bins' '--enable-nflog'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro'
> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=.
> -fstack-protector-strong -Wformat -Werror=format-security'
> 
> Libs:
> cdada 0.3.2
> libpcap version 1.10.0 (with TPACKET_V3)
> MariaDB 10.5.8
> PostgreSQL 130013
> sqlite3 3.34.1
> rabbimq-c 0.10.0
> rdkafka 1.6.0
> jansson 2.13.1
> MaxmindDB 1.5.2
> ZeroMQ 4.3.4
> netfilter_log
> 
> System:
> Linux 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
> 
> Compiler:
> gcc 10.2.1
> 
> For suggestions, critics, bugs, contact me: Paolo Lucente

Re: [pmacct-discussion] pmacct with nfprobe_direction / nfprobe_ifindex and pretag.map

2024-01-15 Thread Klaus Conrad
Hi Paolo,

thanks a lot for taking the time to respond!

I'm using pmacctd 1.7.6:

-
$ pmacctd -V
Promiscuous Mode Accounting Daemon, pmacctd 1.7.6-git [RELEASE]

Arguments:
 '--build=x86_64-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--disable-option-checking'
'--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu'
'--libexecdir=${prefix}/lib/x86_64-linux-gnu'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--with-pgsql-includes=/usr/include/postgresql' '--enable-l2'
'--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql'
'--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka'
'--enable-geoipv2' '--enable-jansson' '--enable-64bit'
'--enable-threads' '--enable-traffic-bins' '--enable-bgp-bins'
'--enable-bmp-bins' '--enable-st-bins' '--enable-nflog'
'build_alias=x86_64-linux-gnu' 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro'
'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=.
-fstack-protector-strong -Wformat -Werror=format-security'

Libs:
cdada 0.3.2
libpcap version 1.10.0 (with TPACKET_V3)
MariaDB 10.5.8
PostgreSQL 130013
sqlite3 3.34.1
rabbimq-c 0.10.0
rdkafka 1.6.0
jansson 2.13.1
MaxmindDB 1.5.2
ZeroMQ 4.3.4
netfilter_log

System:
Linux 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64

Compiler:
gcc 10.2.1

For suggestions, critics, bugs, contact me: Paolo Lucente.
-

It's a Debian 11 system, and I'm using the pmacct version that comes
with Debian 11.


To further describe our setup: we're mirroring all traffic from our
routers to a Linux VM (the pmacctd system) and I'd like to capture it
there and transform it into Netflow v9.

Unfortunately I do not quite understand the basics behind how InputInt
and OutputInt are supposed to be populated; basically we have the
following requirement:

InputInt and OutputInt should be populated as if the Netflow was
directly being created directly on our routers, so basically it should
be based on the VLAN tag or populated automatically (if that is possible).


I tried setting up uacctd but I'm currently struggling with capturing
the traffic with iptables; I did the following:

- sudo apt install iptables
- sudo iptables -i ens224 -t raw -I PREROUTING -j NFLOG --nflog-group 5

However, this does not seem to match any packets:

- sudo iptables -L -v -n -t raw
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 NFLOG      all  --  ens224 *       0.0.0.0/0            0.0.0.0/0            nflog-group 5
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination


I'm sorry, I realize that this is probably outside the scope of the
uacctd / pmacctd discussion but maybe someone can point me into the
right direction?

Thanks again

Klaus

On 14.01.24 16:47, Paolo Lucente wrote:
> 
> Hi Klaus,
> 
> Can you confirm what version of pmacct are you using? A 'pmacctd -V' 
> would do.
> 
> I would like essentially to confirm that, for the first issue you are 
> hitting, you are running either 1.7.8 or a recent code that includes 
> this patch from Dec 15th: 
> https://github.com/pmacct/pmacct/commit/547e24171b0da2775ad35aeb2997d586003cb674
>  
> .
> 
> For the second issue you mention, ie. setting both input and output 
> interface given a direction, let me confirm that the current mechanism 
> does not support that -- the use case has been so far using src/dst IP 
> address/prefix or src/dst MAC address to determine direction, and given 
> that, set input OR output interface but not both.
> 
> You could use ULOG / uacctd, which should already return you both 
> interfaces, just an idea if you are running Linux, it seems the system 
> you are monitoring is passing traffic through. Otherwise to use the 
> tagging mechanism, some dev would be required.
> 
> Paolo
> 
> 
> On 11/1/24 11:11, Klaus Conrad wrote:
>> Hello everybody,
>>
>> I'm currently struggling with properly setting up pmacct for the following
>> scenario:
>>
>> I need InputInt and OutputInt as well as Direction to be set in the
>> generated Netflow.
>>
>> By default, InputInt/OutputInt are set to 0.
>>
>> The traffic I'm capturing is VLAN tagged.
>>
>> Now I want to set InputInt and OutputInt and Direction depending on the
>> VLAN tag of the captured traffic.
>>
>> My pretag.map looks like this:
>>
>> set_tag=2 vlan=10 jeq=eval_ifindexes
>> set_tag=1 vlan=11 jeq=eval_ifindexes
>> set_tag=2 vlan=20 jeq=eval_ifindexes
>> set_tag=1 vlan=21 jeq=eval_ifindexes
>> ...
>> set_tag=999 filter='net 0.0.0.0/0'
>>
>>
>> set_tag2=62 vlan=10 label=eval_ifindexes
>> set_tag2=62 vlan=11
>> set_tag2=60 vlan=20
>> set_tag2=60 vlan=21
>> ...
>> set_tag2=52 

Re: [pmacct-discussion] pmacct with nfprobe_direction / nfprobe_ifindex and pretag.map

2024-01-14 Thread Paolo Lucente

Hi Klaus,

Can you confirm what version of pmacct are you using? A 'pmacctd -V' 
would do.


I would like essentially to confirm that, for the first issue you are 
hitting, you are running either 1.7.8 or a recent code that includes 
this patch from Dec 15th: 
https://github.com/pmacct/pmacct/commit/547e24171b0da2775ad35aeb2997d586003cb674 
.


For the second issue you mention, ie. setting both input and output 
interface given a direction, let me confirm that the current mechanism 
does not support that -- the use case has been so far using src/dst IP 
address/prefix or src/dst MAC address to determine direction, and given 
that, set input OR output interface but not both.


You could use ULOG / uacctd, which should already return you both 
interfaces, just an idea if you are running Linux, it seems the system 
you are monitoring is passing traffic through. Otherwise to use the 
tagging mechanism, some dev would be required.


Paolo


On 11/1/24 11:11, Klaus Conrad wrote:

Hello everybody,

I'm currently struggling with properly setting up pmacct for the following
scenario:

I need InputInt and OutputInt as well as Direction to be set in the
generated Netflow.

By default, InputInt/OutputInt are set to 0.

The traffic I'm capturing is VLAN tagged.

Now I want to set InputInt and OutputInt and Direction depending on the
VLAN tag of the captured traffic.

My pretag.map looks like this:

set_tag=2 vlan=10 jeq=eval_ifindexes
set_tag=1 vlan=11 jeq=eval_ifindexes
set_tag=2 vlan=20 jeq=eval_ifindexes
set_tag=1 vlan=21 jeq=eval_ifindexes
...
set_tag=999 filter='net 0.0.0.0/0'


set_tag2=62 vlan=10 label=eval_ifindexes
set_tag2=62 vlan=11
set_tag2=60 vlan=20
set_tag2=60 vlan=21
...
set_tag2=52 filter='net 0.0.0.0/0'



My pmacct.conf looks like this:

...
aggregate: src_host,dst_host,src_port,dst_port,proto,sampling_rate,vlan
nfprobe_ifindex_override[prod]: true
nfprobe_direction[prod]: tag
nfprobe_ifindex[prod]: tag2
pre_tag_map: /etc/pmacct/pretag.map


The problem I'm facing is as follows:

It appears that the first set_tag and set_tag2 rules always apply. So
all flows are tagged as "egress" and OutputInt is always set to 62,
regardless of the vlan tag of the captured traffic.


Also I do not understand how I could set both InputInt and OutputInt to
a non-zero value.

Thanks a lot in advance for any insight you can provide!

Klaus



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists