Matej
it applies to the MAC address of the packets received by cento, not to the MAC of the NIC receiving them
Luca

> On 1 Dec 2017, at 10:55, Matěj Grégr <[email protected]> wrote:
>
> Hi Luca,
> it's mirrored traffic. Does --if-networks option apply only for
> traffic originated/received by the machine?
>
> M.
>
> On 12/01/2017 10:40 AM, Luca Deri wrote:
>> Matěj,
>> the problem of -b is that the rest of the CLI was not parsed.
>>
>> What type of traffic did you attach to fge1? Is traffic
>> originated/received by the machine or is traffic mirrored to it? Can you
>> please check this?
>>
>> Thanks Luca
>>
>> On 11/23/2017 09:42 PM, Matěj Grégr wrote:
>>> Hello Luca,
>>> hm, I don't see any difference. I tried to run cento from command line
>>> using the following command:
>>>
>>> cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1
>>> --syslog cento -D 0 --if-networks 68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>
>>> fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
>>> However, I still see input and output interface set to 1 and 2.
>>>
>>> Tried also with --if-networks @cento-networks
>>> # cat cento-networks
>>> 68:05:CA:34:89:C0@5
>>>
>>> But without success.
>>>
>>> M.
>>>
>>> On 21.11.2017 14:13, Luca Deri wrote:
>>>> Hi Matěj,
>>>>
>>>> please change
>>>>
>>>> D=0
>>>> --syslog=cento
>>>> -b *<=== REMOVE*
>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>
>>>>
>>>> (remove -b)
>>>>
>>>> and it will work
>>>>
>>>> Regards Luca
>>>>
>>>> On 11/20/2017 05:21 PM, Matěj Grégr wrote:
>>>>> Hello Luca,
>>>>> I tried to use the following cento.conf:
>>>>>
>>>>> # cat /etc/cento/cento.conf
>>>>> -p=/var/run/cento.pid
>>>>> -t=30
>>>>> -d=20
>>>>> -9=x.x.x.x:9998
>>>>> -i=fge1
>>>>> -i=fge2
>>>>> -g=0,1
>>>>> -G=2,3
>>>>> -D=0
>>>>> --syslog=cento
>>>>> -b
>>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>>
>>>>> M.
>>>>>
>>>>> On 20.11.2017 12:17, Luca Deri wrote:
>>>>>> Matej,
>>>>>> can you please share the flow command line you are using?
>>>>>>
>>>>>> Luca
>>>>>>
>>>>>>> On 18 Nov 2017, at 21:21, Matěj Grégr <[email protected]> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>> following an older thread:
>>>>>>>
>>>>>>> On 10.02.2017 14:54, Luca Deri wrote:
>>>>>>>> Hi Jesse
>>>>>>>> please see below
>>>>>>>>
>>>>>>>> On 02/10/2017 02:08 PM, Jesse Alexander wrote:
>>>>>>>>> First issue:
>>>>>>>>> We are using cento to send netflow to multiple collectors for
>>>>>>>>> analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We
>>>>>>>>> are sending as version 5 netflow, which has a field for the interface.
>>>>>>>>>
>>>>>>>>> Bytes 12-13, and 14-15 in the flow record
>>>>>>>>> 12-13 | input | SNMP index of input interface
>>>>>>>>> 14-15 | output | SNMP index of output interface
>>>>>>>>> All of the flow packets are coming through with either "1" or "2" for
>>>>>>>>> those values, which is causing problems with our Kentik service and
>>>>>>>>> an internal collector.
>>>>>>>>>
>>>>>>>>> It appears this has been brought up before, but there isn't a
>>>>>>>>> solution mentioned.
>>>>>>>>> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/
>>>>>>>>>
>>>>>>>>> How do we get cento to correctly report the interface ID?
>>>>>>>> In the current cento (devel) you can do
>>>>>>>> --iface-id <in>:<out> | Set input/output interfaceId
>>>>>>>> in exported flows
>>>>>>>> where
>>>>>>>> - interface indexes and (router) MAC/IP addresses
>>>>>>>> Flag --iface-id is used to specify the SNMP interface identifiers
>>>>>>>> for emitted flows.
>>>>>>>> However using --if-networks it is possible to specify an interface
>>>>>>>> identifier to which
>>>>>>>> a MAC address or IP network is bound. The syntax of --if-networks is:
>>>>>>>> <MAC|IP/mask>@<interfaceId> where multiple entries can be separated
>>>>>>>> by a comma (,).
>>>>>>>> Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
>>>>>>>> --if-networks @<filename> where <filename> is a file path containing
>>>>>>>> the networks
>>>>>>>> specified using the above format.
>>>>>>>>
>>>>>>> It doesn't work for me. I have the same issue as Jesse - all flows from
>>>>>>> cento are exported with if interface 1, out interface 2.
>>>>>>>
>>>>>>> I mirror traffic from router to the following two interfaces on cento
>>>>>>> box:
>>>>>>>
>>>>>>> 3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>> link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
>>>>>>> 5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>> link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
>>>>>>>
>>>>>>> I tried to set the interface indexes to 5 and 6 using:
>>>>>>> --if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
>>>>>>>
>>>>>>> However, I still see only 1 for incoming and 2 for outgoing index in
>>>>>>> flow data:
>>>>>>>
>>>>>>> Flow Record:
>>>>>>> Flags = 0x00 FLOW, Unsampled
>>>>>>> <snip>
>>>>>>> input = 1
>>>>>>> output = 2
>>>>>>>
>>>>>>> Running cento --version
>>>>>>> v.1.3.171116
>>>>>>>
>>>>>>> Any idea what I am doing wrong?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Matej
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Ntop mailing list
>>>>>>> [email protected]
>>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
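A way to check on the collector side whether an --if-networks mapping took effect, as an added example that is not part of the thread or of cento: it parses the `<MAC|IP/mask>@<interfaceId>` syntax quoted above and tallies the input/output indexes (record bytes 12-13 and 14-15) found in a NetFlow v5 datagram. The function names and the sample datagram builder are constructed for illustration, the 24-byte header and 48-byte record layout are standard NetFlow v5, and the `@<filename>` form is not handled.

```python
import ipaddress
import re
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

def parse_if_networks(spec):
    """Parse '<MAC|IP/mask>@<interfaceId>[,...]' into {key: interfaceId}."""
    mapping = {}
    for entry in spec.split(","):
        key, sep, ifid = entry.strip().rpartition("@")
        if not sep or not ifid.isdigit():
            raise ValueError(f"bad entry: {entry!r}")
        if MAC_RE.match(key):
            key = key.lower()  # MACs compare case-insensitively
        else:
            key = str(ipaddress.ip_network(key, strict=False))  # ValueError if malformed
        mapping[key] = int(ifid)
    return mapping

def interface_pairs(datagram):
    """Count (input, output) SNMP index pairs in one NetFlow v5 datagram."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version={version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram")
    pairs = Counter()
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        pairs[(rec[3], rec[4])] += 1  # record bytes 12-13 (input), 14-15 (output)
    return pairs

def unmapped_pairs(datagram, spec):
    """Return the pairs that use an index not configured in the spec."""
    wanted = set(parse_if_networks(spec).values())
    return {p: n for p, n in interface_pairs(datagram).items()
            if p[0] not in wanted or p[1] not in wanted}

def build_sample(pairs):
    """Constructed test datagram: one dummy TCP flow per (input, output) pair."""
    body = b"".join(
        V5_RECORD.pack(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", bytes(4), i, o,
                       1, 64, 0, 0, 1234, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for i, o in pairs)
    return V5_HEADER.pack(5, len(pairs), 0, 0, 0, 0, 0, 0, 0) + body
```

Feeding `unmapped_pairs` the UDP payloads received on the collector port together with the configured spec returns a non-empty result for as long as flows still carry indexes such as 1 and 2 instead of the configured ones.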
