Hi Jim,
> I have been testing pmacct quite a bit and, using the primitives as you
> and the docs describe, I have been able to separate the in/out traffic and
> filter it. I can do this with the print plugin and the postgresql plugin.
>
> The netflow and sflow plugins work slightly differently from each other,
> but neither quite right.
>
> When I use my Cisco 7200 series router to generate netflow data and point
> it at my software (in this case, Netflow Analyzer from Manage Engine) the
> software accepts the stream, logs the data and and draws a single graph
> for each interface. The single graph has both the "in" traffic and the
> "out" traffic graphed all on a single graph.
I think you must set appropriate parameters on your routers as we do for
'nfprobe' plugin:
KEY: nfprobe_engine
DESC: allows to define Engine ID and Engine Type fields. It applies only to
NetFlow v5 and v9. In v9, the supplied value fills last two bytes of
SourceID
field. Expects two non-negative numbers, up to 255 each and separated by the
":" symbol.
!!! It also allows a collector to distinguish between distinct probe
instances running on the same box; this is also important for letting
NetFlow v9 templates to work correctly: in fact, template IDs get
automatically
selected only inside single daemon instances. (default: 0:0) !!!
> So here is my problem. Let's say I have eth0 on my PC based router.
> Setting up pmacct as you describe and using the netflow plugin does result
> in a netlow stream I can direct to my collector software. However, the
> same software now draws a graph with all the traffic from that interface
> as "in" and shows no traffic as "out." The in appears to be a combination
> of the in and out traffic.
Sorry, i don't understand about what software ("collector", "same") you
tell. Is this not 'pmacct'?
> The sflow plugin works slightly differently. Using sflow, the software
> will draw one graph for "in" and another graph for "out" treating the two
> as separate interfaces.
>
> If I try to monitor several interfaces, say eth0, eth1 and eth2, the
> netflow plugin seems to produce a flow that only reports a single
> interface, while the sflow plugin reports all three interfaces to the
> software. Still, I can't get in and out data on the same graph.
>
> It seems I am not the only person having this problem. There was a little
> discussion of it on the Netflow Analyzer forum:
>
> http://forums.adventnet.com/viewtopic.php?t=355981
>
>>From looking at the data, pmacct clearly knows what traffic is in and what
> is out. From the reading I have done it seems that the software that
> collects the data wants separate flows for each direction that refer to
> the same interface.
>
> So, is it possible to make pmacct generate separate flows for in and out
> for the same interface?
Yes, of course, i am using it so now. If you set 'memory' plugin and
start
'pmacctd' daemon in debug mode:
debug: true
daemonize: false
plugins: memory[in], memory[out]
you can see as it create different flows and collect data to them
separately
for in and out traffic (if you have relative settings).
Alex
------
Кредит на развитие бизнеса! Индивидуальным предпринимателям и юр. лицам.
Специальные предложения: 'Кредит на приобретение коммерческого автомобиля',
'Кредит руководителю'. Белросбанк, (017)287-66-97, http://www.belrosbank.by
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
