I notice with multiple interfaces that I get duplicate flows. If I recall correctly a cisco router does netflow only on input while it seems pcap captures both inbound & outbound packets. My work around to filter out the output flows was to use a pcap_filter such as:
! daemonize: true promisc: false pidfile: /var/run/pmacctd-eth0.pid imt_path: /tmp/pmacctd-eth0.pipe plugins: nfprobe, memory aggregate: src_host,dst_host,src_port,dst_port,proto,tos,flows,tag interface: eth0 syslog: daemon ! filter out packets with the mac address of eth0 pcap_filter: !ether src 00:0c:29:8c:53:7c nfprobe_receiver: 172.16.117.25:2100 nfprobe_version: 5 nfprobe_engine: 1:2 post_tag: 2 Is this the approach others are using with multiple interfaces or is there a better way? Thanks, stig _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
