Hi Stig, Very briefly to confirm: a) you are correct, libpcap captures both inbound and outbound traffic and b) the workaround you have put in place not only makes sense but is also by far the most efficient way to filter traffic out of pmacctd.
Cheers, Paolo On Tue, Aug 04, 2009 at 10:39:00AM -0700, Stig Thormodsrud wrote: > I notice with multiple interfaces that I get duplicate flows. If I recall > correctly a cisco router does netflow only on input while it seems pcap > captures both inbound & outbound packets. My work around to filter out > the output flows was to use a pcap_filter such as: > > ! > daemonize: true > promisc: false > pidfile: /var/run/pmacctd-eth0.pid > imt_path: /tmp/pmacctd-eth0.pipe > plugins: nfprobe, memory > aggregate: src_host,dst_host,src_port,dst_port,proto,tos,flows,tag > interface: eth0 > syslog: daemon > ! filter out packets with the mac address of eth0 > pcap_filter: !ether src 00:0c:29:8c:53:7c > nfprobe_receiver: 172.16.117.25:2100 > nfprobe_version: 5 > nfprobe_engine: 1:2 > post_tag: 2 > > > Is this the approach others are using with multiple interfaces or is there > a better way? > > Thanks, > > stig _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
