Hi Paolo,

I tried to use the pre tag map, but pmacct returns some errors. In the
first attempt, using the following pretag.map content:

id=1 filter='dst net 192.168.0.0/16'
id=2 filter='src net 192.168.0.0/16'

pmacct returns:

Aug 27 18:30:24 INFO ( default/core ): Trying to (re)load map: /etc/pmacct/pretag.map
Aug 27 18:30:24 ERROR ( /etc/pmacct/pretag.map ): required key missing at line: 1. Required keys are: 'id', 'ip'.
Aug 27 18:30:24 ERROR ( /etc/pmacct/pretag.map ): required key missing at line: 2. Required keys are: 'id', 'ip'.
Aug 27 18:30:24 INFO ( default/core ): map '/etc/pmacct/pretag.map' successfully (re)loaded.

So, I changed the pretag.map as follows, but nothing happens. The tag
column is always set as '0':

id=1 ip=192.168.10.1 in=1
id=2 ip=192.168.10.1 in=2


I am using NetFlow (v5), and below is my pmacct.conf:

interface: eth0
daemonize: true
aggregate[inbound]: src_host, dst_host, src_port, dst_port, class, src_mac, dst_mac, tcpflags, proto, tos, flows, peer_src_ip, in_iface,tag
aggregate[outbound]: src_host, dst_host, src_port, dst_port, class, src_mac, dst_mac, tcpflags, proto, tos, flows, peer_src_ip, in_iface,tag
aggregate_filter[inbound]: dst net 192.168.0.0/16
aggregate_filter[outbound]: src net 192.168.0.0/16
plugins: mysql[inbound], mysql[outbound]
classifiers: /etc/pmacct/classifiers/
logfile: /var/log/pmacctd_in_out.log
nfacctd_port: 5678
sql_db[inbound]: pmacct_in_out
sql_db[outbound]: pmacct_in_out
sql_table[inbound]: acct_v8_in
sql_table[outbound]: acct_v8_in
sql_user: zzz
sql_passwd: xxx
sql_refresh_time: 300
sql_dont_try_update: true
nfacctd_time_new: true
sql_use_copy: true
sql_optimize_clauses: true
sql_history: 5m
sql_history_roundoff: h
pre_tag_map: /etc/pmacct/pretag.map


Do you know what I am doing wrong?

Thanks!



--
Kind regards
Leonardo Augusto Sápiras
[http://www.leonardosapiras.com.br]


2012/8/24 Paolo Lucente <[email protected]>

> Hi Leonardo,
>
> You can use pre-tagging (pre_tag_map) to do it. How simple or how tricky
> this is depends on the NetFlow version and exporter: 1) NetFlow v9 and IPFIX
> have a direction field (0 = ingress, 1 = egress): if you use either version
> and your NetFlow probe supports it then it's easy. Otherwise you have two
> further options, similar to each other, both less clean imho: 2) rely on a
> (router) MAC address known to be local or 3) rely on IP class(es) known to
> be local. Example for a pre_tag_map for 1) is as follows:
>
> id=0 direction=0
> id=1 direction=1
>
> Example for 3) is as follows - you can derive 2) from it:
>
> id=0 filter='dst net <localnet A> or dst net <localnet B> ..'
> id=1 filter='src net <localnet A> or src net <localnet B> ..'
>
> Then in the config file you define to use a pre_tag_file and add to the
> existing 'aggregate' directive the 'tag' keyword. Then in the database, if
> a tuple has 'tag' 0 it is inbound traffic, otherwise (i.e. if it's 1) it's
> outbound traffic:
>
> ...
> pre_tag_map: /path/to/pretag.map
> aggregate: tag, ..
> ...
>
> Cheers,
> Paolo
>
> On Thu, Aug 23, 2012 at 06:19:38PM -0300, Leonardo Sápiras wrote:
> >  Hi,
> >
> >  How can I classify inbound and outbound data using NetFlow and the same
> > table?
> >
> >  Cheers!
> >
> > --
> > Kind regards
> > Leonardo Augusto Sápiras
> > [http://www.leonardosapiras.com.br]
>
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists

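Added example, not part of the original thread and not pmacct code: the local-prefix approach (option 3 in the quoted reply) written out in Python, using the thread's tag values (0 = inbound, 1 = outbound) and its 192.168.0.0/16 prefix. The function names and the sample flows are assumptions constructed for illustration; the example also shows the two cases a single src/dst test cannot decide (both endpoints local, or neither).

```python
import ipaddress
from collections import Counter

# Tag values follow the quoted reply: 0 = inbound, 1 = outbound.
INBOUND, OUTBOUND = 0, 1
# Assumption: the local prefix is the 192.168.0.0/16 used in the thread.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]


def is_local(addr, nets=LOCAL_NETS):
    """True when addr falls inside one of the prefixes known to be local."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def direction_tag(src, dst, nets=LOCAL_NETS):
    """Return INBOUND, OUTBOUND, or None when the prefixes cannot decide."""
    src_local, dst_local = is_local(src, nets), is_local(dst, nets)
    if dst_local and not src_local:
        return INBOUND
    if src_local and not dst_local:
        return OUTBOUND
    # Both local (internal traffic) or neither (transit, or a spoofed source):
    # a single src/dst test would mislabel these, so keep them separate.
    return None


def bytes_per_direction(flows, nets=LOCAL_NETS):
    """Sum bytes per tag for (src, dst, bytes) tuples; undecided flows go under None."""
    totals = Counter()
    for src, dst, nbytes in flows:
        totals[direction_tag(src, dst, nets)] += nbytes
    return dict(totals)


# Constructed sample flows (src, dst, bytes); not taken from the thread.
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.168.10.20", 1500),   # internet -> local
    ("192.168.10.20", "203.0.113.7", 400),    # local -> internet
    ("192.168.10.20", "192.168.20.5", 900),   # local -> local
    ("198.51.100.1", "203.0.113.7", 60),      # neither side local
]

if __name__ == "__main__":
    print(bytes_per_direction(SAMPLE_FLOWS))
```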