Paolo,

2012/8/29 Paolo Lucente <[email protected]>

> Hi Leonardo,
>
> Correct, that was a mistake in my example. If your NetFlow exporter is
> 192.168.10.1 then you can write it as, say:
>
> id=1 ip=192.168.10.1 filter='dst net 192.168.0.0/16'
> id=2 ip=192.168.10.1 filter='src net 192.168.0.0/16'
>
> But also your example which bases on ingress interface ifIndex should
> be good enough - and lighter than matching a filter. Quoting your email:
>
> > So, I changed the pretag.map as follows, but nothing happens. The tag
> > column is always set as '0':
> >
> > id=1 ip=192.168.10.1 in=1
> > id=2 ip=192.168.10.1 in=2
>
> Do you actually see tuples in the database correctly populated with
> in_iface values of 1 or 2 and tag value of 0?
>

Yes, I do. See below:

mysql> select distinct tag, iface_in, count(*) from acct_v8_in group by 1,2;
+-----+----------+----------+
| tag | iface_in | count(*) |
+-----+----------+----------+
|   0 |        1 |   142655 |
|   0 |        2 |       32 |
|   0 |        3 |       31 |
|   0 |        4 |       27 |
+-----+----------+----------+

And using the following pretag.map I also got the tag value of 0. Do you
know what is missing?

id=1 ip=192.168.10.1 filter='src net 192.168.0.0/16'
id=2 ip=192.168.10.1 filter='dst net 192.168.0.0/16'

Thanks

--
Regards
Leonardo Augusto Sápiras
[http://www.leonardosapiras.com.br]

> Cheers,
> Paolo
>
> On Tue, Aug 28, 2012 at 05:59:57PM -0300, Leonardo Sápiras wrote:
> > Hi Paolo,
> >
> > I tried to use the pre tag map, but pmacct returns some errors. In the
> > first attempt, using the following pretag.map content:
> >
> > id=1 filter='dst net 192.168.0.0/16'
> > id=2 filter='src net 192.168.0.0/16'
> >
> > the pmacct returns:
> >
> > Aug 27 18:30:24 INFO ( default/core ): Trying to (re)load map: /etc/pmacct/pretag.map
> > Aug 27 18:30:24 ERROR ( /etc/pmacct/pretag.map ): required key missing at line: 1. Required keys are: 'id', 'ip'.
> > Aug 27 18:30:24 ERROR ( /etc/pmacct/pretag.map ): required key missing at line: 2. Required keys are: 'id', 'ip'.
> > Aug 27 18:30:24 INFO ( default/core ): map '/etc/pmacct/pretag.map' successfully (re)loaded.
> >
> > So, I changed the pretag.map as follows, but nothing happens. The tag
> > column is always set as '0':
> >
> > id=1 ip=192.168.10.1 in=1
> > id=2 ip=192.168.10.1 in=2
> >
> >
> > I am using NetFlow (v5), and below is my pmacct.conf:
> >
> > interface: eth0
> > daemonize: true
> > aggregate[inbound]: src_host, dst_host, src_port, dst_port, class, src_mac, dst_mac, tcpflags, proto, tos, flows, peer_src_ip, in_iface,tag
> > aggregate[outbound]: src_host, dst_host, src_port, dst_port, class, src_mac, dst_mac, tcpflags, proto, tos, flows, peer_src_ip, in_iface,tag
> > aggregate_filter[inbound]: dst net 192.168.0.0/16
> > aggregate_filter[outbound]: src net 192.168.0.0/16
> > plugins: mysql[inbound], mysql[outbound]
> > classifiers: /etc/pmacct/classifiers/
> > logfile: /var/log/pmacctd_in_out.log
> > nfacctd_port: 5678
> > sql_db[inbound]: pmacct_in_out
> > sql_db[outbound]: pmacct_in_out
> > sql_table[inbound]: acct_v8_in
> > sql_table[outbound]: acct_v8_in
> > sql_user: zzz
> > sql_passwd: xxx
> > sql_refresh_time: 300
> > sql_dont_try_update: true
> > nfacctd_time_new: true
> > sql_use_copy: true
> > sql_optimize_clauses: true
> > sql_history: 5m
> > sql_history_roundoff: h
> > pre_tag_map: /etc/pmacct/pretag.map
> >
> >
> > Do you know what I am doing wrong?
> >
> > Thanks!
> >
> > --
> > Regards
> > Leonardo Augusto Sápiras
> > [http://www.leonardosapiras.com.br]
> >
> >
> > 2012/8/24 Paolo Lucente <[email protected]>
> >
> > > Hi Leonardo,
> > >
> > > You can use pre-tagging (pre_tag_map) to do it. How simple or how tricky
> > > this is depends on the NetFlow version and exporter: 1) NetFlow v9 and IPFIX
> > > have a direction field (0 = ingress, 1 = egress): if you use either version
> > > and your NetFlow probe supports it then it's easy. Otherwise you have two
> > > further options, similar to each other, both less clean imho: 2) rely on a
> > > (router) MAC address known to be local or 3) rely on IP class(es) known to
> > > be local. Example for a pre_tag_map for 1) is as follows:
> > >
> > > id=0 direction=0
> > > id=1 direction=1
> > >
> > > Example for 3) is as follows - you can derive 2) from it:
> > >
> > > id=0 filter='dst net <localnet A> or dst net <localnet B> ..'
> > > id=0 filter='src net <localnet A> or src net <localnet B> ..'
> > >
> > > Then in the config file you define to use a pre_tag_file and add to the
> > > existing 'aggregate' directive the 'tag' keyword. Then in the database if
> > > a tuple has 'tag' 0 is inbound traffic otherwise (ie. if it's 1) then it's
> > > outbound traffic:
> > >
> > > ...
> > > pre_tag_map: /path/to/pretag.map
> > > aggregate: tag, ..
> > > ...
> > >
> > > Cheers,
> > > Paolo
> > >
> > > On Thu, Aug 23, 2012 at 06:19:38PM -0300, Leonardo Sápiras wrote:
> > > > Hi,
> > > >
> > > > How can I classify inbound and outbound data using NetFlow and the same
> > > > table?
> > > >
> > > > Cheers!
> > > >
> > > > --
> > > > Regards
> > > > Leonardo Augusto Sápiras
> > > > [http://www.leonardosapiras.com.br]

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
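
Added example, not part of the original thread and not pmacct code: an offline check that reports which map lines lack the required 'id' and 'ip' keys named in the quoted error, and computes the tag each constructed flow record would be expected to get, for comparison with the tag column in the database. It assumes that the first matching entry sets the tag and that 0 means no entry matched, and it evaluates only the 'src net' / 'dst net' filter terms used in the thread; the function names and flow dictionaries are hypothetical.

```python
import ipaddress
import shlex

REQUIRED_KEYS = ("id", "ip")  # the keys named in the nfacctd error quoted in the thread

def parse_map(text):
    """Parse key=value map lines; return (entries, [(line_no, missing_keys)])."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # shlex keeps a quoted filter='...' expression together as one token
        entry = dict(tok.split("=", 1) for tok in shlex.split(line))
        missing = [k for k in REQUIRED_KEYS if k not in entry]
        if missing:
            errors.append((lineno, missing))
        else:
            entries.append(entry)
    return entries, errors

def filter_matches(expr, flow):
    """Evaluate only '<src|dst> net <cidr>' terms joined by 'or', as used in the thread."""
    for term in expr.split(" or "):
        side, keyword, cidr = term.split()
        if side not in ("src", "dst") or keyword != "net":
            raise ValueError(f"unsupported filter term: {term!r}")
        if ipaddress.ip_address(flow[side]) in ipaddress.ip_network(cidr):
            return True
    return False

def expected_tag(entries, flow):
    """Assumed semantics: first matching entry sets the tag, 0 when none matches."""
    for e in entries:
        if e["ip"] != flow["exporter"]:
            continue
        if "in" in e and int(e["in"]) != flow["in_iface"]:
            continue
        if "filter" in e and not filter_matches(e["filter"], flow):
            continue
        return int(e["id"])
    return 0

# Maps quoted from the thread; the flow records are constructed sample data.
FILTER_MAP = ("id=1 ip=192.168.10.1 filter='dst net 192.168.0.0/16'\n"
              "id=2 ip=192.168.10.1 filter='src net 192.168.0.0/16'\n")
NO_IP_MAP = "id=1 filter='dst net 192.168.0.0/16'\nid=2 filter='src net 192.168.0.0/16'\n"
INBOUND = {"exporter": "192.168.10.1", "in_iface": 1, "src": "203.0.113.9", "dst": "192.168.1.20"}
OUTBOUND = {"exporter": "192.168.10.1", "in_iface": 2, "src": "192.168.1.20", "dst": "203.0.113.9"}

if __name__ == "__main__":
    entries, errors = parse_map(FILTER_MAP)
    for name, flow in (("inbound", INBOUND), ("outbound", OUTBOUND)):
        print(name, "-> expected tag", expected_tag(entries, flow))
    print("map without ip ->", parse_map(NO_IP_MAP)[1])
```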
