Ok, I think I got it now (still not working though), there were several wrong assumptions on my part:

- Next hop is only (logically) stored for outgoing packets
- I am using nfsen (nfcapd) to capture the flows, by default, nfcapd captures netflow v9 but only extensions 1 (input/output interface SNMP numbers) and 2 (src/dst AS numbers), the next-hop ip address is extension 4. So I had to reconfigure nfsen so it added "-T +4" to the nfcapd daemon
- A very nice way to debug the flow data is by using tshark (even on non standard ports):

    tshark -i eth1 host 192.168.1.22 -d udp.port==2591,cflow -s0 -V

Thanks for all your help,
Joan

2014-04-07 20:56 GMT+02:00 Paolo Lucente <[email protected]>:

> Hi Joan,
>
> I've just tried to reproduce the issue with latest CVS with
> no luck, ie. BGP next-hop information is inserted just fine.
>
> If you make a pcap capture of the NetFlow traffic produced
> by nfprobe (or are able to debug NetFlow v9 templates in the
> collector tool) do you reckon the BGP next-hop field is part
> of the template (and hence left as 0.0.0.0)?
>
> Cheers,
> Paolo
>
> On Mon, Apr 07, 2014 at 04:37:29PM +0200, Joan wrote:
> > Just tried it, it seems that pmacct isn't yet adding the nexthop
> > information, this is my current config, I added the peer_src_ip,peer_dst_ip
> > primitives and the nfacctd_net: file, maybe I'm missing something
> >
> > > ! pmacctd configuration
> > > !
> > > !
> > > !
> > > daemonize: true
> > > pidfile: /var/run/pmacctd.pid
> > > syslog: daemon
> > > !
> > > ! interested in in and outbound traffic
> > > !aggregate: src_host,dst_host,dst_as,src_as,src_port,dst_port,proto,tos
> > > aggregate: src_host,dst_host,dst_as,src_as,src_port,dst_port,proto,tos,peer_src_ip,peer_dst_ip
> > > ! on this network
> > > !pcap_filter: net 0.0.0.0/0
> > > ! on this interface
> > > interface: eth0
> > > !
> > > plugins: nfprobe
> > > networks_file: /etc/pmacct/networks.lst
> > > refresh_maps: true
> > > nfprobe_receiver: 192.168.1.123:2591
> > > nfprobe_version: 9
> > > pmacctd_as: file
> > > !added after last email
> > > nfacctd_net: file
> > > !plugin_pipe_size: 2048000
> > > !plugin_buffer_size: 2048
> > > plugin_pipe_size: 4096000
> > > plugin_buffer_size: 4096
> > > debug : false
> > >
> > > Sample file:
> > > 123.123.123.123,17766,223.255.235.0/24
> > > 123.123.123.123,56000,223.255.236.0/24
> > > 123.123.123.123,56000,223.255.237.0/24
> > > 123.123.123.123,56000,223.255.238.0/24
> > > 123.123.123.123,56000,223.255.239.0/24
> > > 123.123.123.123,55649,223.255.240.0/22
> > > 123.123.123.123,55649,223.255.240.0/24
> > > 123.123.123.123,55649,223.255.241.0/24
> > > 123.123.123.123,55649,223.255.242.0/24
> > > 123.123.123.123,55649,223.255.243.0/24
> > > 123.123.123.123,45954,223.255.244.0/24
> > > 123.123.123.123,45954,223.255.245.0/24
> > > 123.123.123.123,45954,223.255.246.0/24
> > > 123.123.123.123,45954,223.255.247.0/24
> > > 123.123.123.123,55415,223.255.254.0/24
> >
> > 2014-04-07 16:16 GMT+02:00 Joan <[email protected]>:
> >
> > > The date I've in the checkout folder is Feb, 17th, and it's probably from
> > > those days (also it's trunk code), I'll update to current head and test it
> > > again.
> > >
> > > 2014-04-05 4:22 GMT+02:00 Paolo Lucente <[email protected]>:
> > >
> > >> Hi Joan,
> > >>
> > >> Can you confirm you do not run a CVS build past Feb, 5th
> > >> and you want the BGP next-hop taken from a networks_file
> > >> in conjunction with the nfprobe plugin? If yes, you should
> > >> be sorted if downloading latest CVS:
> > >>
> > >> https://www.mail-archive.com/[email protected]/msg00981.html
> > >>
> > >> For the BGP next-hop to be taken from a networks_file you
> > >> should also configure nfacctd_net to 'file': as you might
> > >> see from docs that's the one influencing 'peer_dst_ip' (or
> > >> BGP next-hop). Let me know if this is of help.
> > >>
> > >> Cheers,
> > >> Paolo
> > >>
> > >> On Fri, Apr 04, 2014 at 11:39:28AM +0200, Joan wrote:
> > >> > I am using a networks_file such as this, being the next hop
> > >> > 123.123.123.123, I do have other bgp providers for other routes.
> > >> >
> > >> > 123.123.123.123,17766,223.255.235.0/24
> > >> > 123.123.123.123,56000,223.255.236.0/24
> > >> > 123.123.123.123,56000,223.255.237.0/24
> > >> > 123.123.123.123,56000,223.255.238.0/24
> > >> > 123.123.123.123,56000,223.255.239.0/24
> > >> > 123.123.123.123,55649,223.255.240.0/22
> > >> > 123.123.123.123,55649,223.255.240.0/24
> > >> > 123.123.123.123,55649,223.255.241.0/24
> > >> > 123.123.123.123,55649,223.255.242.0/24
> > >> > 123.123.123.123,55649,223.255.243.0/24
> > >> > 123.123.123.123,45954,223.255.244.0/24
> > >> > 123.123.123.123,45954,223.255.245.0/24
> > >> > 123.123.123.123,45954,223.255.246.0/24
> > >> > 123.123.123.123,45954,223.255.247.0/24
> > >> > 123.123.123.123,55415,223.255.254.0/24
> > >> >
> > >> > The issue I am having is that although the AS numbers are properly
> > >> > populated, the BGPNextHop field is always 0.0.0.0
> > >> >
> > >> > I am using this aggregate list:
> > >> > aggregate: src_host,dst_host,dst_as,src_as,src_port,dst_port,proto,tos,peer_src_ip,peer_dst_ip
> > >> >
> > >> > From the config keys (http://wiki.pmacct.net/OfficialConfigKeys) I read:
> > >> > > when 'true' ('file' being an alias of 'true') it instructs nfacctd
> > >> > > and sfacctd to generate 'src_as' and 'dst_as' (only! ie. no peer-AS) by looking up
> > >> > > source and destination IP addresses against a networks_file
> > >> >
> > >> > So apparently it won't populate BGPNextHop when using networks file,
> > >> > is that right? Is the only resort to get that information would be to
> > >> > have a bgp session established?
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
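
Added example, not part of the original thread and not pmacct or nfdump code: a small parser for the template check discussed above, which reads the template FlowSets of one NetFlow v9 datagram and reports whether the BGP next-hop field is declared. Field type 18 (BGP_IPV4_NEXT_HOP) and the header layout follow RFC 3954; the sample datagrams, template ID 256 and the helper names are constructed for illustration.

```python
import struct

BGP_IPV4_NEXT_HOP = 18  # NetFlow v9 field type number (RFC 3954)
FIELD_NAMES = {8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR", 15: "IPV4_NEXT_HOP",
               16: "SRC_AS", 17: "DST_AS", 18: "BGP_IPV4_NEXT_HOP"}

def parse_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, length), ...]} for one v9 datagram."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    version = struct.unpack_from("!H", packet)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, off)
        if length < 4 or off + length > len(packet):
            raise ValueError("bad FlowSet length")
        if flowset_id == 0:  # FlowSet ID 0 carries template records
            pos, end = off + 4, off + length
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                pos += 4
                if tid < 256 or pos + 4 * nfields > end:  # padding or truncated
                    break
                templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        off += length  # data and options FlowSets are skipped
    return templates

def has_bgp_next_hop(fields) -> bool:
    """True if the template declares BGP_IPV4_NEXT_HOP (type 18)."""
    return any(ftype == BGP_IPV4_NEXT_HOP for ftype, _ in fields)

def build_sample(field_types) -> bytes:
    """Constructed datagram: v9 header plus one template (ID 256, 4-byte fields)."""
    fields = b"".join(struct.pack("!HH", t, 4) for t in field_types)
    record = struct.pack("!HH", 256, len(field_types)) + fields
    flowset = struct.pack("!HH", 0, 4 + len(record)) + record
    return struct.pack("!HHIIII", 9, 1, 0, 0, 1, 0) + flowset

if __name__ == "__main__":
    for types in ([8, 12, 16, 17], [8, 12, 16, 17, 18]):
        tmpl = parse_templates(build_sample(types))[256]
        names = [FIELD_NAMES.get(t, str(t)) for t, _ in tmpl]
        print(names, "-> BGP next-hop in template:", has_bgp_next_hop(tmpl))
```

If the field is in the exporter's template but the collector still shows 0.0.0.0, the next place to look is what the collector stores, as with the nfcapd extension setting described in the first message.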
