Hi Thomas,

Inline:

On Wed, May 28, 2014 at 07:47:45AM +0000, Thomas King wrote:

> - From the documentation I reasoned that pmacct/nfacct is able to handle 
> IPFIX sampling. I use IPFIX sampling with a sampling rate of 10000. From the 
> results I see (pmacct or prng) the sampling rate is not recognised by 
> pmacct/nfacct. I also tried to configure the sampling rate by using the 
> configuration key nfacctd_ext_sampling_rate which did not resolve the issue. 
> Is there a known issue with recognising the sampling rate from the IPFIX data? 
> Or did I miss how to configure pmacct/nfacct correctly?

One or multiple things may be happening here:

* "nfacctd_renormalize: true" is not mentioned as part of the
  pmacct config. In which case pmacct will log sampling rate,
  if sampling_rate aggregation primitive is specified, but not
  apply it to counters.

* You are using a pre 1.5.0rc3 release. In such release there
  was an improvement to handling of NetFlow/IPFIX options, from
  ChangeLog:

  ! fix, nfacctd: NetFlow v9/IPFIX sampling correlation has been improved by
    placing system scoped sampling options in a separate table. Such table is
    queried if no matching sampler ID is found for a given <exporter IP addr,
    source ID>. Sampling-related fields (ie. sampler ID, interval, etc.) are
    now all supported if 1, 2 or 4 bytes long.

* Sampling information is not sent over by the router. This,
  in turn, can be because of a knob to enable on the router or
  due to a bug. Sniffing the raw IPFIX data and analyzing with
  a tool like Wireshark can tell if it's the latter case. I'd
  be more than happy to help/support you with such analysis if
  we reckon all points in the direction of a bug.

> - The aggregate configuration directive comes with various values. However, I 
> could not find a way to aggregate IPv4 and IPv6 traffic. Did I miss this in 
> the documentation? Or is it not supported by pmacct/nfacct?

I believe I should be correct decoding "aggregate IPv4 and IPv6
traffic" as: you want to collect traffic per source, destination
and/or source-destination MAC address and distinguish v4 vs v6
traffic. If this is correct then you need the 'etype' primitive
on your aggregation method. A value of 0x800 means v4, a value
of 0x86dd means v6. If my understanding is not correct, please
elaborate more.

> - I would like to generate rrd files for traffic going in and out of a MAC 
> address. I also would like to generate rrd files for the communication 
> between a MAC address and another MAC address (in and out). The configuration 
> of pmacct/nfacct is actually quite easy. However, I had difficulties to 
> generate the rrd files. I tried pnrg version 0.1 which is from 2006 and not 
> updated ever since. It also has problems with creating rrd files and graphs 
> based on MAC addresses. So I assume there should be a better solution than 
> pnrg to generate rrd files. What is the default way of generating rrd files 
> using pmacct/nfacct (I saw the section in the FAQ talking about rrd files, 
> but this is nothing I can use as I would like to generate thousands rrd files 
> :-))?

Did you have difficulty injecting stats in RRD files or you had
difficulty finding a tool that does it for you, ie. PNRG? If
it's about the former case: you can elaborate more, maybe I (or
anybody else on list) can help you. You are correct about PNRG:
it is unsupported from about the time you mention, ie. 2006, and
on this point I'd welcome and support anybody willing to revamp
that project.

Cheers,
Paolo
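
The check suggested in the third bullet above (is sampling information sent by the router at all?), as an added example that is not part of the original message and is not pmacct code: it walks the Options Template Sets of one raw IPFIX message (RFC 7011 layout) and lists the sampling-related fields the exporter announces, marking lengths outside the 1, 2 or 4 bytes named in the ChangeLog entry. The function names and the `SAMPLE` message are constructed for illustration; the element numbers are taken from the IANA IPFIX registry.

```python
import struct

# Sampling-related information elements, numbers from the IANA IPFIX registry.
SAMPLING_IES = {34: "samplingInterval", 35: "samplingAlgorithm", 48: "samplerId",
                49: "samplerMode", 50: "samplerRandomInterval", 302: "selectorId",
                304: "selectorAlgorithm", 305: "samplingPacketInterval",
                306: "samplingPacketSpace"}

def _options_records(msg, pos, end):
    """Walk the Options Template Records of one set (set ID 3)."""
    out = []
    while pos + 4 <= end:
        tid, count = struct.unpack_from("!HH", msg, pos)
        if tid < 256:            # zero padding at the end of the set
            break
        if count == 0:           # template withdrawal: 4-byte record, no fields
            pos += 4
            continue
        pos += 6                 # template ID, field count, scope field count
        for _ in range(count):
            if pos + 4 > end:
                raise ValueError("truncated options template record")
            ie, length = struct.unpack_from("!HH", msg, pos)
            pos += 4
            if ie & 0x8000:      # enterprise-specific element: skip its 4-byte PEN
                pos += 4
            elif ie in SAMPLING_IES:
                out.append((tid, SAMPLING_IES[ie], length, length in (1, 2, 4)))
    return out

def sampling_fields(msg):
    """Return [(template_id, element, length, length_is_1_2_or_4)] for one message."""
    version, total = struct.unpack_from("!HH", msg, 0)
    if version != 10 or total > len(msg):
        raise ValueError("not a complete IPFIX message")
    found, off = [], 16          # sets start after the 16-byte message header
    while off + 4 <= total:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > total:
            raise ValueError("bad set length")
        if set_id == 3:
            found += _options_records(msg, off + 4, off + set_len)
        off += set_len
    return found

# Constructed sample: options template 256, scope observationDomainId (149), then
# selectorId (8 bytes), samplingPacketInterval and samplingPacketSpace (4 bytes each).
_fields = [(149, 4), (302, 8), (305, 4), (306, 4)]
_rec = struct.pack("!HHH", 256, 4, 1) + b"".join(struct.pack("!HH", *f) for f in _fields)
_set = struct.pack("!HH", 3, 4 + len(_rec) + 2) + _rec + b"\x00\x00"
SAMPLE = struct.pack("!HHIII", 10, 16 + len(_set), 1401263265, 0, 1) + _set
```

An empty result for one message is not conclusive on its own, since exporters resend options templates only periodically; run it over the UDP payloads of a longer capture before concluding the router sends no sampling information.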
