Hi Thomas, Inline:
On Wed, May 28, 2014 at 07:47:45AM +0000, Thomas King wrote:

> - From the documentation I reasoned that pmacct/nfacct is able to handle
> IPFIX sampling. I use IPFIX sampling with a sampling rate of 10000. From the
> results I see (pmacct or prng) the sampling rate is not recognised by
> pmacct/nfacct. I also tried to configure the sampling rate by using the
> configuration key nfacctd_ext_sampling_rate which did not resolve the issue.
> Is there a known issue with recognising the sampling rate from the IPFIX data?
> Or did I miss how to configure pmacct/nfacct correctly?

One or multiple things may be happening here:

* "nfacctd_renormalize: true" is not mentioned as part of the pmacct
  config. In which case pmacct will log sampling rate, if sampling_rate
  aggregation primitive is specified, but not apply it to counters.

* You are using a pre 1.5.0rc3 release. In such release there was an
  improvement to handling of NetFlow/IPFIX options, from ChangeLog:

  ! fix, nfacctd: NetFlow v9/IPFIX sampling correlation has been
    improved by placing system scoped sampling options in a separate
    table. Such table is queried if no matching sampler ID is found
    for a given <exporter IP addr, source ID>. Sampling-related fields
    (ie. sampler ID, interval, etc.) are now all supported if 1, 2 or
    4 bytes long.

* Sampling information is not sent over by the router. This, in turn,
  can be because of a knob to enable on the router or due to a bug.
  Sniffing the raw IPFIX data and analyzing with a tool like Wireshark
  can tell if it's the latter case. I'd be more than happy to help/support
  you with such analysis if we reckon all points in the direction of a
  bug.

> - The aggregate configuration directive comes with various values. However, I
> could not find a way to aggregate IPv4 and IPv6 traffic. Did I miss this in
> the documentation? Or is it not supported by pmacct/nfacct?

I believe I should be correct decoding "aggregate IPv4 and IPv6 traffic"
as: you want to collect traffic per source, destination and/or
source-destination MAC address and distinguish v4 vs v6 traffic. If this
is correct then you need the 'etype' primitive on your aggregation method.
A value of 0x800 means v4, a value of 0x86dd means v6. If my understanding
is not correct, please elaborate more.

> - I would like to generate rrd files for traffic going in and out of a MAC
> address. I also would like to generate rrd files for the communication
> between a MAC address and another MAC address (in and out). The configuration
> of pmacct/nfacct is actually quite easy. However, I had difficulties to
> generate the rrd files. I tried pnrg version 0.1 which is from 2006 and not
> updated ever since. It also has problems with creating rrd files and graphs
> based on MAC addresses. So I assume there should be a better solution than
> pnrg to generate rrd files. What is the default way of generating rrd files
> using pmacct/nfacct (I saw the section in the FAQ talking about rrd files,
> but this is nothing I can use as I would like to generate thousands of rrd files
> :-))?

Did you have difficulty injecting stats in RRD files or did you have
difficulty finding a tool that does it for you, ie. PNRG? If it's about
the former case: you can elaborate more, maybe I (or anybody else on
list) can help you. You are correct about PNRG: it is unsupported from
about the time you mention, ie. 2006, and at this propo I'd welcome and
support anybody willing to revamp that project.

Cheers,
Paolo

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
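
A scripted counterpart to the Wireshark check suggested in the reply above, added here as an example (it is not part of the original thread and not pmacct code): it scans one IPFIX message for options templates that declare sampling-related information elements, which is the first thing to confirm when the exporter may not be sending sampling information. The function names and both sample messages are constructed for illustration; the element numbers are the IANA IPFIX registry values, and the input is assumed to be the UDP payload of a single captured IPFIX message.

```python
import struct

# IANA IPFIX information elements that describe sampling.
SAMPLING_IES = {34: "samplingInterval", 48: "samplerId", 49: "samplerMode",
                50: "samplerRandomInterval", 302: "selectorId",
                304: "selectorAlgorithm", 305: "samplingPacketInterval",
                306: "samplingPacketSpace"}

def sampling_option_fields(msg: bytes) -> dict:
    """Map options-template ID -> [(IE name, length)] for sampling fields."""
    version, length = struct.unpack_from("!HH", msg, 0)
    if version != 10 or length > len(msg):
        raise ValueError("not a complete IPFIX message")
    found, pos = {}, 16                       # skip 16-byte message header
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        if set_id == 3:                       # options template set
            _scan_options_set(msg, pos + 4, pos + set_len, found)
        pos += set_len
    return found

def _scan_options_set(msg, pos, end, found):
    while pos + 4 <= end:
        tid, nfields = struct.unpack_from("!HH", msg, pos)
        if tid < 256:                         # set padding, not a record
            return
        pos += 6 if nfields else 4            # withdrawals have no scope count
        hits = []
        for _ in range(nfields):
            if pos + 4 > end:
                raise ValueError("truncated field specifier")
            ie, flen = struct.unpack_from("!HH", msg, pos)
            pos += 8 if ie & 0x8000 else 4    # enterprise IEs carry a 4-byte PEN
            if ie in SAMPLING_IES:
                hits.append((SAMPLING_IES[ie], flen))
        if hits:
            found[tid] = hits

def _ipfix(sets: bytes) -> bytes:             # builds constructed samples only
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets

# Constructed sample: options template 256, scope IE 144, then samplerId
# (2 bytes) and samplerRandomInterval (4 bytes), plus 2 bytes of padding.
WITH_SAMPLING = _ipfix(struct.pack("!HH3H6H", 3, 24, 256, 3, 1,
                                   144, 4, 48, 2, 50, 4) + b"\0\0")
# Constructed sample: only a data template (set 2), no options template.
WITHOUT_SAMPLING = _ipfix(struct.pack("!HH2H4H", 2, 16, 257, 2, 8, 4, 1, 8))

if __name__ == "__main__":
    print(sampling_option_fields(WITH_SAMPLING))
    print(sampling_option_fields(WITHOUT_SAMPLING))
```

An empty result across a capture long enough to include the exporter's template refresh points at the router side (the knob or bug mentioned in the reply) rather than at the collector configuration.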