Hi Paolo
Yes! It works now:
SRC_MAC DST_MAC VLAN ETYPE
PACKETS BYTES
00:1b:ed:ae:8d:00 d4:85:64:50:5c:60 50 86dd
7 657
Thank you very much.
Kind regards
Matej
On 12. 12. 2014 00:26, Paolo Lucente wrote:
Hi Matej,
Thanks a lot for your support.
Looking at the trace, your switch is sending VLAN ID using NetFlow v9/
IPFIX element #243. This was not supported natively. Now it is and
code for it is in the CVS for you to check out. Log from the CVS for
this:
http://www.mail-archive.com/[email protected]/msg01282.html
I've tested it working, just let me know if it appears to work for you
too or you run into any further issue.
Cheers,
Paolo
On Wed, Dec 10, 2014 at 07:51:35PM +0100, Matej Vadnjal wrote:
Hello
First of a big thanks to Paolo for a great tool.
I do have a question though.
I can't get pmacct to show VLAN IDs of layer 2 flexible netflow
records. I'm exporting from a Cisco 4500X switch.
VLAN field in nfacctd is always 0, though it is set correctly in
exported flow packets. I'm not sure if I need to configure something
or if support for this field needs to be coded in pmacct?
I have attached a sample PCAP that contains the Netflow template and
a flow record.
This is my IOS config for flow record:
flow record MemberP2P
match datalink mac source address input
match datalink mac destination address input
match datalink ethertype
match datalink dot1q vlan input
match interface input
collect interface output
collect counter bytes long
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
Here is a debug output from nfacctd collector:
# pmacct-1.5.0/src/nfacctd -d -L a.b.c.d -l 1555 -P print -r 10 -c
src_mac,dst_mac,etype,vlan
DEBUG ( cmdline ): plugin name/type: 'default'/'core'.
DEBUG ( cmdline ): plugin name/type: 'default'/'print'.
DEBUG ( cmdline ): debug:true
DEBUG ( cmdline ): nfacctd_ip:a.b.c.d
DEBUG ( cmdline ): nfacctd_port:1555
DEBUG ( cmdline ): sql_refresh_time:10
DEBUG ( cmdline ): aggregate:src_mac,dst_mac,etype,vlan
INFO ( default/core ): Reading configuration from cmdline.
INFO ( default/print ): plugin_pipe_size=4096000 bytes
plugin_buffer_size=200 bytes
INFO ( default/print ): ctrl channel: obtained=212992 bytes
target=163840 bytes
INFO ( default/core ): waiting for NetFlow data on a.b.c.d:1555
DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R:
unknown template 256 [e.f.g.h:0])
DEBUG ( default/core ): NfV9 agent : e.f.g.h:0
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 256
DEBUG ( default/core ):
-----------------------------------------------------
DEBUG ( default/core ): | pen | field type | offset |
size |
DEBUG ( default/core ): | 0 | input snmp | 0 |
4 |
DEBUG ( default/core ): | 0 | 256 | 4 |
2 |
DEBUG ( default/core ): | 0 | 243 | 6 |
2 |
DEBUG ( default/core ): | 0 | in src mac | 8 |
6 |
DEBUG ( default/core ): | 0 | in dst mac | 14 |
6 |
DEBUG ( default/core ): | 0 | in packets | 20 |
4 |
DEBUG ( default/core ): | 0 | first switched | 24 |
4 |
DEBUG ( default/core ): | 0 | last switched | 28 |
4 |
DEBUG ( default/core ): | 0 | output snmp | 32 |
4 |
DEBUG ( default/core ): | 0 | in bytes | 36 |
8 |
DEBUG ( default/core ):
-----------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 44
DEBUG ( default/core ):
INFO ( default/print ): *** Purging cache - START (PID: 19349) ***
SRC_MAC DST_MAC VLAN ETYPE PACKETS
BYTES
00:1b:ed:ae:8d:00 d4:85:64:50:5c:60 0 806 1 94
INFO ( default/print ): *** Purging cache - END (PID: 19349, QN:
54/54, ET: 0) ***
Best regards
Matej Vadnjal
Arnes
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
