Hi Paul, This is best investigated with the NetFlow trace at hand; if you can send it over privately, that would be a great start. The smaller you make the trace in order to reproduce the issue the better is.
Cheers, Paolo On Tue, Apr 14, 2015 at 11:33:29PM +0000, Paul Lockaby wrote: > Hello, I just started looking at pmacct/nfacct to use in an upgrade to our > billing system. After using it for a while I've found that it is reporting, > quite often, completely invalid values for in_iface/out_iface. I noticed that > the interface indexes didn't exist at all on our routers. To make completely > sure I didn't screw something up I recorded ten minutes of traffic aggregated > with nfacctd and also recorded with wireshark. The original data, which is > netflow v5 coming from a juniper mx480 running junos 12.3R6.6, contains no > references to the interface indexes that nfacctd says it is seeing. Here is > my configuration: > > > plugins: print > aggregate: peer_src_ip,in_iface,out_iface,src_host,dst_host > nfacctd_renormalize: true > nfacctd_disable_checks: true > > print_refresh_time: 300 > print_history: 5m > print_output: csv > print_output_file: /data/netflow/sites/originals/netflow-%Y%m%d-%H%M-%s.csv > print_output_file_append: true > print_history_roundoff: m > files_umask: 002 > > # listen on the netflow port > nfacctd_ip: 127.0.0.1 > nfacctd_port: 5557 > > I have the wireshark traces and the CSV files that nfacctd wrote. I'm really > quite confused as to how this is happening. Thanks for any pointers. > Otherwise this software is exactly perfect for my task and will ultimately > save me a lot of time that I would have otherwise spent trying to decipher > IPFIX when we finally get around to upgrading to that. > > -Paul > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
