Hi all,

I've been using this software for a number of years, but this year is the first time I've tried to set it (here 1.5.0 and later 1.5.1) up with IPFIX (V10) reporting (Juniper) and I've come across a strange problem.

When looking at flows with:

aggregate[inmem]: dst_host, in_iface,out_iface,vlan

and no aggregate_filter or filtering in pretag.map, I see all flows coming in from all reporting interfaces and with their various VLAN tags.

As soon as I create a filter (any positive filter that requires IP, either in pretag.map or using aggregate_filter), all flows where the VLAN ID field is non-zero are filtered away from the flows reported by nfacctd.

E.g. with a pretag.map with (variables used here to hide real IPs):

-----------------------------
id=220 ip=a.b.c.d
id=230 ip=a.b.d.e
-----------------------------

and nfacctd.conf containing:

-----------------------------
pre_tag_filter[outmem]: 220,230
aggregate[outmem]: src_host, in_iface,out_iface,vlan
-----------------------------

I see all traffic for all flows, but if I change pretag.map to:

-----------------------------
id=220 ip=a.b.c.d filter='ip'
id=230 ip=a.b.d.e filter='ip'
-----------------------------

Only flows where VLAN is 0 are shown:

[root@bf-netflow01 sbin]# pmacct -s -p /tmp/pmacct_out.pipe | head -n 6
IN_IFACE  OUT_IFACE  VLAN  SRC_IP           PACKETS  BYTES
556       577        0     141.136.112.53   500      20000
556       577        0     85.114.2.251     500      750000
556       577        0     95.153.164.152   500      26000
556       577        0     84.18.126.21     500      254000
556       577        0     79.110.18.161    500      41500
.....

All others appear to be somehow lost in filtering. Of course, using 'ip' as a filter is just to illustrate the problem - I usually filter on src net (which also requires positive IP filtering).

If I change the pretag filter to:

-----------------------------
id=220 ip=a.b.c.d filter='not ip'
id=230 ip=a.b.d.e filter='not ip'
-----------------------------

I only see flows where the VLAN number is non-zero:

[root@bf-netflow01 sbin]# pmacct -s -p /tmp/pmacct_out.pipe | head -n 6
IN_IFACE  OUT_IFACE  VLAN  SRC_IP           PACKETS  BYTES
554       511        3334  194.76.246.132   500      730000
554       511        3334  109.68.89.199    500      26000
511       554        3335  109.74.179.138   500      750000
511       556        3335  194.76.246.18    18000    12336000
511       556        3335  79.171.81.64     39500    2618500
.....

The src_host field strangely contains the correct source IP even though I filter for 'not ip'.

Note that if I substitute the filter 'ip' with 'src net 128.0.0.0/1', the same situation occurs - only flows with VLAN ID zero are shown, but if I substitute 'not ip' with e.g. 'not src net 128.0.0.0/1', flows are shown regardless of VLAN ID.

Any idea on what might be the issue here or how I might patch around this issue in the source?

Regards,
n Inge
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
