Hi Inge,

Glad to read back from you. I think you are hitting a classic limit of pcap filters: to match a packet/flow within a VLAN the filter should be 'vlan and ip' (to say: any IP packet/flow within any VLAN). pcap filters write a BPF program: I've not been able to find a way to make a single filter to comprise both VLAN-tagged and non-VLAN-tagged traffic, so the only solution that appears to work to me is:

id=220 ip=a.b.c.d filter='ip'
id=230 ip=a.b.d.e filter='ip'
id=220 ip=a.b.c.d filter='vlan and ip'
id=230 ip=a.b.d.e filter='vlan and ip'

Cheers,
Paolo

On Thu, Apr 16, 2015 at 11:07:56AM +0000, Inge Bjørnvall Arnesen wrote:
> Hi all,
>
> I've been using this software for a number of years, but this year is the
> first time I've tried to set it (here 1.5.0 and later 1.5.1) up with IPFIX
> (V10) reporting (Juniper) and I've come across a strange problem. When
> looking at flows with:
>
> aggregate[inmem]: dst_host, in_iface,out_iface,vlan
>
> and no aggregate_filter or filtering in pretag.map, I see all flows coming in
> from all reporting interfaces and with their various VLAN tags. As soon as I
> create a filter (any positive filter that requires IP - either in pretag.map or
> using aggregate_filter), all flows where the VLAN ID field is non-zero are
> filtered away from the flows reported by nfacctd. E.g. with a pretag.map with
> (variables used here to hide real IPs):
>
> -----------------------------
> id=220 ip=a.b.c.d
> id=230 ip=a.b.d.e
> -----------------------------
>
> and nfacctd.conf containing:
>
> -----------------------------
> pre_tag_filter[outmem]: 220,230
> aggregate[outmem]: src_host, in_iface,out_iface,vlan
> -----------------------------
>
> I see all traffic for all flows, but if I change pretag.map to:
>
> -----------------------------
> id=220 ip=a.b.c.d filter='ip'
> id=230 ip=a.b.d.e filter='ip'
> -----------------------------
>
> Only flows where VLAN is 0 are shown:
>
> [root@bf-netflow01 sbin]# pmacct -s -p /tmp/pmacct_out.pipe | head -n 6
> IN_IFACE  OUT_IFACE  VLAN  SRC_IP          PACKETS  BYTES
> 556       577        0     141.136.112.53  500      20000
> 556       577        0     85.114.2.251    500      750000
> 556       577        0     95.153.164.152  500      26000
> 556       577        0     84.18.126.21    500      254000
> 556       577        0     79.110.18.161   500      41500
> .....
>
> All others appear to be somehow lost in filtering. Of course, using 'ip' as a
> filter is just to illustrate the problem - I usually filter on src net (which
> also requires positive IP filtering).
>
> If I change the pretag filter to:
> -----------------------------
> id=220 ip=a.b.c.d filter='not ip'
> id=230 ip=a.b.d.e filter='not ip'
> -----------------------------
>
> I only see flows where the VLAN number is non-zero:
>
> [root@bf-netflow01 sbin]# pmacct -s -p /tmp/pmacct_out.pipe | head -n 6
> IN_IFACE  OUT_IFACE  VLAN  SRC_IP          PACKETS  BYTES
> 554       511        3334  194.76.246.132  500      730000
> 554       511        3334  109.68.89.199   500      26000
> 511       554        3335  109.74.179.138  500      750000
> 511       556        3335  194.76.246.18   18000    12336000
> 511       556        3335  79.171.81.64    39500    2618500
> .....
>
> The src_host field strangely contains the correct source IP even though I
> filter for 'not ip'. Note that if I substitute the filter 'ip' with 'src net
> 128.0.0.0/1', the same situation occurs - only flows with VLAN ID zero are
> shown, but if I substitute 'not ip' with e.g. 'not src net 128.0.0.0/1',
> flows are shown regardless of VLAN ID.
>
> Any idea on what might be the issue here or how I might patch around this
> issue in the source?
>
> Regards,
>
> - Inge
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
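
The filter behaviour discussed in this thread, as an added example that is not part of the original messages and is not pmacct or libpcap code: a simplified Python model of how the pcap expressions 'ip', 'not ip' and 'vlan and ip' test an Ethernet frame at fixed offsets. The function names and both sample frames are constructed for illustration, and the model assumes a single 802.1Q tag with TPID 0x8100.

```python
import struct

ETH_P_IP = 0x0800      # IPv4 EtherType
ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag TPID


def eth_frame(vlan_id=None):
    """Constructed Ethernet header (zeroed MACs) followed by a bare IPv4 header."""
    hdr = b"\x00" * 12                       # destination + source MAC
    if vlan_id is not None:                  # insert the 4-byte 802.1Q tag
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    hdr += struct.pack("!H", ETH_P_IP)
    return hdr + b"\x45" + b"\x00" * 19      # version/IHL byte + rest of header


def ethertype_at(frame, offset):
    return struct.unpack_from("!H", frame, offset)[0]


def match_ip(frame):
    # 'ip' reads the EtherType at offset 12; a tagged frame has 0x8100 there.
    return ethertype_at(frame, 12) == ETH_P_IP


def match_vlan_and_ip(frame):
    # 'vlan' requires the 802.1Q TPID at offset 12 and shifts every later
    # test by 4 bytes, so the following 'ip' looks at offset 16.
    return (ethertype_at(frame, 12) == ETH_P_8021Q
            and ethertype_at(frame, 16) == ETH_P_IP)


def classify(frame):
    """Result of each filter expression from the thread for one frame."""
    return {
        "ip": match_ip(frame),
        "not ip": not match_ip(frame),
        "vlan and ip": match_vlan_and_ip(frame),
    }


# Constructed samples: one untagged frame, one tagged with VLAN 3334.
SAMPLES = {"untagged": eth_frame(), "vlan 3334": eth_frame(3334)}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:10s} {classify(frame)}")
```

In this model 'ip' and 'vlan and ip' match disjoint sets of frames, which is why the pretag.map in the reply lists each id twice, once per filter.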
