Hi Rob,

I see. Can you confirm which version you are running? If you are not running a code >= 1.5.1, can you please do so? If you are, can you check if you get the same behaviour with 1.5.0? I'd essentially like to confirm whether something broke up or got fixed in the last release.

Cheers,
Paolo

On Sat, May 23, 2015 at 10:43:34AM +0100, Rob Greenwood wrote:
> Hi Paolo,
>
> No we currently don’t have prefixes as part of our aggregation.
> networks_file_filter is also not specified in the config.
>
> Adding 'nfacctd_net: fallback' changes the behaviour to be even weirder…
>
> Some (not all) flows are now marked with the correct AS, but only as_dst is
> updated - we still see lots of iBGP prefix flows with as_src as 0.
>
> eBGP prefix flows are no longer set to AS0 with 'nfacctd_net: fallback'
> however.
>
> Config as follows;
>
> ## nfacctd.conf ##
> ! Global daemon
> daemonize: true
> syslog: daemon
>
> ! BGP daemon
> !bgp_daemon: true
> !bgp_daemon_max_peers: 2
> !bgp_aspath_radius: 3
> !bgp_daemon_md5_file: /opt/pmacct/etc/bgp_md5.lst
>
> ! Temporarily pull in iBGP networks data from file until BGP is up
> networks_file: /opt/pmacct/etc/networks.lst
> nfacctd_as_new: fallback
> nfacctd_net: fallback
>
> ! Netflow input plugin
> nfacctd_port: 2055
> nfacctd_disable_checks: true
>
> ! AMQP output daemon
> amqp_host: localhost
> amqp_user: pmacct
> amqp_passwd: xxxx
> amqp_vhost: /pmacct
> amqp_exchange: pmacct
> amqp_persistent_msg: true
>
> ! Plugin definitions
> plugins: amqp[elk_1min]
>
> ! 1 minutely aggregates into ELK via amqp
> aggregate[elk_1min]: src_as, dst_as, src_host, dst_host, src_port, dst_port,
> proto
> amqp_routing_key[elk_1min]: acct
> amqp_history[elk_1min]: 1m
> amqp_time_roundoff[elk_1min]: m
> amqp_refresh_time[elk_1min]: 60
>
> ## networks.lst ##
> 62212,185.43.216.0/22
>
> -Rob
>
>
> On 23 May 2015, at 10:00, Paolo Lucente <[email protected]> wrote:
> >
> > Hi Rob,
> >
> > To confirm that: what you are verifying is not the intended behaviour &
> > what you describe as your understanding is the intended behaviour instead.
> >
> > It would help to know if you have prefixes as part of your aggregation;
> > if yes, whether they are also zeroed out if not in the networks_file or
> > not. Meanwhile two tests:
> >
> > * add 'nfacctd_net: fallback' to your config
> > * make sure 'networks_file_filter: true' is not set in your config
> >
> > If none of this helps out, can you please post (here or privately) your
> > config so that I can try to reproduce this in lab?
> >
> > Cheers,
> > Paolo
> >
> > On Fri, May 22, 2015 at 09:09:30PM +0100, Rob Greenwood wrote:
> >> Hi,
> >>
> >> We’ve got nfacctd running, collecting IPFIX data from a number of Juniper
> >> MX routers and exporting it into ElasticSearch successfully.
> >>
> >> Our iBGP prefixes have their AS in the netflow data as AS0. I’m trying to
> >> override this by placing our prefixes into a networks.lst, and specifying
> >> the following config:
> >>
> >> networks_file: /opt/pmacct/etc/networks.lst
> >> nfacctd_as_new: fallback
> >>
> >> From reading the documentation, this should allow me to override prefix
> >> ASNs from within the networks.lst, but would then fall back to pulling
> >> the ASN from netflow if the prefix doesn’t exist in network.ls.
> >>
> >> However, the behaviour I’m seeing is that the ASN for my prefixes is being
> >> set correctly, but now every other non-matching network is set to AS0.
> >>
> >> Is this intended behaviour?
> >>
> >> -Rob
> >>
> >>
> >> --
> >> DataCentred Limited registered in England and Wales no. 05611763
> >
> >
> >> _______________________________________________
> >> pmacct-discussion mailing list
> >> http://www.pmacct.net/#mailinglists
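
A small checker for the symptom discussed in this thread, added here as an example (it is not pmacct code and not from either poster): it loads a networks.lst in the "ASN,prefix" form Rob posted and flags exported records whose as_src/as_dst disagree with it, or are 0 with no matching entry. The records are constructed, and the JSON-lines input with ip_src/ip_dst keys is an assumption about the exporter output.

```python
import ipaddress
import json

# networks.lst content as posted in the thread: one "ASN,prefix" per line
NETWORKS_LST = "62212,185.43.216.0/22\n"

# Constructed sample records (documentation addresses and ASNs outside the prefix).
# Key names ip_src/ip_dst and the JSON-lines layout are assumptions.
SAMPLE_RECORDS = """\
{"ip_src": "185.43.216.10", "as_src": 0, "ip_dst": "192.0.2.1", "as_dst": 64500}
{"ip_src": "198.51.100.7", "as_src": 0, "ip_dst": "185.43.217.20", "as_dst": 62212}
{"ip_src": "185.43.219.255", "as_src": 62212, "ip_dst": "192.0.2.1", "as_dst": 64500}
"""

def load_networks(text):
    """Parse 'ASN,prefix' lines; most specific prefixes are sorted first."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        asn, prefix = line.split(",", 1)
        nets.append((ipaddress.ip_network(prefix.strip()), int(asn)))
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets

def lookup(nets, addr):
    """Return the ASN of the longest matching prefix, or None if none matches."""
    ip = ipaddress.ip_address(addr)
    for net, asn in nets:
        if ip.version == net.version and ip in net:
            return asn
    return None

def audit(jsonl, nets):
    """Return (record index, field, exported ASN, expected ASN or None)."""
    findings = []
    for idx, line in enumerate(jsonl.splitlines()):
        rec = json.loads(line)
        for ip_key, as_key in (("ip_src", "as_src"), ("ip_dst", "as_dst")):
            expected = lookup(nets, rec[ip_key])
            exported = int(rec[as_key])
            if expected is not None and exported != expected:
                findings.append((idx, as_key, exported, expected))  # override not applied
            elif expected is None and exported == 0:
                findings.append((idx, as_key, exported, None))  # no entry, AS0: review fallback
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS, load_networks(NETWORKS_LST)):
        print(finding)
```

A finding with an expected ASN of None is only a candidate: a flow can legitimately carry AS0 when the exporter has no ASN for that address.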
