Hi Horst,

This is expected because you use pmacctd, the libpcap-based daemon. Libpcap has the beauty of being portable but has the drawback of not having much insight into the underlying OS - hence interfaces are not populated. You may achieve that with uacctd, the ULOG-based daemon. An alternative would be to still use pmacctd and infer interfaces from the MAC address layer; you may then use a pre_tag_map (and the 'filter' keyword to build pcap filters) to assign tags to traffic based on MAC addresses (and direction, i.e. ingress/egress) or you may burn some extra disk space and write MAC addresses as part of your accounting and post-process your data.

Cheers,
Paolo

On Thu, Nov 05, 2015 at 10:12:21AM +0100, horst birne wrote:
> Virtual Interfaces not appearing in in/out_iface?
> horst birne 03.11.2015
> To: [email protected]
>
> we are using pmacctd with the following configuration:
>
> syslog: daemon
> promisc: true
> interface: eth2
> plugins: print[plugin3]
> print_output_file[plugin3]: /var/lib/pmacct/plugin2.json
> print_output[plugin3]: json
> print_trigger_exec[plugin3]: /etc/p2es/triggers/plugin3
> print_refresh_time[plugin3]: 2
> aggregate[plugin3]: timestamp_start, src_host, src_port, dst_host, dst_port, proto, in_iface, out_iface, src_mac, dst_mac, vlan
>
> to save the packets to a file in JSON and trigger the shipping to a database called "elasticsearch" via an "extension" called pmacct-to-elasticsearch.
>
> On the host where pmacctd is running, multiple virtual interfaces are configured on top of eth2:
>
> eth2    Link encap:Ethernet HWaddr f0:1f:af:e5:94:1a
>         inet addr:192.168.XX.XXX Bcast:192.168.XX.XXX Mask:255.255.255.XXX
> eth2.23 Link encap:Ethernet HWaddr f0:1f:af:e5:94:1a
>         inet addr:10.XX.XX.XXX Bcast:10.XX.XX.XXX Mask:255.255.255.XXX
> eth2.24 Link encap:Ethernet HWaddr f0:1f:af:e5:94:1a
>         inet addr:10.XX.XX.XXX Bcast:10.XX.XX.XXX Mask:255.255.255.XXX
> eth2.25 Link encap:Ethernet HWaddr f0:1f:af:e5:94:1a
>         inet addr:10.XX.XX.XXX Bcast:10.XX.XX.XXX Mask:255.255.255.XXX
> eth2.38 Link encap:Ethernet HWaddr f0:1f:af:e5:94:1a
>         inet addr:10.XX.XX.XXX Bcast:10.XX.XX.XXX Mask:255.255.255.XXX
> eth2.41 Link encap:Ethernet HWaddr f0:1f:af:e5:94:1a
>         inet addr:10.XX.XX.XXX Bcast:10.XX.XX.XXX Mask:255.255.255.XXX
>
> The logged packets contain this information:
>
> {"timestamp_start": "2015-11-03 14:40:46.878433", "ip_proto": "tcp", "ip_dst": "10.XX.XX.XXX", "mac_src": "f0:1f:af:e5:94:1a", "iface_out": 0, "mac_dst": "08:00:27:bd:5d:fe", "ip_src": "10.XX.XX.XXX", "vlan": 25, "iface_in": 0, "packets": 1, "port_src": 22, "bytes": 216, "port_dst": 54177}
>
> As you might notice the in_iface and out_iface only display a value of 0, regardless of the used interfaces.
>
> I also tried disabling promiscuous mode and set up multiple instances for each virtual interface:
>
> promisc: false
> interface: eth2.38
>
> Unfortunately this didn't work either.
>
> You guys got any idea how to make this work?
> Thank you for any advice!
>
> Best regards,
> Horst
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
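
The post-processing option mentioned in the reply, sketched as an added example that is not part of the original thread or of pmacct: it reads print-plugin JSON records and infers direction and interface from `mac_src`, `mac_dst` and `vlan`. It assumes the capture host's MAC is the one shown in the ifconfig output and that sub-interface `eth2.<N>` carries VLAN ID N; the sample records are constructed.

```python
import json

# Assumptions (not from pmacct): the capture host's MAC, and the Linux
# naming convention that sub-interface "eth2.<N>" carries VLAN ID N.
HOST_MAC = "f0:1f:af:e5:94:1a"
PARENT_IFACE = "eth2"

def iface_for_vlan(vlan):
    """Map a VLAN ID to an interface name; 0 or missing means untagged."""
    return f"{PARENT_IFACE}.{vlan}" if vlan else PARENT_IFACE

def is_group_mac(mac):
    """True for broadcast/multicast: the I/G bit of the first octet is set."""
    return bool(int(mac.split(":")[0], 16) & 0x01)

def annotate(record):
    """Return a copy of a record with inferred direction and interfaces."""
    out = dict(record)
    src = record.get("mac_src", "").lower()
    dst = record.get("mac_dst", "").lower()
    iface = iface_for_vlan(record.get("vlan", 0))
    out["iface_in"] = out["iface_out"] = None
    if src == HOST_MAC:
        out["direction"], out["iface_out"] = "egress", iface
    elif dst == HOST_MAC or (dst and is_group_mac(dst)):
        out["direction"], out["iface_in"] = "ingress", iface
    else:
        # Seen only because of promiscuous mode; not this host's traffic.
        out["direction"] = "other"
    return out

def annotate_lines(lines):
    """Parse one JSON object per line, skipping blank lines."""
    return [annotate(json.loads(line)) for line in lines if line.strip()]

# Constructed sample records using the field names from the thread.
SAMPLE = [
    '{"mac_src": "f0:1f:af:e5:94:1a", "mac_dst": "08:00:27:bd:5d:fe", "vlan": 25, "iface_in": 0, "iface_out": 0, "bytes": 216}',
    '{"mac_src": "08:00:27:bd:5d:fe", "mac_dst": "F0:1F:AF:E5:94:1A", "vlan": 38, "iface_in": 0, "iface_out": 0, "bytes": 60}',
    '{"mac_src": "08:00:27:bd:5d:fe", "mac_dst": "ff:ff:ff:ff:ff:ff", "vlan": 0, "iface_in": 0, "iface_out": 0, "bytes": 42}',
    '{"mac_src": "08:00:27:bd:5d:fe", "mac_dst": "08:00:27:aa:bb:cc", "vlan": 41, "iface_in": 0, "iface_out": 0, "bytes": 90}',
]

if __name__ == "__main__":
    for rec in annotate_lines(SAMPLE):
        print(json.dumps(rec))
```
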
