Hi Mattias,

From what i read so far I believe the pesky bit here is that you are using
pmacctd (which is the libpcap-based daemon) rather than nfacctd (which is
the NetFlow collector daemon, which collects and analyses/dissects NetFlow
packets). 

Cheers,
Paolo


On Fri, Aug 19, 2016 at 12:37:39PM +0000, Mattias Larsson wrote:
> Hi Markus,
> 
> Not sure what you mean with that the server does NOT accept/process the
> packets due to it target to another MAC address.
> 
> I thought the pmacctd used the libpcap the same way that tcpdump does and
> analyses packets. But with tcpdump I have to use -vvv the all of the packet.
> 
> This is what I get when i'm writing to plain text-file.
> 
> SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TOS,PACKETS,FLOWS,BYTES
> 192.168.1.1,172.16.0.100,52043,2055,udp,0,10,1,2416
> 
> 192.168.1.1 = router
> 172.16.0.100 = Netflow-server (not same server where I'm running pmacct on)
> 
> My server with pmacct has an interface (eth2) without any ip configurations
> connected to the same switch as the netflow-server. The server recieves all
> udp/2055 packets from the switch (SPAN)
> 
> Iptables are disabled on the server.
> 
> 
> /Mattias
> 
> 
> On Fri, Aug 19, 2016 at 1:00 PM Markus Weber <f...@uucp.de> wrote:
> 
> > Hi Matthias,
> >
> > could it be that your hosts does NOT accept/process the packets as those
> > are targeted to another MAC address? If you run wireshark/tcpdump the
> > interface to put into promiscuous mode to get them ...
> >
> > If all have the same dst mac just change your interface facing the SPAN
> > port to it.
> >
> >
> > Other than that: any host "firewall" rules active?
> >
> >
> > Markus
> >
> >
> > On 19.08.2016 11:21, Jentsch, Mario wrote:
> >
> > Hi Mattias,
> >
> >
> >
> > do you have a drawing of your setup? I have to admit that it is unclear to
> > me…
> >
> >
> >
> > Thanks,
> >
> > Mario
> >
> >
> >
> > *From:* pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net
> > <pmacct-discussion-boun...@pmacct.net>] *On Behalf Of *Mattias Larsson
> > *Sent:* Thursday, August 18, 2016 1:36 PM
> > *To:* pmacct-discussion@pmacct.net
> > *Subject:* [pmacct-discussion] Only packets from router to netflow server
> >
> >
> >
> >
> >
> > I use a SPAN port on my switch to capture all netflow (udp 2055) packets
> > and send it to a interface where my pmacct server has one extra interface
> > connected to.
> >
> >
> >
> > But when I look on the traffic/packets that pmacctd genereates it seems
> > only be the IP packets between my router and netflow server. It seems it
> > not decodes the cisco netflow payload/data.
> >
> >
> >
> > When I do a tcpdump on the interface and look at it with wireshark I can
> > see see the flows.
> >
> >
> >
> > Any suggestion what I'm doing wrong?
> >
> >
> >
> > Thanks in advance!
> >
> >
> > Mattias
> >
> >
> > _______________________________________________
> > pmacct-discussion mailing listhttp://www.pmacct.net/#mailinglists
> >
> >
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists

> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to