Hi Tamas,
From your outputs it definitely looks like everything is in order. I wonder
though, since you use the IMT plugin, if those entries are created
before the BGP session is successfully established. Any chance, keeping
things simple and for the sake of a test, you can try the same with the
print plugin writing to flat file(s)? Failing that, I'd be glad to have
a look at the issue myself if SSH access to the box is possible (in
which case we can follow up by unicast email).
Paolo
On Wed, Nov 08, 2017 at 12:33:32PM +0100, Varga Tamas wrote:
> Hi Paolo,
>
> I have some problems getting info from bgp tables merged with netflow
> data. Unfortunately, after going through the wiki/faq/mailing-list I
> still can't figure out what is the missing piece from the config files
> in order to get this feature working.
>
> I have checked the following things based on suggestions found on the
> mailing list:
> - Bgp peer ip == netflow agent IP
> - bgp_agent_map
> - Dump bgp tables fetched from the bgp peer
> - Use "bgp" for (pmacctd|nfacctd)_net/as
> - Verified bgp peering and netflow
>
> Thanks,
>
> Tamas
>
> Relevant debug/config info
>
> ### nfacctd.conf
> !BGP
> bgp_daemon: true
> bmp_daemon: true
> bgp_daemon_ip: 216.172.X.X
> bgp_daemon_id: 216.172.X.x
> bgp_peer_as_skip_subas: true
> bgp_daemon_max_peers: 20
> bgp_table_dump_file: /tmp/bgp-$peer_src_ip-%H%M.log
> bgp_table_dump_refresh_time: 3600
> bgp_follow_default: 2
> bgp_agent_map: bgp_agents
> nfacctd_as: bgp
> pmacctd_as: bgp
> nfacctd_net: bgp
> pmacctd_net: bgp
> bgp_aspath_radius: 3
> nfacctd_as_new: bgp
> bgp_peer_src_as_type: bgp
> aggregate[mem]: src_host, dst_host, src_port, dst_port, proto, tag, src_host_country, dst_host_country, src_host_pocode, dst_host_pocode, src_as, dst_as, med, as_path
>
> ### bgp_agents
> /etc/pmacct# cat bgp_agents
> bgp_ip=5.159.218.5 ip=5.159.218.5
>
> ### Netflow agent
> DEBUG ( default/core ): NfV9 agent : 5.159.218.5:2097
> DEBUG ( default/core ): NfV9 template type : flow
> DEBUG ( default/core ): NfV9 template ID : 260
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): | pen | field type | offset | size |
> DEBUG ( default/core ): | 0 | in packets [2 ] | 0 | 4 |
> DEBUG ( default/core ): | 0 | in bytes [1 ] | 4 | 4 |
> DEBUG ( default/core ): | 0 | IPv4 src addr [8 ] | 8 | 4 |
> DEBUG ( default/core ): | 0 | IPv4 dst addr [12 ] | 12 | 4 |
> DEBUG ( default/core ): | 0 | input snmp [10 ] | 16 | 4 |
> DEBUG ( default/core ): | 0 | output snmp [14 ] | 20 | 4 |
> DEBUG ( default/core ): | 0 | last switched [21 ] | 24 | 4 |
> DEBUG ( default/core ): | 0 | first switched [22 ] | 28 | 4 |
> DEBUG ( default/core ): | 0 | L4 src port [7 ] | 32 | 2 |
> DEBUG ( default/core ): | 0 | L4 dst port [11 ] | 34 | 2 |
> DEBUG ( default/core ): | 0 | src as [16 ] | 36 | 4 |
> DEBUG ( default/core ): | 0 | dst as [17 ] | 40 | 4 |
> DEBUG ( default/core ): | 0 | BGP IPv4 next hop [18 ] | 44 | 4 |
> DEBUG ( default/core ): | 0 | IPv4 src mask [9 ] | 48 | 1 |
> DEBUG ( default/core ): | 0 | IPv4 dst mask [13 ] | 49 | 1 |
> DEBUG ( default/core ): | 0 | L4 protocol [4 ] | 50 | 1 |
> DEBUG ( default/core ): | 0 | tcp flags [6 ] | 51 | 1 |
> DEBUG ( default/core ): | 0 | tos [5 ] | 52 | 1 |
> DEBUG ( default/core ): | 0 | direction [61 ] | 53 | 1 |
> DEBUG ( default/core ): | 0 | forwarding status [89 ] | 54 | 1 |
> DEBUG ( default/core ): | 0 | sampler ID [48 ] | 55 | 2 |
> DEBUG ( default/core ): | 0 | 234 [234 ] | 57 | 4 |
> DEBUG ( default/core ): | 0 | 235 [235 ] | 61 | 4 |
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): Netflow V9/IPFIX record size : 65
>
> ### BGP peer
> INFO ( default/core/BGP ): [5.159.218.5] BGP peers usage: 1/50
> INFO ( default/core/BGP ): [5.159.218.5] Capability: MultiProtocol [1] AFI [1] SAFI [1]
> INFO ( default/core/BGP ): [5.159.218.5] Capability: 4-bytes AS [41] ASN [34655]
> INFO ( default/core/BGP ): [5.159.218.5] BGP_OPEN: Local AS: 34655 Remote AS: 34655 HoldTime: 180
> DEBUG ( default/core/BGP ): [5.159.218.5] BGP_KEEPALIVE received
> DEBUG ( default/core/BGP ): [5.159.218.5] BGP_KEEPALIVE sent
>
> ### pmacct
> /etc/pmacct# pmacct -s -T flows,5 -c dst_host_country
> TAG SRC_AS DST_AS AS_PATH MED SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL SH_COUNTRY DH_COUNTRY SH_POCODE DH_POCODE PACKETS BYTES
> 0 0 0 ^$ 0 109.71.162.32 178.187.170.198 1935 4010 tcp LU RU 659300 2 2904
> 0 0 0 ^$ 0 46.188.106.58 93.93.53.199 62090 80 tcp RU LU 101194 1 40
> 0 0 0 ^$ 0 185.13.90.86 85.29.74.98 443 49498 tcp LU FI 74130 98 124015
> 0 0 0 ^$ 0 93.93.51.195 5.228.17.199 80 48324 tcp LU RU 101194 1 1280
> 0 0 0 ^$ 0 109.71.161.146 2.86.239.153 443 58337 tcp LU GR 1 1400
>
> ### Example
>
> Json output from bgp dump
> {"timestamp": "2017-11-02 08:41:00", "peer_ip_src": "5.159.218.5",
> "event_type": "dump", "afi": 1, "safi": 1, "ip_prefix":
> "85.29.64.0/18", "bgp_nexthop": "80.81.192.144", "as_path": "6667
> 13170", "comms": "6667:900 6667:1000 6667:2000 6667:3000 6667:4002
> 34655:2 34655:40 34655:401 34655:2002 34655:4010", "origin": 0,
> "local_pref": 110, "med": 206}
>
> pmacct output
> 0 0 0 ^$ 0 185.13.90.86 85.29.74.98 443 49498 tcp LU FI 74130 98 124015
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
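The cross-check shown under "Example" in the quoted message, written out as an added example that is not part of the original thread or of pmacct: it parses `bgp_table_dump_file` JSON lines, does a longest-prefix match for a flow's destination IP, and compares the origin AS of the matched route with the `DST_AS` the flow record shows. The function names are hypothetical, the second dump line is constructed, and the NetFlow agent IP is assumed to equal the BGP peer IP, as in the `bgp_agents` map above.

```python
import ipaddress
import json

# First line: the dump entry quoted in the post (communities omitted).
# Second line: a constructed, less specific route to exercise longest match.
SAMPLE_DUMP = """\
{"peer_ip_src": "5.159.218.5", "event_type": "dump", "ip_prefix": "85.29.64.0/18", "bgp_nexthop": "80.81.192.144", "as_path": "6667 13170", "med": 206}
{"peer_ip_src": "5.159.218.5", "event_type": "dump", "ip_prefix": "85.0.0.0/8", "bgp_nexthop": "192.0.2.1", "as_path": "64496 64511", "med": 0}
truncated or non-JSON line
"""

def load_rib(text):
    """Parse dump lines into {peer_ip: [(network, entry), ...]}."""
    rib = {}
    for line in text.splitlines():
        try:
            entry = json.loads(line)
            net = ipaddress.ip_network(entry["ip_prefix"], strict=False)
            peer = entry["peer_ip_src"]
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed lines and entries missing fields
        if entry.get("event_type") == "dump":
            rib.setdefault(peer, []).append((net, entry))
    return rib

def lookup(rib, peer_ip, addr):
    """Longest-prefix match for addr in the table learned from peer_ip."""
    ip = ipaddress.ip_address(addr)
    hits = [(n, e) for n, e in rib.get(peer_ip, []) if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def origin_as(entry):
    """Origin AS = last plain ASN in the space-separated as_path (0 if none)."""
    tokens = [t for t in str(entry.get("as_path", "")).split() if t.isdigit()]
    return int(tokens[-1]) if tokens else 0

def check_flow(rib, agent_ip, dst_ip, reported_dst_as):
    """Compare the DST_AS a flow record shows with what the dump implies."""
    entry = lookup(rib, agent_ip, dst_ip)
    if entry is None:
        return "no-route"
    return "match" if origin_as(entry) == reported_dst_as else "mismatch"

if __name__ == "__main__":
    rib = load_rib(SAMPLE_DUMP)
    # Flow from the post: dst 85.29.74.98 reported with DST_AS 0.
    print(check_flow(rib, "5.159.218.5", "85.29.74.98", 0))
```

A "mismatch" result for a flow whose prefix is present in the dump means the route was known to the BGP thread but was not applied to that flow record.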