Re: [pmacct-discussion] Pcap file input & Netflow basic doubts

Fri, 10 Aug 2018 12:07:55 -0700 

Looked at the CONFIG-KEYS doc and there were options for pcap files, So, I
tried with
"
pcap_savefile: temp.pcap
savefile_wait: true
"

But the pmacctd is reading only once, even though the file is updated with
new packets, I'm not able to see new data on pmacct side.




On Sat, Aug 11, 2018 at 12:15 AM, RAJESH KUMAR S.R <[email protected]>
wrote:

> Hi,
>
> I'm new to pmacct.
> I need few clarifications regarding this tool
>
> I have a doubt regarding using a pcap file as input to pmacct
> I'm trying to give a pcap file as input that gets updated continuosly.
>
> "sudo pmacctd -D -P print -r 30 -I temp.pcap  -c etype,src_host,dst_host"
>
>
> The pmacctd tool exits after diplaying a list of flows.
> $   sudo pmacctd -P print -r 30 -I temp.pcap  -c etype,src_host,dst_host
> .......
> 800    172.24.1.186
> 224.0.0.251                                    1                     69
> INFO ( default_print/print ): *** Purging cache - END (PID: 12988, QN:
> 272/272, ET: 0) ***
> INFO ( default/core ): OK, Exiting ...
>
> But, the file is updated continuosly. Is there any configuration to read
> from the file continuosly.
> Also, Is it possible to provide pcap input in .conf file, I used "
> pcap_interface: file_path" , but it is not working.
>
>
> Another doubt is regarding Netflow export,
> I used pmacctd with following configuration
>
> "
>    daemonize:false
>    pcap_interface:eth0
>    aggregate: src_host, dst_host, src_port, dst_port, proto, tos, class
>    plugins: nfprobe, print
>    nfprobe_receiver: 127.0.0.1:2100
>    nfprobe_version: 9
> "
> and nfacctd with this configuration.
> "
>   daemonize: false
>    nfacctd_ip: 127.0.0.1
>    nfacctd_port: 2100
>    plugins: memory[display], print
>    aggregate: src_host, dst_host, src_port, dst_port, proto, tos
> "
>
> nfacctd is displaying the data but most of the time exact match is not
> there between the printed data i'm seeing in pmacctd and nfacctd.
> Also, the nfacctd doesn't start collecting immediately, it takes some time
> for getting printed output in nfacctd side whereas pmacctd continuosly
> prints aggregated data.
>
> I'm not sure where I'm going wrong.
>
>

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to