Working further on this, it seems that for pmacct it is sufficient to filter traffic using only the pre_tag_filter, thus no need for the aggregation filters. The issue with this setup though is that I lose the information of the pre_nat source IP address when monitoring at the WAN interfaces. Due to this I am switching to uacctd as follows:

!
daemonize: true
promisc: false
uacctd_group: 1
!networks_file: networks.lst
!ports_file: ports.lst
!
pre_tag_map: pretag2.map
pre_tag_filter[print_wan0_in]: 1
pre_tag_filter[print_wan0_out]: 2
pre_tag_filter[wan0_in]: 1
pre_tag_filter[wan0_out]: 2
!
plugins: print[print_wan0_in], print[print_wan0_out], mysql[wan0_in], mysql[wan0_out]
plugin_pipe_size[wan0_in]: 1024000
plugin_pipe_size[wan0_out]: 1024000
print_refresh_time: 10
print_history: 15m
print_output_file_append: true
!
print_output[print_wan0_in]: csv
print_output_file[print_wan0_in]: in_traffic.csv
print_output[print_wan0_out]: csv
print_output_file[print_wan0_out]: out_traffic.csv
!
aggregate[print_wan0_in]: dst_host, src_port, dst_port, proto
aggregate[print_wan0_out]: src_host, src_port, dst_port, proto
!
sql_table[wan0_in]: traffic_wan0_in_%Y%m%d_%H%M
sql_table[wan0_out]: traffic_wan0_out_%Y%m%d_%H%M
!
sql_table_schema[wan0_in]: traffic_wan0_in.schema
sql_table_schema[wan0_out]: traffic_wan0_out.schema
!
sql_host: localhost
sql_db : uacct
sql_user : uacct
sql_passwd: uacct
sql_refresh_time: 30
sql_optimize_clauses: true
sql_history : 24h
sql_history_roundoff: mhd
!
aggregate[wan0_in]: dst_host, src_port, dst_port, proto
aggregate[wan0_out]: src_host, src_port, dst_port, proto

Where pretag2.map:

set_tag=1 filter='src net 192.168.28.0/24 or src net 192.168.100.0/24'
set_tag=2 filter='dst net 192.168.28.0/24 or dst net 192.168.100.0/24'

The issue I have with the above config is that no traffic is being collected at all. I confirm that when removing the pre_tag filters, traffic is collected, though it is not sorted per direction as I would like to have.

Can I use pre_tag_map and pre_tag_filter with uacctd? I don't see any examples for uacctd at https://github.com/pmacct/pmacct/blob/master/examples/pretag.map.example.

Thanx,
Alex

On Thu, Feb 20, 2020 at 6:33 PM Alex K <rightkickt...@gmail.com> wrote:

> Hi all,
>
> I have a router with multiple interfaces and will need to account traffic
> at its several WAN interfaces. My purpose is to account the traffic with the
> tuple details and the direction.
>
> As a test I have compiled the following simple configuration for pmacctd:
>
> !
> daemonize: true
> plugins: print[wan0_in], print[wan0_out]
> print_refresh_time: 10
> print_history: 15m
> !
> print_output[wan0_in]: csv
> print_output_file[wan0_in]: in_traffic.csv
> print_output[wan0_out]: csv
> print_output_file[wan0_out]: out_traffic.csv
> !
> aggregate[wan0_in]: src_host, dst_host, src_port, dst_port, tag
> aggregate[wan0_out]: src_host, dst_host, src_port, dst_port, tag
> !
> pre_tag_filter[wan0_in]:1
> pre_tag_filter[wan0_out]:2
> !
> pcap_interface: eth0
> pre_tag_map: pretag.map
> networks_file: networks.lst
> ports_file: ports.lst
> !
>
> where pretag.map is:
> set_tag=1 filter='ether dst 52:54:00:69:a6:0b'
> set_tag=2 filter='ether src 52:54:00:69:a6:0b'
>
> and networks.lst is:
> 10.100.100.0/24
>
> It seems that the details output at the CSV are correctly filtered
> according to the tag, thus recording the direction also, based on the MAC
> address of the WAN0 interface.
>
> Is this the correct approach to achieve this or is there any other
> recommended way? Do I need to use aggregate_filters?
>
> Also, although I have set a network filter to capture only 10.100.100.0/24,
> I observe several networks in/out being collected, indicating that the
> network_file directive is ignored or I have misunderstood its purpose. My
> purpose is to collect traffic only generated from subnets that belong to
> configured interfaces of the router.
>
> Thanx for your feedback!
> Alex

_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists