Hi Paolo,

On Sat, Feb 22, 2020 at 4:18 PM Paolo Lucente <pa...@pmacct.net> wrote:

>
> Hi Alex,
>
> Is it possible with the new setup - the one where pre_tag_map does not
> match anything - the traffic is VLAN-tagged (or MPLS-labelled)? If so,
> you should adjust filters accordingly and add 'vlan and', ie. "vlan and
> src net 192.168.28.0/24 or vlan and src net 192.168.100.0/24".
>
The traffic is not VLAN or MPLS. It is a simple one. I confirm I can collect
traffic when removing the pretag directives. Also, when stopping uacctd, I
can capture traffic at the nflog:1 interface.
I simplified the configuration as below:

!
daemonize: true
promisc:   false
uacctd_group: 1
!
pre_tag_map: pretag2.map
pre_tag_filter[print_wan0_in]: 1
pre_tag_filter[print_wan0_out]: 2
!
!-------------------------------------------------
plugins: print[print_wan0_in], print[print_wan0_out]
print_refresh_time: 10
print_history: 15m
print_output_file_append: true
!
print_output[print_wan0_in]: csv
print_output[print_wan0_out]: csv
print_output_file[print_wan0_in]: traffic-wan0-in.csv
print_output_file[print_wan0_out]: traffic-wan0-out.csv
!
aggregate[print_wan0_in]: tag, src_host, dst_host, src_port, dst_port, proto
aggregate[print_wan0_out]: tag, src_host, dst_host, src_port, dst_port, proto
!

with pretag2.map
set_tag=1 filter='src net 192.168.28.0/24'
set_tag=2 filter='dst net 192.168.28.0/24'

As soon as I enable the pretag directives as below, I do not see any
traffic being collected from uacctd at NFLOG group 1.

pre_tag_map: pretag2.map
pre_tag_filter[print_wan0_in]: 1
pre_tag_filter[print_wan0_out]: 2

I am running pmacct 1.7.4.


> Paolo
>
> On Fri, Feb 21, 2020 at 01:04:25PM +0200, Alex K wrote:
> > Working further on this, it seems that for pmacct is sufficient to filter
> > traffic using only the pre_tag_filter, thus no need for the aggregation
> > filters.
> > The issue with this setup though is that I lose the information of the
> > pre_nat source IP address when monitoring at the WAN interfaces. Due to
> > this I am switching to uacctd as following:
> >
> > !
> > daemonize: true
> > promisc:   false
> > uacctd_group: 1
> > !networks_file: networks.lst
> > !ports_file: ports.lst
> > !
> > pre_tag_map: pretag2.map
> > pre_tag_filter[print_wan0_in]: 1
> > pre_tag_filter[print_wan0_out]: 2
> > pre_tag_filter[wan0_in]: 1
> > pre_tag_filter[wan0_out]: 2
> > !
> > plugins: print[print_wan0_in], print[print_wan0_out], mysql[wan0_in], mysql[wan0_out]
> > plugin_pipe_size[wan0_in]: 1024000
> > plugin_pipe_size[wan0_out]: 1024000
> > print_refresh_time: 10
> > print_history: 15m
> > print_output_file_append: true
> > !
> > print_output[print_wan0_in]: csv
> > print_output_file[print_wan0_in]: in_traffic.csv
> > print_output[print_wan0_out]: csv
> > print_output_file[print_wan0_out]: out_traffic.csv
> > !
> > aggregate[print_wan0_in]: dst_host, src_port, dst_port, proto
> > aggregate[print_wan0_out]: src_host, src_port, dst_port, proto
> > !
> > sql_table[wan0_in]: traffic_wan0_in_%Y%m%d_%H%M
> > sql_table[wan0_out]: traffic_wan0_out_%Y%m%d_%H%M
> > !
> > sql_table_schema[wan0_in]: traffic_wan0_in.schema
> > sql_table_schema[wan0_out]: traffic_wan0_out.schema
> > !
> > sql_host: localhost
> > sql_db : uacct
> > sql_user : uacct
> > sql_passwd: uacct
> > sql_refresh_time: 30
> > sql_optimize_clauses: true
> > sql_history : 24h
> > sql_history_roundoff: mhd
> > !
> > aggregate[wan0_in]: dst_host, src_port, dst_port, proto
> > aggregate[wan0_out]: src_host, src_port, dst_port, proto
> >
> > Where pretag2.map:
> > set_tag=1 filter='src net 192.168.28.0/24 or src net 192.168.100.0/24'
> > set_tag=2 filter='dst net 192.168.28.0/24 or dst net 192.168.100.0/24'
> >
> > The issue I have with the above config is that no traffic is being
> > collected at all. I confirm that when removing the pre_tag filters, traffic
> > is collected, though it is not sorted per direction as I would like to
> > have.
> > Can I use pre_tag_map and pre_tag_filter with uacctd? I don't see any
> > examples for uacctd at
> > https://github.com/pmacct/pmacct/blob/master/examples/pretag.map.example.
> >
> > Thanx,
> > Alex
> >
> > On Thu, Feb 20, 2020 at 6:33 PM Alex K <rightkickt...@gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > I have a router with multiple interfaces and will need to account traffic
> > > at its several WAN interfaces. My purpose is to account the traffic with the
> > > tuple details and the direction.
> > >
> > > As a test I have compiled the following simple configuration for pmacctd:
> > >
> > > !
> > > daemonize: true
> > > plugins: print[wan0_in], print[wan0_out]
> > > print_refresh_time: 10
> > > print_history: 15m
> > > !
> > > print_output[wan0_in]: csv
> > > print_output_file[wan0_in]: in_traffic.csv
> > > print_output[wan0_out]: csv
> > > print_output_file[wan0_out]: out_traffic.csv
> > > !
> > > aggregate[wan0_in]: src_host, dst_host, src_port, dst_port, tag
> > > aggregate[wan0_out]: src_host, dst_host, src_port, dst_port, tag
> > > !
> > > pre_tag_filter[wan0_in]:1
> > > pre_tag_filter[wan0_out]:2
> > > !
> > > pcap_interface: eth0
> > > pre_tag_map: pretag.map
> > > networks_file: networks.lst
> > > ports_file: ports.lst
> > > !
> > >
> > > where pretag.map is:
> > > set_tag=1 filter='ether dst 52:54:00:69:a6:0b'
> > > set_tag=2 filter='ether src 52:54:00:69:a6:0b'
> > >
> > > and networks.lst is:
> > > 10.100.100.0/24
> > >
> > > It seems that the details output at the CSV are correctly filtered
> > > according to the tag, thus recording the direction also, based on the MAC
> > > address of the WAN0 interface.
> > >
> > > Is this the correct approach to achieve this or is there any other
> > > recommended way? Do I need to use aggregate_filters?
> > >
> > > Also, although I have set a network filter to capture only 10.100.100.0/24,
> > > I observe several networks in/out being collected, indicating that the
> > > network_file directive is ignored or I have misunderstood its purpose. My
> > > purpose is to collect traffic only generated from subnets that belong to
> > > configured interfaces of the router.
> > >
> > > Thanx for your feedback!
> > > Alex
> > >
> > >
> > >
>
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists