Hi Paolo, I was curious if you received and have had a chance to look at the pcap you requested. I am still struggling to set up this netflow accounting for my routers. Thanks!
--Sean On Mon, Mar 15, 2021 at 11:51 AM Sean <smalde...@gmail.com> wrote: > > Thanks for taking a look. I have sent the attachments directly to you. > > --Sean > > On Sun, Mar 14, 2021 at 11:16 AM Paolo Lucente <pa...@pmacct.net> wrote: > > > > > > Hi Sean, > > > > It smells like a bug. May i ask you to send me a brief capture of some > > of these ESP packets by unicast email? It would allow me to reproduce > > the issue. You can do that with tcpdump, in case you are not familiar > > with it something a-la "tcpdump -i <interface> -s 0 -n -w <output file> > > esp" should do it; then press CTRL+C to exit and make sure the file has > > a positive size. > > > > Paolo > > > > On 12/03/2021 19:04, Sean wrote: > > > Hi all, > > > > > > I just joined the list, and just started tinkering at pmacct. The gist > > > of what I'm trying to do is generate netflow data on two linux servers > > > acting as routers with Free Range Routing (FRR) software. The routers > > > are mostly passing IPSEC tunnels, I want to use the netflow data to > > > track bandwidth utilization for each tunnel. > > > > > > I notice when I use the print plugin on the router(s) that I can see > > > flows for ESP - > > > SRC_IP DST_IP SRC_PORT DST_PORT > > > PROTOCOL TOS PACKETS BYTES > > > 192.168.192.100 192.168.0.100 0 0 > > > esp 0 44 25696 > > > 192.168.0.100 192.168.192.100 0 0 > > > esp 0 22 12848 > > > > > > For the running pmacct configuration, I use the nfprobe plugin and > > > send to a remote netflow receiver. The trouble is that on the > > > receiver, I am only seeing flows for protoid 17, which is just UDP. > > > Would anyone here have an idea what I need to do to get nfprobe to > > > send the ESP flows to my receiver? > > > > > > My config - > > > daemonize: true > > > debug: true > > > syslog: daemon > > > aggregate: src_host, dst_host, src_port, dst_port, proto, tos > > > plugins: nfprobe > > > nfprobe_receiver: 192.168.192.10:9995 > > > nfprobe_version: 10 > > > nfprobe_source_ip: 192.168.192.2 > > > > > > > > > --Sean > > > > > > _______________________________________________ > > > pmacct-discussion mailing list > > > http://www.pmacct.net/#mailinglists > > > > > _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
