Hi Sean,

I must admit this email thread went 'Read' in my email client and I lost track of it. Please allow me a bit of time this week to get through it. Apologies for the inconvenience.

Paolo

On 13/04/2021 16:41, Sean wrote:
Hi Paolo,

I was curious if you received and have had a chance to look at the
pcap you requested.  I am still struggling to set up this netflow
accounting for my routers.  Thanks!

--Sean

On Mon, Mar 15, 2021 at 11:51 AM Sean <smalde...@gmail.com> wrote:

Thanks for taking a look.  I have sent the attachments directly to you.

--Sean

On Sun, Mar 14, 2021 at 11:16 AM Paolo Lucente <pa...@pmacct.net> wrote:


Hi Sean,

It smells like a bug. May I ask you to send me a brief capture of some
of these ESP packets by unicast email? It would allow me to reproduce
the issue. You can do that with tcpdump; in case you are not familiar
with it, something à la "tcpdump -i <interface> -s 0 -n -w <output file>
esp" should do it; then press CTRL+C to exit and make sure the file has
a positive size.

Paolo

On 12/03/2021 19:04, Sean wrote:
Hi all,

I just joined the list, and just started tinkering with pmacct. The gist
of what I'm trying to do is generate netflow data on two Linux servers
acting as routers with Free Range Routing (FRR) software.  The routers
are mostly passing IPSEC tunnels; I want to use the netflow data to
track bandwidth utilization for each tunnel.

I notice when I use the print plugin on the router(s) that I can see
flows for ESP -
SRC_IP           DST_IP           SRC_PORT  DST_PORT  PROTOCOL  TOS  PACKETS  BYTES
192.168.192.100  192.168.0.100    0         0         esp       0    44       25696
192.168.0.100    192.168.192.100  0         0         esp       0    22       12848

For the running pmacct configuration, I use the nfprobe plugin and
send to a remote netflow receiver.  The trouble is that on the
receiver, I am only seeing flows for protoid 17, which is just UDP.
Would anyone here have an idea what I need to do to get nfprobe to
send the ESP flows to my receiver?

My config -
daemonize: true
debug: true
syslog: daemon
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe
nfprobe_receiver: 192.168.192.10:9995
nfprobe_version: 10
nfprobe_source_ip: 192.168.192.2


--Sean

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists


