Hi Ruben,
Indeed, very strange. And I could easily reproduce the issue on a Linux
VM. To be frank I was not even aware of the existence of such inbound vs
outbound knob, very convenient indeed. I suspect this is something new
that good old bpf_filter() - which accepts filtering instructions,
packet pointer, total length and capture length only - can't help with.
I see, for example, in newer libpcap versions there is a new function
called bpf_filter_with_aux_data(); I may be wrong, I didn't go super
deep in the examination, but I would not be surprised that one would
need to implement that in order to make these inbound / outbound knobs work.

Would you ask me how I would do it on an Ethernet link? Probably I would
resort to the known MAC address of your enp1s0 interface. What is
destined to it is inbound, what is originated by it is outbound. Old
school, probably needing some good thinking in order to deploy it at
scale, but probably working OK in a home environment.
Paolo
On 20/4/22 18:04, Ruben wrote:
Hi,
I'm trying to get pmacctd to perform traffic accounting on my home
router that's based on a Debian machine.
I'm running the following configuration:
debug: false
daemonize: true
pidfile: /var/run/pmacctd.pid
! syslog: daemon
logfile: /var/log/pmacctd.ppp0.log
plugin_pipe_size: 10240000
plugin_buffer_size: 10240
plugins: print[print]
pcap_interface: ppp0
pcap_interface_wait: true
pre_tag_map: /etc/pmacct/pre_tag.ppp0.map
networks_file: /etc/pmacct/networks.map
networks_no_mask_if_zero: false
pmacctd_net: file
! pmacctd_net[print]: file
pmacctd_as: file
! pmacctd_as[print]: file
aggregate[print]: etype, proto, src_as, dst_as, src_host, dst_host, label
print_output_file[print]: /etc/pmacct/print_dump.ppp0.json
print_output[print]: json
print_history[print]: 1m
print_history_roundoff[print]: m
print_refresh_time[print]: 60
print_trigger_exec[print]: /etc/pmacct/postit.ppp0.sh
Within my pre_tag.ppp0.map file I have:
set_label=ppp0_in filter='inbound'
set_label=ppp0_out filter='outbound'
This works correctly and my labels end up with ppp0_in and ppp0_out.
The issue I'm facing is that when I replace every ppp0 occurrence with
enp1s0, the labels do /not/ get set.
The only difference I've seen between these configs seems to be the
'link type' which for ppp0 is 113 and for the enp1s0 is 1.
Is there something I'm missing here?
Is there a better way to correctly identify inbound vs outbound traffic?
tcpdump -i enp1s0 inbound works the same as tcpdump -i enp1s0 -Q in
Kind regards,
Ruben
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
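
Added example, not part of the original thread and not pmacct code: the MAC-based direction test suggested in the reply above, run over constructed Ethernet frames, including the broadcast/multicast case where an inbound frame is not addressed to the interface's own MAC. The MAC addresses and the enp1s0_in / enp1s0_out labels are assumptions made for illustration.

```python
import struct

# Constructed values: placeholder MACs, not taken from the thread.
IFACE_MAC = "52:54:00:aa:bb:01"   # stands in for enp1s0's own address
PEER_MAC = "52:54:00:aa:bb:02"
OTHER_MAC = "52:54:00:aa:bb:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Hypothetical labels, following the ppp0_in / ppp0_out naming in the thread.
LABELS = {"inbound": "enp1s0_in", "outbound": "enp1s0_out"}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test input)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def classify(frame, iface_mac=IFACE_MAC):
    """Return 'outbound', 'inbound', 'other' or 'short' for one frame."""
    if len(frame) < 14:      # shorter than an Ethernet header
        return "short"
    dst, src, me = frame[0:6], frame[6:12], mac_bytes(iface_mac)
    if src == me:            # pcap-filter equivalent: ether src <mac>
        return "outbound"    # checked first so our own broadcasts stay outbound
    if dst == me:            # pcap-filter equivalent: ether dst <mac>
        return "inbound"
    if dst[0] & 0x01:        # group bit set: broadcast/multicast sent by others
        return "inbound"
    return "other"           # third-party unicast seen in promiscuous mode

def label_for(frame, iface_mac=IFACE_MAC):
    """Map a frame to a label, or None when no label applies."""
    return LABELS.get(classify(frame, iface_mac))

SAMPLES = [
    build_frame(IFACE_MAC, PEER_MAC),    # unicast to us
    build_frame(PEER_MAC, IFACE_MAC),    # unicast from us
    build_frame(BROADCAST, PEER_MAC),    # broadcast from a neighbour
    build_frame(BROADCAST, IFACE_MAC),   # our own broadcast
    build_frame(OTHER_MAC, PEER_MAC),    # traffic between two other hosts
    b"\x00" * 10,                        # truncated capture
]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(classify(frame), label_for(frame))
```

A filter that matches only on the destination MAC leaves the neighbour's broadcast frame unlabelled, which is the gap the group-bit check covers.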