Hi Paolo, thank you so much for your offer!
Following up to this via private email.

Thanks
Klaus

On 15.01.24 15:15, Paolo Lucente wrote:
>
> Hi Klaus,
>
> Having a description of your environment, I take back the suggestion to
> look for uacctd. Since traffic is mirrored to an interface, all you will
> probably get from uacctd is the input interface populated with such
> interface -- not what you want, I guess. The collector box is not
> routing / switching packets around so pmacctd is still the prime choice.
>
> This said: 1.7.6 is a pretty old release, if you could upgrade to 1.7.8
> or give a try to master code on GitHub, we can see whether the first
> issue (all is mapped to VLAN 10) goes away; alternatively you could send
> me a brief pcap with a mix of the traffic and I can try to run pmacctd
> against it with the excerpt of the pre_tag_map that you originally
> posted. As a further alternative you could also experiment at your end,
> if you wish, you could expose "tag, tag2" on the "aggregate", ie.
> "tag,tag2,src_host,dst_host,src_port,dst_port,proto,sampling_rate,vlan"
> so to visualize what is going on with the map.
>
> Finally, let me say again that the case of populating both input and
> output interfaces given a VLAN is not supported; given the direction
> that you express, ie. ingress or egress, you will be currently able to
> populate only input or output interface.
>
> Paolo
>
>
> On 15/1/24 11:33, Klaus Conrad wrote:
>> Hello again,
>>
>> I think I managed to get the iptables part working by using nftables:
>>
>> $ cat /etc/nftables.conf
>> ------------
>> #!/usr/sbin/nft -f
>>
>> flush ruleset
>>
>> table netdev test {
>>     chain testchain {
>>         type filter hook ingress device ens224 priority 0;
>>         log group 5
>>     }
>> }
>> ....
>> ------------
>>
>> At least I see traffic using:
>>
>> $ sudo tcpdump -i nflog:5
>>
>>
>> However, when I start uacctd as follows:
>>
>> $ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500
>>
>> It does not write a log file.
>>
>> Also, it sometimes fails to start up with one of the following error
>> messages:
>>
>> - ERROR ( default/core ): Failed to set threshold to 1
>> - ERROR ( default/core ): Failed to set receive buffer size to 131072
>>
>> When it manages to start up, it produces output like the following:
>>
>>> $ sudo uacctd -P print -o /tmp/test.log -M -O json -g 5 -d -L 1500
>>> DEBUG: [cmdline] plugin name/type: 'default'/'core'.
>>> DEBUG: [cmdline] plugin name/type: 'default_print'/'print'.
>>> DEBUG: [cmdline] print_output_file:/tmp/test.log
>>> DEBUG: [cmdline] print_markers:true
>>> DEBUG: [cmdline] print_output:json
>>> DEBUG: [cmdline] uacctd_group:5
>>> DEBUG: [cmdline] debug:true
>>> DEBUG: [cmdline] snaplen:1500
>>> INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd
>>> (RELEASE)
>>> INFO ( default/core ): '--build=x86_64-linux-gnu' '--prefix=/usr'
>>> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
>>> '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
>>> '--disable-option-checking' '--disable-silent-rules'
>>> '--libdir=${prefix}/lib/x86_64-linux-gnu'
>>> '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
>>> '--disable-dependency-tracking'
>>> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2'
>>> '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql'
>>> '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka'
>>> '--enable-geoipv2' '--enable-jansson' '--enable-64bit' '--enable-threads'
>>> '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
>>> '--enable-st-bins' '--enable-nflog' 'build_alias=x86_64-linux-gnu'
>>> 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-Wdate-time
>>> -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
>>> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=.
>>> -fstack-protector-strong -Wformat -Werror=format-security'
>>> INFO ( default/core ): Reading configuration from cmdline.
>>> WARN ( default_print/print ): defaulting to SRC HOST aggregation.
>>> INFO ( default_print/print ): plugin_pipe_size=4096000 bytes
>>> plugin_buffer_size=344 bytes
>>> INFO ( default_print/print ): ctrl channel: obtained=212992 bytes
>>> target=95248 bytes
>>> INFO ( default_print/print ): cache entries=16411 base cache
>>> memory=66431728 bytes
>>> INFO ( default/core ): Successfully connected Netlink NFLOG socket
>>> INFO ( default_print/print ): JSON: setting object handlers.
>>> ^CINFO ( default_print/print ): *** Purging cache - START (PID: 2811834) ***
>>> INFO ( default_print/print ): *** Purging cache - END (PID: 2811834, QN:
>>> 0/0, ET: X) ***
>>> WARN ( default_print/print ): Failed during write: Connection refused
>>> INFO ( default/core ): OK, Exiting ...
>>
>>
>> In strace, I can see that uacctd receives data. Using nfprobe plugin
>> also does not result in uacct sending Netflow data.
>>
>>
>> Thanks again.
>>
>> Klaus
>>
>> On 15.01.24 09:49, Klaus Conrad wrote:
>>> Hi Paolo,
>>>
>>> thanks a lot for taking the time to respond!
>>>
>>> I'm using pmacctd 1.7.6:
>>>
>>> ---------------------
>>> $ pmacctd -V
>>> Promiscuous Mode Accounting Daemon, pmacctd 1.7.6-git [RELEASE]
>>>
>>> Arguments:
>>> '--build=x86_64-linux-gnu' '--prefix=/usr'
>>> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
>>> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
>>> '--localstatedir=/var' '--disable-option-checking'
>>> '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu'
>>> '--libexecdir=${prefix}/lib/x86_64-linux-gnu'
>>> '--disable-maintainer-mode' '--disable-dependency-tracking'
>>> '--with-pgsql-includes=/usr/include/postgresql' '--enable-l2'
>>> '--enable-ipv6' '--enable-plabel' '--enable-mysql' '--enable-pgsql'
>>> '--enable-sqlite3' '--enable-rabbitmq' '--enable-zmq' '--enable-kafka'
>>> '--enable-geoipv2' '--enable-jansson' '--enable-64bit'
>>> '--enable-threads' '--enable-traffic-bins' '--enable-bgp-bins'
>>> '--enable-bmp-bins' '--enable-st-bins' '--enable-nflog'
>>> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-fcommon' 'LDFLAGS=-Wl,-z,relro'
>>> 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
>>> -ffile-prefix-map=/build/pmacct-UhNuxu/pmacct-1.7.6=.
>>> -fstack-protector-strong -Wformat -Werror=format-security'
>>>
>>> Libs:
>>> cdada 0.3.2
>>> libpcap version 1.10.0 (with TPACKET_V3)
>>> MariaDB 10.5.8
>>> PostgreSQL 130013
>>> sqlite3 3.34.1
>>> rabbimq-c 0.10.0
>>> rdkafka 1.6.0
>>> jansson 2.13.1
>>> MaxmindDB 1.5.2
>>> ZeroMQ 4.3.4
>>> netfilter_log
>>>
>>> System:
>>> Linux 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
>>>
>>> Compiler:
>>> gcc 10.2.1
>>>
>>> For suggestions, critics, bugs, contact me: Paolo Lucente
>>> <pa...@pmacct.net>.
>>> ---------------------
>>>
>>> It's a Debian 11 system, and I'm using the pmacct version that comes
>>> with Debian 11.
>>>
>>>
>>> To further describe our setup: we're mirroring all traffic from our
>>> routers to a Linux VM (the pmacctd system) and I'd like to capture it
>>> there and transform it into Netflow v9.
>>>
>>> Unfortunately I do not quite understand the basics behind how InputInt
>>> and OutputInt are supposed to be populated; basically we have the
>>> following requirement:
>>>
>>> InputInt and OutputInt should be populated as if the Netflow was
>>> being created directly on our routers, so basically it should
>>> be based on the VLAN tag or populated automatically (if that is possible).
>>>
>>>
>>> I tried setting up uacctd but I'm currently struggling with capturing
>>> the traffic with iptables; I did the following:
>>>
>>> - sudo apt install iptables
>>> - sudo iptables -i ens224 -t raw -I PREROUTING -j NFLOG --nflog-group 5
>>>
>>> However, this does not seem to match any packets:
>>>
>>> - sudo iptables -L -v -n -t raw
>>>> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>>>>  pkts bytes target  prot opt in      out  source      destination
>>>>     0     0 NFLOG   all  --  ens224  *    0.0.0.0/0   0.0.0.0/0    nflog-group 5
>>>>
>>>> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>>>>  pkts bytes target  prot opt in      out  source      destination
>>>
>>>
>>> I'm sorry, I realize that this is probably outside the scope of the
>>> uacctd / pmacctd discussion but maybe someone can point me in the
>>> right direction?
>>>
>>> Thanks again
>>>
>>> Klaus
>>>
>>> On 14.01.24 16:47, Paolo Lucente wrote:
>>>>
>>>> Hi Klaus,
>>>>
>>>> Can you confirm what version of pmacct you are using? A 'pmacctd -V'
>>>> would do.
>>>>
>>>> I would like essentially to confirm that, for the first issue you are
>>>> hitting, you are running either 1.7.8 or a recent code that includes
>>>> this patch from Dec 15th:
>>>> https://github.com/pmacct/pmacct/commit/547e24171b0da2775ad35aeb2997d586003cb674
>>>>
>>>> For the second issue you mention, ie. setting both input and output
>>>> interface given a direction, let me confirm that the current mechanism
>>>> does not support that -- the use case has been so far using src/dst IP
>>>> address/prefix or src/dst MAC address to determine direction, and given
>>>> that, set input OR output interface but not both.
>>>>
>>>> You could use ULOG / uacctd, which should already return you both
>>>> interfaces; just an idea if you are running Linux, it seems the system
>>>> you are monitoring is passing traffic through. Otherwise to use the
>>>> tagging mechanism, some dev would be required.
>>>>
>>>> Paolo
>>>>
>>>>
>>>> On 11/1/24 11:11, Klaus Conrad wrote:
>>>>> Hello everybody,
>>>>>
>>>>> I'm currently struggling with properly setting up pmacct for the following
>>>>> scenario:
>>>>>
>>>>> I need InputInt and OutputInt as well as Direction to be set in the
>>>>> generated Netflow.
>>>>>
>>>>> By default, InputInt/OutputInt are set to 0.
>>>>>
>>>>> The traffic I'm capturing is VLAN tagged.
>>>>>
>>>>> Now I want to set InputInt and OutputInt and Direction depending on the
>>>>> VLAN tag of the captured traffic.
>>>>>
>>>>> My pretag.map looks like this:
>>>>>
>>>>> set_tag=2 vlan=10 jeq=eval_ifindexes
>>>>> set_tag=1 vlan=11 jeq=eval_ifindexes
>>>>> set_tag=2 vlan=20 jeq=eval_ifindexes
>>>>> set_tag=1 vlan=21 jeq=eval_ifindexes
>>>>> ...
>>>>> set_tag=999 filter='net 0.0.0.0/0'
>>>>>
>>>>>
>>>>> set_tag2=62 vlan=10 label=eval_ifindexes
>>>>> set_tag2=62 vlan=11
>>>>> set_tag2=60 vlan=20
>>>>> set_tag2=60 vlan=21
>>>>> ...
>>>>> set_tag2=52 filter='net 0.0.0.0/0'
>>>>>
>>>>>
>>>>>
>>>>> My pmacct.conf looks like this:
>>>>>
>>>>> ...
>>>>> aggregate: src_host,dst_host,src_port,dst_port,proto,sampling_rate,vlan
>>>>> nfprobe_ifindex_override[prod]: true
>>>>> nfprobe_direction[prod]: tag
>>>>> nfprobe_ifindex[prod]: tag2
>>>>> pre_tag_map: /etc/pmacct/pretag.map
>>>>>
>>>>>
>>>>> The problem I'm facing is as follows:
>>>>>
>>>>> It appears that the first set_tag and set_tag2 rules always apply. So
>>>>> all flows are tagged as "egress" and OutputInt is always set to 62,
>>>>> regardless of the vlan tag of the captured traffic.
>>>>>
>>>>>
>>>>> Also I do not understand how I could set both InputInt and OutputInt to
>>>>> a non-zero value.
>>>>>
>>>>> Thanks a lot in advance for any insight you can provide!
>>>>>
>>>>> Klaus
>>>>>
>>>
>>

--
Klaus Conrad
mailto:k...@ilk.net

ILK Internet GmbH
Am Sandfeld 15
76149 Karlsruhe
Germany

Tel. +49 (0) 721 9100 0
Fax +49 (0) 721 9100 191
http://www.ilk.net/

Managing Director: Matthias Felger
AG Mannheim, HRB 107037

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
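Paolo's suggestion in the thread is to expose "tag,tag2" on the aggregate so the effect of the pre_tag_map becomes visible in the print plugin's output. The script below is an added example (not part of the thread and not pmacct's own code) that automates that comparison: it derives the intended vlan -> (tag, tag2) pairs from the map excerpt Klaus posted and flags JSON records whose tags do not match, which is exactly the "everything looks like VLAN 10" symptom. It assumes the print plugin's json output uses the keys "vlan", "tag" and "tag2" and that lines beginning with "--" are print_markers lines; the JSON records are constructed, not real captures.

```python
import json
import shlex

# Excerpt of the map from the thread; "!" starts a comment in pmacct maps.
PRETAG_MAP = """\
set_tag=2 vlan=10 jeq=eval_ifindexes
set_tag=1 vlan=11 jeq=eval_ifindexes
set_tag=2 vlan=20 jeq=eval_ifindexes
set_tag=1 vlan=21 jeq=eval_ifindexes
set_tag=999 filter='net 0.0.0.0/0'
set_tag2=62 vlan=10 label=eval_ifindexes
set_tag2=62 vlan=11
set_tag2=60 vlan=20
set_tag2=60 vlan=21
set_tag2=52 filter='net 0.0.0.0/0'
"""

# Constructed records in the shape of print_output: json with tag,tag2,vlan
# on the aggregate; the vlan 20 record reproduces the symptom from the thread.
SAMPLE_OUTPUT = [
    '--START (1705329600+60)--',
    '{"tag": 2, "tag2": 62, "vlan": 10, "ip_src": "192.0.2.10", "packets": 4}',
    '{"tag": 1, "tag2": 62, "vlan": 11, "ip_src": "192.0.2.11", "packets": 9}',
    '{"tag": 2, "tag2": 62, "vlan": 20, "ip_src": "192.0.2.20", "packets": 3}',
    '{"tag": 999, "tag2": 52, "vlan": 30, "ip_src": "192.0.2.30", "packets": 1}',
    '--END--',
]

def parse_pretag_map(text):
    """Return ({vlan: tag}, {vlan: tag2}, default_tag, default_tag2).

    Models only the per-VLAN intent of the map: one tag and one tag2 per
    vlan=N rule, with the filter='net 0.0.0.0/0' rules as catch-all defaults."""
    tags, tag2s, defaults = {}, {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(line))
        for key, table in (("set_tag", tags), ("set_tag2", tag2s)):
            if key in kv and "vlan" in kv:
                table[int(kv["vlan"])] = int(kv[key])
            elif key in kv and kv.get("filter") == "net 0.0.0.0/0":
                defaults[key] = int(kv[key])
    return tags, tag2s, defaults.get("set_tag"), defaults.get("set_tag2")

def expected_for(vlan, parsed):
    """Intended (tag, tag2) for a VLAN, falling back to the catch-all rules."""
    tags, tag2s, dtag, dtag2 = parsed
    return tags.get(vlan, dtag), tag2s.get(vlan, dtag2)

def check_records(json_lines, pretag_text):
    """Return [(vlan, observed (tag, tag2), expected (tag, tag2))] mismatches."""
    parsed, bad = parse_pretag_map(pretag_text), []
    for line in json_lines:
        if not line.strip() or line.startswith("--"):  # skip print_markers lines
            continue
        rec = json.loads(line)
        observed, expected = (rec["tag"], rec["tag2"]), expected_for(rec["vlan"], parsed)
        if observed != expected:
            bad.append((rec["vlan"], observed, expected))
    return bad

if __name__ == "__main__":
    for vlan, got, want in check_records(SAMPLE_OUTPUT, PRETAG_MAP):
        print(f"vlan {vlan}: got tag/tag2 {got}, map intends {want}")
```

Run against a real /tmp/test.log produced with "tag,tag2" on the aggregate, an empty result means the map is doing what the rules intend; a flood of mismatches all pointing at the first rule's values is the misbehaviour discussed above.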