Hi Robert,
Apologies for the late reply: indeed from the log it appears only
templates are received; if flows were malformed, they would show up
in the log. Are you sure flow data is making it to the collector? Could
you verify with - say - tcpdump?
If all looks good on the wire, and should you still need help with this,
I'd ask you to send me a brief capture in pcap format to look into to
see what may be going wrong.
Paolo
On 26/10/24 05:35, Robert Blayzor wrote:
I am attempting to collect NAT logging from a CGN router using BPA.
For whatever reason, nfacctd never seems to see the incoming packets as
flows. (flows always 0)
All I really want to do at this point is collect the Netflow records
coming in and just drop them in a log (for now). Once I can manage to
get that working I may work on a pgsql DB.
The data is getting to nfacctd but I'm unsure what the problem is. I
have tried the memory plugin as set, attempting to view collected data
there, and the list is also always empty...
More info:
nfacctd -V
NetFlow Accounting Daemon, nfacctd 1.7.8-git [RELEASE]
Arguments:
'--disable-avro' '--disable-debug' '--disable-geoipv2'
'--disable-kafka' '--enable-l2' '--disable-mysql' '--enable-pgsql'
'--disable-rabbitmq' '--disable-redis' '--disable-sqlite3'
'--prefix=/usr/local' '--localstatedir=/var'
'--mandir=/usr/local/share/man' '--disable-silent-rules'
'--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd14.1'
'build_alias=amd64-portbld-freebsd14.1' 'CC=cc' 'CFLAGS=-O2 -pipe
-fstack-protector-strong -isystem /usr/local/include
-fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib
-fstack-protector-strong ' 'LIBS=-L/usr/local/lib'
'CPPFLAGS=-I/usr/local/include -isystem /usr/local/include'
'PKG_CONFIG=pkgconf'
'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/net-mgmt/pmacct/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing -isystem /usr/local/include ' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
Libs:
cdada 0.4.0
libpcap version 1.10.4
PostgreSQL 160004
Plugins:
memory
print
nfprobe
sfprobe
tee
postgresql
System:
FreeBSD 14.1-RELEASE-p4 FreeBSD 14.1-RELEASE-p4 GENERIC amd64
Compiler:
clang 18.1.5
cat nfacctd.conf
#pre_tag_map: map_id=1 netflow_template=267 tag=template_267
#
plugins: print
#
aggregate_primitives: primitives.lst
#
aggregate: timestamp_arrival,src_host, post_nat_src_host, src_port,nat_event, portRangeStart, portRangeStepSize, portRangeNumPorts
#
print_output: csv
print_output_file: /var/tmp/flows-%Y%m%d-%H%M.txt
print_output_file_append: true
print_history_roundoff: m
cat primitives.lst
name=portRangeStart field_type=361 len=2 semantics=u_int
name=portRangeStepSize field_type=363 len=2 semantics=u_int
name=portRangeNumPorts field_type=364 len=2 semantics=u_int
[~]$ nfacctd -l 9991 -f nfacctd.conf -d
DEBUG: [nfacctd.conf] plugin name/type: 'default'/'core'.
DEBUG: [nfacctd.conf] plugin name/type: 'default_print'/'print'.
DEBUG: [nfacctd.conf] aggregate_primitives:./primitives.lst
DEBUG: [nfacctd.conf] aggregate:timestamp_arrival,src_host, post_nat_src_host, src_port,nat_event, portRangeStart, portRangeStepSize, portRangeNumPorts
DEBUG: [nfacctd.conf] print_output:csv
DEBUG: [nfacctd.conf] print_output_file:/var/tmp/flows-%Y%m%d-%H%M.txt
DEBUG: [nfacctd.conf] print_output_file_append:true
DEBUG: [nfacctd.conf] print_history_roundoff:m
DEBUG: [nfacctd.conf] nfacctd_port:9991
DEBUG: [nfacctd.conf] debug:true
INFO ( default/core ): NetFlow Accounting Daemon, nfacctd 1.7.8-git (RELEASE)
INFO ( default/core ): '--disable-avro' '--disable-debug'
'--disable-geoipv2' '--disable-kafka' '--enable-l2' '--disable-mysql'
'--enable-pgsql' '--disable-rabbitmq' '--disable-redis'
'--disable-sqlite3' '--prefix=/usr/local' '--localstatedir=/var'
'--mandir=/usr/local/share/man' '--disable-silent-rules'
'--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd14.1'
'build_alias=amd64-portbld-freebsd14.1' 'CC=cc' 'CFLAGS=-O2 -pipe
-fstack-protector-strong -isystem /usr/local/include
-fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib
-fstack-protector-strong ' 'LIBS=-L/usr/local/lib'
'CPPFLAGS=-I/usr/local/include -isystem /usr/local/include'
'PKG_CONFIG=pkgconf'
'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/net-mgmt/pmacct/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing -isystem /usr/local/include ' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
INFO ( default/core ): Reading configuration file '/opt/inoc/nfacctd.conf'.
INFO ( default/core ): [./primitives.lst] (re)loading map.
INFO ( default/core ): [./primitives.lst] map successfully (re)loaded.
DEBUG ( default/core ): Custom primitive 'portrangestart': type=ffff000000000001 off=0 len=2
DEBUG ( default/core ): Custom primitive 'portrangestepsize': type=ffff000000000002 off=2 len=2
DEBUG ( default/core ): Custom primitive 'portrangenumports': type=ffff000000000004 off=4 len=2
DEBUG ( default/core ): Custom primitive 'portrangestart': type=ffff000000000001 off=0 len=2
DEBUG ( default/core ): Custom primitive 'portrangestepsize': type=ffff000000000002 off=2 len=2
DEBUG ( default/core ): Custom primitive 'portrangenumports': type=ffff000000000004 off=4 len=2
INFO ( default_print/print ): plugin_pipe_size=4096000 bytes plugin_buffer_size=368 bytes
INFO ( default_print/print ): ctrl channel: obtained=89040 bytes target=89040 bytes
INFO ( default/core ): waiting for NetFlow/IPFIX data on 64.246.132.194:9991
INFO ( default_print/print ): cache entries=16411 base cache memory=54878384 bytes
DEBUG ( default/core ): Received NetFlow/IPFIX packet from [x.x.x.x:53463] version [9] seqno [268]
DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [0] from [x.x.x.x:53463] seqno [268]
DEBUG ( default/core ): NfV9 agent : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 267
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): | pen | field type | offset | size |
DEBUG ( default/core ): | 0 | IPv4 src addr [8 ] | 0 | 4 |
DEBUG ( default/core ): | 0 | 225 [225 ] | 4 | 4 |
DEBUG ( default/core ): | 0 | 234 [234 ] | 8 | 4 |
DEBUG ( default/core ): | 0 | L4 protocol [4 ] | 12 | 1 |
DEBUG ( default/core ): | 0 | 230 [230 ] | 13 | 1 |
DEBUG ( default/core ): | 0 | 323 [323 ] | 14 | 8 |
DEBUG ( default/core ): | 0 | 361 [361 ] | 22 | 2 |
DEBUG ( default/core ): | 0 | 363 [363 ] | 24 | 2 |
DEBUG ( default/core ): | 0 | 364 [364 ] | 26 | 2 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 28
DEBUG ( default/core ):
DEBUG ( default/core ): NfV9 agent : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 266
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): | pen | field type | offset | size |
DEBUG ( default/core ): | 0 | 283 [283 ] | 0 | 4 |
DEBUG ( default/core ): | 0 | 230 [230 ] | 4 | 1 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 5
DEBUG ( default/core ):
DEBUG ( default/core ): NfV9 agent : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 265
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): | pen | field type | offset | size |
DEBUG ( default/core ): | 0 | IPv4 src addr [8 ] | 0 | 4 |
DEBUG ( default/core ): | 0 | 225 [225 ] | 4 | 4 |
DEBUG ( default/core ): | 0 | L4 src port [7 ] | 8 | 2 |
DEBUG ( default/core ): | 0 | 227 [227 ] | 10 | 2 |
DEBUG ( default/core ): | 0 | 234 [234 ] | 12 | 4 |
DEBUG ( default/core ): | 0 | L4 protocol [4 ] | 16 | 1 |
DEBUG ( default/core ): | 0 | 230 [230 ] | 17 | 1 |
DEBUG ( default/core ): | 0 | 323 [323 ] | 18 | 8 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 26
DEBUG ( default/core ):
DEBUG ( default/core ): NfV9 agent : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 264
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): | pen | field type | offset | size |
DEBUG ( default/core ): | 0 | IPv4 src addr [8 ] | 0 | 4 |
DEBUG ( default/core ): | 0 | 225 [225 ] | 4 | 4 |
DEBUG ( default/core ): | 0 | IPv4 dst addr [12 ] | 8 | 4 |
DEBUG ( default/core ): | 0 | 226 [226 ] | 12 | 4 |
DEBUG ( default/core ): | 0 | L4 src port [7 ] | 16 | 2 |
DEBUG ( default/core ): | 0 | 227 [227 ] | 18 | 2 |
DEBUG ( default/core ): | 0 | L4 dst port [11 ] | 20 | 2 |
DEBUG ( default/core ): | 0 | 228 [228 ] | 22 | 2 |
DEBUG ( default/core ): | 0 | 234 [234 ] | 24 | 4 |
DEBUG ( default/core ): | 0 | L4 protocol [4 ] | 28 | 1 |
DEBUG ( default/core ): | 0 | 230 [230 ] | 29 | 1 |
DEBUG ( default/core ): | 0 | 323 [323 ] | 30 | 8 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 38
DEBUG ( default/core ):
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
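
The check suggested in the reply, whether the exporter sends anything besides templates, comes down to classifying each NetFlow v9 flowset on the wire as template or data. The following is an added example, not part of the original thread and not pmacct code: the function names and both packets are constructed here, with template 267 and source ID 200 taken from the debug log above.

```python
import struct

# Template 267 as printed in the debug log above: (field type, length) pairs.
TEMPLATE_267 = [(8, 4), (225, 4), (234, 4), (4, 1), (230, 1),
                (323, 8), (361, 2), (363, 2), (364, 2)]

def summarize_nfv9(payload, templates):
    """Classify the flowsets in one NetFlow v9 UDP payload; `templates` (template ID ->
    record size) is updated in place, as a collector caches templates between packets."""
    version, _count, _uptime, _secs, seqno, _src = struct.unpack_from("!HHIIII", payload, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    summary = {"seqno": seqno, "templates": [], "data": {}, "no_template": []}
    off = 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("flowset length runs past the packet")
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: one or more template records
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * nfields
                if tid < 256 or end > len(body):
                    break  # trailing padding or truncated template
                lengths = struct.unpack_from("!" + "HH" * nfields, body, pos + 4)[1::2]
                templates[tid] = sum(lengths)
                summary["templates"].append(tid)
                pos = end
        elif fs_id >= 256:  # data flowset; its ID is the template ID
            size = templates.get(fs_id)
            if size:
                summary["data"][fs_id] = summary["data"].get(fs_id, 0) + len(body) // size
            else:
                summary["no_template"].append(fs_id)
        off += fs_len  # flowset IDs 1-255 (options templates, reserved) are skipped
    return summary

def build_packet(seqno, count, flowsets):
    """Build a constructed v9 packet (source ID 200) from (flowset ID, body) pairs."""
    sets = b"".join(struct.pack("!HH", fid, len(b) + 4) + b for fid, b in flowsets)
    return struct.pack("!HHIIII", 9, count, 0, 0, seqno, 200) + sets

# Constructed sample input: a template-only packet, then two all-zero data records.
fields = b"".join(struct.pack("!HH", t, n) for t, n in TEMPLATE_267)
TEMPLATE_PKT = build_packet(268, 1, [(0, struct.pack("!HH", 267, len(TEMPLATE_267)) + fields)])
DATA_PKT = build_packet(269, 2, [(267, bytes(28) * 2)])
```

Run over the UDP payloads of a capture taken on port 9991, a result where every packet fills only `templates` and never `data` matches the symptom in this thread; entries in `no_template` mean data arrived before its template.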