Hi Robert,

Apologies for the late reply: indeed from the log it appears only templates are received; if flows were malformed, they would show up in the log. Are you sure flow data is making it to the collector? Could you verify with, say, tcpdump?

If all looks good on the wire, and should you still need help with this, I'd ask you to send me a brief capture in pcap format to look into to see what may be going wrong.

Paolo


On 26/10/24 05:35, Robert Blayzor wrote:
I am attempting to collect NAT logging from a CGN router using BPA.

For whatever reason, nfacctd never seems to see the incoming packets as flows. (flows always 0)

All I really want to do at this point is collect the Netflow records coming in and just drop them in a log (for now). Once I can manage to get that working I may work on a pgsql DB.

The data is getting to nfacctd but I'm unsure what the problem is. I have tried the memory plugin as set, attempting to view collected data there, and the list is also always empty...


More info:

nfacctd -V
NetFlow Accounting Daemon, nfacctd 1.7.8-git [RELEASE]

Arguments:
 '--disable-avro' '--disable-debug' '--disable-geoipv2' '--disable-kafka' '--enable-l2' '--disable-mysql' '--enable-pgsql' '--disable-rabbitmq' '--disable-redis' '--disable-sqlite3' '--prefix=/usr/local' '--localstatedir=/var' '--mandir=/usr/local/share/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd14.1' 'build_alias=amd64-portbld-freebsd14.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include -isystem /usr/local/include' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/net-mgmt/pmacct/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -isystem /usr/local/include ' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'

Libs:
cdada 0.4.0
libpcap version 1.10.4
PostgreSQL 160004

Plugins:
memory
print
nfprobe
sfprobe
tee
postgresql

System:
FreeBSD 14.1-RELEASE-p4 FreeBSD 14.1-RELEASE-p4 GENERIC amd64

Compiler:
clang 18.1.5




cat nfacctd.conf
#pre_tag_map: map_id=1 netflow_template=267 tag=template_267
#
plugins: print
#
aggregate_primitives: primitives.lst
#
aggregate: timestamp_arrival,src_host, post_nat_src_host, src_port,nat_event, portRangeStart, portRangeStepSize, portRangeNumPorts
#
print_output: csv
print_output_file: /var/tmp/flows-%Y%m%d-%H%M.txt
print_output_file_append: true
print_history_roundoff: m




cat primitives.lst
name=portRangeStart field_type=361  len=2  semantics=u_int
name=portRangeStepSize field_type=363   len=2    semantics=u_int
name=portRangeNumPorts field_type=364   len=2    semantics=u_int


[~]$ nfacctd -l 9991 -f nfacctd.conf -d
DEBUG: [nfacctd.conf] plugin name/type: 'default'/'core'.
DEBUG: [nfacctd.conf] plugin name/type: 'default_print'/'print'.
DEBUG: [nfacctd.conf] aggregate_primitives:./primitives.lst
DEBUG: [nfacctd.conf] aggregate:timestamp_arrival,src_host, post_nat_src_host, src_port,nat_event, portRangeStart, portRangeStepSize, portRangeNumPorts
DEBUG: [nfacctd.conf] print_output:csv
DEBUG: [nfacctd.conf] print_output_file:/var/tmp/flows-%Y%m%d-%H%M.txt
DEBUG: [nfacctd.conf] print_output_file_append:true
DEBUG: [nfacctd.conf] print_history_roundoff:m
DEBUG: [nfacctd.conf] nfacctd_port:9991
DEBUG: [nfacctd.conf] debug:true
INFO ( default/core ): NetFlow Accounting Daemon, nfacctd 1.7.8-git (RELEASE)
INFO ( default/core ):  '--disable-avro' '--disable-debug' '--disable-geoipv2' '--disable-kafka' '--enable-l2' '--disable-mysql' '--enable-pgsql' '--disable-rabbitmq' '--disable-redis' '--disable-sqlite3' '--prefix=/usr/local' '--localstatedir=/var' '--mandir=/usr/local/share/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd14.1' 'build_alias=amd64-portbld-freebsd14.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include -isystem /usr/local/include' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/net-mgmt/pmacct/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/local/share/pkgconfig:/usr/libdata/pkgconfig' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing  -isystem /usr/local/include ' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
INFO ( default/core ): Reading configuration file '/opt/inoc/nfacctd.conf'.
INFO ( default/core ): [./primitives.lst] (re)loading map.
INFO ( default/core ): [./primitives.lst] map successfully (re)loaded.
DEBUG ( default/core ): Custom primitive 'portrangestart': type=ffff000000000001 off=0 len=2
DEBUG ( default/core ): Custom primitive 'portrangestepsize': type=ffff000000000002 off=2 len=2
DEBUG ( default/core ): Custom primitive 'portrangenumports': type=ffff000000000004 off=4 len=2
DEBUG ( default/core ): Custom primitive 'portrangestart': type=ffff000000000001 off=0 len=2
DEBUG ( default/core ): Custom primitive 'portrangestepsize': type=ffff000000000002 off=2 len=2
DEBUG ( default/core ): Custom primitive 'portrangenumports': type=ffff000000000004 off=4 len=2
INFO ( default_print/print ): plugin_pipe_size=4096000 bytes plugin_buffer_size=368 bytes
INFO ( default_print/print ): ctrl channel: obtained=89040 bytes target=89040 bytes
INFO ( default/core ): waiting for NetFlow/IPFIX data on 64.246.132.194:9991
INFO ( default_print/print ): cache entries=16411 base cache memory=54878384 bytes

DEBUG ( default/core ): Received NetFlow/IPFIX packet from [x.x.x.x:53463] version [9] seqno [268]
DEBUG ( default/core ): Processing NetFlow/IPFIX flowset [0] from [x.x.x.x:53463] seqno [268]
DEBUG ( default/core ): NfV9 agent         : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID   : 267
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
DEBUG ( default/core ): | 0          | IPv4 src addr      [8    ] | 0 |      4 |
DEBUG ( default/core ): | 0          | 225                [225  ] | 4 |      4 |
DEBUG ( default/core ): | 0          | 234                [234  ] | 8 |      4 |
DEBUG ( default/core ): | 0          | L4 protocol        [4    ] | 12 |      1 |
DEBUG ( default/core ): | 0          | 230                [230  ] | 13 |      1 |
DEBUG ( default/core ): | 0          | 323                [323  ] | 14 |      8 |
DEBUG ( default/core ): | 0          | 361                [361  ] | 22 |      2 |
DEBUG ( default/core ): | 0          | 363                [363  ] | 24 |      2 |
DEBUG ( default/core ): | 0          | 364                [364  ] | 26 |      2 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 28
DEBUG ( default/core ):
DEBUG ( default/core ): NfV9 agent         : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID   : 266
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
DEBUG ( default/core ): | 0          | 283                [283  ] | 0 |      4 |
DEBUG ( default/core ): | 0          | 230                [230  ] | 4 |      1 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 5
DEBUG ( default/core ):
DEBUG ( default/core ): NfV9 agent         : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID   : 265
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
DEBUG ( default/core ): | 0          | IPv4 src addr      [8    ] | 0 |      4 |
DEBUG ( default/core ): | 0          | 225                [225  ] | 4 |      4 |
DEBUG ( default/core ): | 0          | L4 src port        [7    ] | 8 |      2 |
DEBUG ( default/core ): | 0          | 227                [227  ] | 10 |      2 |
DEBUG ( default/core ): | 0          | 234                [234  ] | 12 |      4 |
DEBUG ( default/core ): | 0          | L4 protocol        [4    ] | 16 |      1 |
DEBUG ( default/core ): | 0          | 230                [230  ] | 17 |      1 |
DEBUG ( default/core ): | 0          | 323                [323  ] | 18 |      8 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 26
DEBUG ( default/core ):
DEBUG ( default/core ): NfV9 agent         : x.x.x.x:200
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID   : 264
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
DEBUG ( default/core ): | 0          | IPv4 src addr      [8    ] | 0 |      4 |
DEBUG ( default/core ): | 0          | 225                [225  ] | 4 |      4 |
DEBUG ( default/core ): | 0          | IPv4 dst addr      [12   ] | 8 |      4 |
DEBUG ( default/core ): | 0          | 226                [226  ] | 12 |      4 |
DEBUG ( default/core ): | 0          | L4 src port        [7    ] | 16 |      2 |
DEBUG ( default/core ): | 0          | 227                [227  ] | 18 |      2 |
DEBUG ( default/core ): | 0          | L4 dst port        [11   ] | 20 |      2 |
DEBUG ( default/core ): | 0          | 228                [228  ] | 22 |      2 |
DEBUG ( default/core ): | 0          | 234                [234  ] | 24 |      4 |
DEBUG ( default/core ): | 0          | L4 protocol        [4    ] | 28 |      1 |
DEBUG ( default/core ): | 0          | 230                [230  ] | 29 |      1 |
DEBUG ( default/core ): | 0          | 323                [323  ] | 30 |      8 |
DEBUG ( default/core ): -------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 38
DEBUG ( default/core ):


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
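
Added example, not part of the original thread and not pmacct code: a minimal NetFlow v9 flowset walker that tells template flowsets (ID 0) apart from data flowsets (ID >= 256) in a UDP payload, which is the distinction the reply asks to verify on the wire. The payloads are constructed from template 267 as printed in the debug log; the helper names, the source ID value and the all-zero records are assumptions for illustration.

```python
import struct

# Template 267 as printed in the nfacctd debug output: (field type, length).
TEMPLATE_267 = [(8, 4), (225, 4), (234, 4), (4, 1), (230, 1),
                (323, 8), (361, 2), (363, 2), (364, 2)]

def v9_header(count, seq, source_id=200):
    # version, count, sysUptime, unix_secs, sequence, source ID = 20 bytes
    return struct.pack("!HHIIII", 9, count, 0, 0, seq, source_id)

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid, records):
    body = b"".join(records)
    pad = -(4 + len(body)) % 4  # flowsets are padded to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body) + pad) + body + bytes(pad)

def summarize(payload):
    """Return {"templates": {id: record_size}, "data": {id: body_bytes}}."""
    if len(payload) < 20 or struct.unpack_from("!H", payload)[0] != 9:
        raise ValueError("not a NetFlow v9 payload")
    out, off = {"templates": {}, "data": {}}, 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("malformed flowset length")
        body = payload[off + 4:off + fs_len]
        pos = 0
        while fs_id == 0 and pos + 4 <= len(body):  # template flowset
            tid, nfields = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + 4 * nfields
            if end > len(body):
                raise ValueError("template overruns flowset")
            out["templates"][tid] = sum(
                struct.unpack_from("!HH", body, p)[1]
                for p in range(pos + 4, end, 4))
            pos = end
        if fs_id >= 256:  # data flowset; its ID is the template ID
            out["data"][fs_id] = out["data"].get(fs_id, 0) + len(body)
        off += fs_len
    return out

# Constructed sample payloads: templates only (as in the log), then data.
TEMPLATES_ONLY = v9_header(1, 268) + template_flowset(267, TEMPLATE_267)
WITH_DATA = v9_header(2, 269) + data_flowset(267, [bytes(28), bytes(28)])
```

An exporter whose payloads only ever produce entries under `"templates"` is in the state the debug log shows; entries under `"data"` keyed by 264 to 267 would mean records are reaching the collector.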
