Re: [pmacct-discussion] Problem with running pmacct to monitor
This one time, at band camp, zulkarnain wrote:

> syslog:daemon
> interface: eth0,eth1

Change this to

    interface: eth0

and copy it to pmacct.eth0.conf and make another copy pmacct.eth1.conf and set

    interface: eth1

Then run two pmacctds:

    pmacctd -f pmacct.eth0.conf
    pmacctd -f pmacct.eth1.conf

Or, don't specify an interface at all in the config file, and specify the interface on the command line:

    pmacctd -i eth0 -f pmacct.conf
    pmacctd -i eth1 -f pmacct.conf

You'll have to check the manual to make sure the options are correct, I'm just going from memory.

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] Comparing nfacctd and pmacctd
Hello, Peter,

In order to see the traffic in both directions, you have to enable cache-flow on both interfaces - incoming and outgoing for your network. I'm using a Cisco to gather billing and traffic accounting statistics with netflow, but I'm not using NAT.

Firstly, you have to enable it:

    ip flow-cache timeout active 2

This enables a 2 minute active timeout for flows. Then, on each of your interfaces, f.e.:

    interface GigabitEthernet0/1
     ip route-cache flow
    interface GigabitEthernet0/2
     ip route-cache flow

And finally to send the netflow data to a nfacctd, or any other NetFlow accounting software:

    ip flow-export version 5 origin-as
    ip flow-export destination 192.168.1.2

Hope this helps.

On Mon, 22 May 2006 23:35:08 +0300 Peter Nixon [EMAIL PROTECTED] wrote:

> Hi List
>
> As a relative newbie to netflow can someone confirm for me whether or not netflow records from a single interface of a cisco router contain information about packets in BOTH directions or only one?
>
> I am attempting to replace a linux box acting as a router running pmacctd with a cisco router running netflow sending records to nfacctd. The tricky bit is that I am running NAT on the external interface of the router with a private IP block behind it and I need to see data on inbound AND outbound traffic. With pmacctd on a linux box I can see data in both directions on the internal interface(s) but I don't appear to be getting it with the cisco.
>
> If I enable ip route-cache flow on the external interface I see all the flows related to the external NAT IP which is useless as I need to match it to the hosts behind. I have also tried to set up a loopback interface, with netflow enabled on it, and route all traffic via it, but I don't seem to be receiving any flow records from it.
>
> Can anyone help?
>
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc

--
Regards,
Nickola
Re: [pmacct-discussion] Comparing nfacctd and pmacctd
Hi Nikola

I already have a configuration almost identical to yours. As I mentioned below, I am happily getting data from the external interface also; however, the flows are all hidden by the single nat overload, which means I have no way to associate them with the traffic on the internal interface.

Does anyone have a way to resolve this? I figure that there must be a way to get around this problem by using a loopback interface but as yet I haven't figured out the correct configuration.

Cheers

Peter

On Tue 23 May 2006 10:38, Nickola Kolev wrote:

> Hello, Peter,
>
> In order to see the traffic in both directions, you have to enable cache-flow on both interfaces - incoming and outgoing for your network. I'm using a Cisco to gather billing and traffic accounting statistics with netflow, but I'm not using NAT.
>
> Firstly, you have to enable it:
>
>     ip flow-cache timeout active 2
>
> This enables a 2 minute active timeout for flows. Then, on each of your interfaces, f.e.:
>
>     interface GigabitEthernet0/1
>      ip route-cache flow
>     interface GigabitEthernet0/2
>      ip route-cache flow
>
> And finally to send the netflow data to a nfacctd, or any other NetFlow accounting software:
>
>     ip flow-export version 5 origin-as
>     ip flow-export destination 192.168.1.2
>
> Hope this helps.
>
> On Mon, 22 May 2006 23:35:08 +0300 Peter Nixon [EMAIL PROTECTED] wrote:
>
> > Hi List
> >
> > As a relative newbie to netflow can someone confirm for me whether or not netflow records from a single interface of a cisco router contain information about packets in BOTH directions or only one?
> >
> > I am attempting to replace a linux box acting as a router running pmacctd with a cisco router running netflow sending records to nfacctd. The tricky bit is that I am running NAT on the external interface of the router with a private IP block behind it and I need to see data on inbound AND outbound traffic. With pmacctd on a linux box I can see data in both directions on the internal interface(s) but I don't appear to be getting it with the cisco.
> >
> > If I enable ip route-cache flow on the external interface I see all the flows related to the external NAT IP which is useless as I need to match it to the hosts behind. I have also tried to set up a loopback interface, with netflow enabled on it, and route all traffic via it, but I don't seem to be receiving any flow records from it.
> >
> > Can anyone help?
> >
> > --
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: [pmacct-discussion] Comparing nfacctd and pmacctd
Hi Peter,

Peter Nixon, 23.05.2006 09:52:

> I already have a configuration almost identical to yours. As I mentioned below, I am happily getting data from the external interface also; however, the flows are all hidden by the single nat overload, which means I have no way to associate them with the traffic on the internal interface.
>
> Does anyone have a way to resolve this? I figure that there must be a way to get around this problem by using a loopback interface but as yet I haven't figured out the correct configuration.

Maybe this is a terminology problem. So first I will state some things, which are probably already clear:

1. A flow always has _one_ direction. So if you look at a TCP connection on whatever interface, you will get two flows for that connection.

2. On each interface you can meter both the ingress and egress traffic, that is the traffic leaving and entering the router. If your router has only two active interfaces, you will meter on both interfaces almost the same amount of traffic (besides the traffic directly to/from the router, like web interface/netflow...).

So, if you want to see the packets on the inner side of the NAT process, it makes no sense to meter on the external interface. Just meter on the internal interface and you should be fine.

If you want to do something exotic, like recording which port-translation is done by the NAT process, either the metering has to be done by the NAT process itself, or the packets have to be tagged and metered on both interfaces, so that you can export two flows, which are linked somehow, for example with a FlowID. But if at all, this is only possible with Netflow v9 or IPFIX.

Hope that helps a bit.

Cheers,

Sven

--
Sven Anderson
Institute for Informatics - http://www.ifi.informatik.uni-goettingen.de
Georg-August-Universitaet Goettingen
Lotzestr. 16-18, 37083 Goettingen, Germany
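The two points in the reply above (a flow has one direction; metering on the internal interface shows the hosts before NAT), applied to a NetFlow v5 export as an added example that is not part of the original thread: it parses v5 records, pairs the two one-way flows of each connection, and totals bytes per inside host. The `INSIDE` network, the function names and the sample packet are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

HEADER = struct.Struct("!HHIIIIBBH")             # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes
INSIDE = ip_network("192.168.0.0/16")            # assumption: private block behind the NAT


def parse_v5(packet):
    """Return (src, dst, sport, dport, proto, octets) per record of a v5 export packet."""
    version, count, *_ = HEADER.unpack_from(packet, 0)
    if version != 5 or len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("not a complete NetFlow v5 export packet")
    body = packet[HEADER.size:HEADER.size + count * RECORD.size]
    return [(ip_address(f[0]), ip_address(f[1]), f[9], f[10], f[13], f[6])
            for f in RECORD.iter_unpack(body)]


def per_host_totals(flows):
    """Pair each connection's two one-way flows; total bytes per inside host."""
    totals = defaultdict(lambda: {"out": 0, "in": 0, "connections": set()})
    for src, dst, sport, dport, proto, octets in flows:
        if src in INSIDE and dst not in INSIDE:
            host, direction, key = src, "out", (proto, src, sport, dst, dport)
        elif dst in INSIDE and src not in INSIDE:
            host, direction, key = dst, "in", (proto, dst, dport, src, sport)
        else:
            continue  # inside-to-inside or transit traffic is not attributed
        totals[str(host)][direction] += octets
        totals[str(host)]["connections"].add(key)  # same key for both directions
    return totals


def build_packet(records):
    """Constructed sample data: pack flow tuples as a v5 export packet."""
    body = b"".join(
        RECORD.pack(int(ip_address(s)), int(ip_address(d)), 0, 1, 2, 1, octets,
                    0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, proto, octets in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body


SAMPLE = build_packet([  # one TCP connection (two flows) plus one DNS query
    ("192.168.1.10", "203.0.113.5", 40000, 80, 6, 1200),
    ("203.0.113.5", "192.168.1.10", 80, 40000, 6, 54000),
    ("192.168.2.20", "198.51.100.53", 5353, 53, 17, 80),
])
for host, t in sorted(per_host_totals(parse_v5(SAMPLE)).items()):
    print(host, "out", t["out"], "in", t["in"], "flows paired into", len(t["connections"]))
```

Flows exported from the external interface after NAT overload would all carry the single translated address, so the same pairing would collapse every host into one entry.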
[pmacct-discussion] How to make this configuration file more simple?
Hi all,

I would like to monitor all traffic from my network for each host. My configuration becomes hard to maintain each time I add a host to monitor. Are there any tricks to make this configuration more simple?

    aggregate[inbound1]: dst_host
    aggregate[outbound1]: src_host
    aggregate_filter[inbound1]: dst host 192.168.1.1/32
    aggregate_filter[outbound1]: src host 192.168.1.1/32

    aggregate[inbound2]: dst_host
    aggregate[outbound2]: src_host
    aggregate_filter[inbound2]: dst host 192.168.2.1/32
    aggregate_filter[outbound2]: src host 192.168.2.1/32

    aggregate[inbound3]: dst_host
    aggregate[outbound3]: src_host
    aggregate_filter[inbound3]: dst host 192.168.3.1/32
    aggregate_filter[outbound3]: src host 192.168.3.1/32

    aggregate[inbound4]: dst_host
    aggregate[outbound4]: src_host
    aggregate_filter[inbound4]: dst host 192.168.4.1/32
    aggregate_filter[outbound4]: src host 192.168.4.1/32

    plugins: mysql[inbound1], mysql[outbound1], mysql[inbound2], mysql[outbound2], mysql[inbound3], mysql[outbound3], mysql[inbound4], mysql[outbound4]
    plugin_pipe_size:1024000
    plugin_buffer_size:8192

    sql_table[inbound1]: acct_ineth1
    sql_table[outbound1]: acct_outeth1
    sql_table[inbound2]: acct_ineth1
    sql_table[outbound2]: acct_outeth1
    sql_table[inbound3]: acct_ineth1
    sql_table[outbound3]: acct_outeth1
    sql_table[inbound4]: acct_ineth1
    sql_table[outbound4]: acct_outeth1

Thanks!

---
Zul