[pmacct-discussion] ifindex and netmask records

2010-04-02 Thread Richard A Steenbergen
Hello,

I just started playing with pmacct tonight, so pardon me if these are 
stupid questions, but I'm wondering if it is possible to do the following 
things:

* Record (and aggregate on) the address of the router that exported a 
flow via netflow/sflow. Basically I just want to know which router 
exported the flow to me, using either the agent address if available (on 
sflow, etc), or the source address of the netflow packet. 

* Record (and aggregate on) the src/dst ifindexes that are exported via 
sflow/netflow protocols. Obviously this would be paired with the router 
id mentioned above to give the ifindex meaning, :)

* Record the mask that was used in a src/dst_net aggregator. I figured 
out how to dynamically aggregate by the netmask value exported via 
netflow/sflow (via the pmacct changelog, it doesn't seem to be in the 
documentation anywhere I could find), but it doesn't record the netmask 
that was used. For example, say I receive an export for a flow to 
1.2.3.4 which has a destination route of 1.2.0.0/16. I want to 
dynamically aggregate this to 1.2.0.0/16, but currently the only data 
being stored is 1.2.0.0. This leaves me with no way to know that the dst 
route was a /16, and probably no way to correctly record the difference 
between a packet going to 1.2.0.0/16 (for example dst ip 1.2.255.255) 
and 1.2.0.0/17 (for example dst ip 1.2.0.0). It seems like the netmask 
would need to be recorded for this to have any chance of working 
properly.

-- 
Richard A Steenbergen r...@e-gerbil.net   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists


Re: [pmacct-discussion] ifindex and netmask records

2010-04-02 Thread Paolo Lucente
Hi Richard,

On Fri, Apr 02, 2010 at 03:12:23AM -0500, Richard A Steenbergen wrote:

> * Record (and aggregate on) the address of the router that exported a 
> flow via netflow/sflow. Basically I just want to know which router 
> exported the flow to me, using either the agent address if available (on 
> sflow, etc), or the source address of the netflow packet. 

As Nitzan correctly mentioned, pre-tagging should be used for this. The
idea is you get a tag instead of the IP address of the NetFlow/sFlow
exporter. If it doesn't suit, just let me know: I would see it as a good
feature request.

> * Record (and aggregate on) the src/dst ifindexes that are exported via 
> sflow/netflow protocols. Obviously this would be paired with the router 
> id mentioned above to give the ifindex meaning, :)

As of 0.12.1 (which will be out in roughly a week) or the code currently
in the CVS you have the in_iface and out_iface aggregation primitives.

The legacy way (up to 0.12.0) to do it was via pre-tagging as per the
point before. Of course pre-tagging (so map ifindexes to tags) can still
be used when a stricter control (filter out un-needed stuff) is required
as part of the aggregation process. 

> * Record the mask that was used in a src/dst_net aggregator. I figured 
> out how to dynamically aggregate by the netmask value exported via 
> netflow/sflow (via the pmacct changelog, it doesn't seem to be in the 
> documentation anywhere I could find), but it doesn't record the netmask 
> that was used. For example, say I receive an export for a flow to 

 [ ... ]

As of 0.12.1 (which will be out in roughly a week) or the code currently
in the CVS you have the src_mask and dst_mask aggregation primitives :-)
You have also a set of [ nfacctd_net | sfacctd_net | pmacctd_net ] config
directives which have as values [ netflow | sflow | mask | file | bgp ].
It means the network prefix and the netmask can be explicitly grasped out
of: netflow, sflow, bgp, a networks_file: a file where some networks are
listed (can be also a dump of the full BGP table) which makes sense going
libpcap or ULOG really or a static networks_mask directive: i.e. aggregate
everything to /24: it makes sense once again if going libpcap or ULOG.

Cheers,
Paolo
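
Added example, not part of the thread and not pmacct code: a small Python model of the aggregation-key problem discussed above, showing how flows matched to 1.2.0.0/16 and 1.2.0.0/17 merge when only the network address is stored, and how the same ifindex on two exporters merges when the exporter is not part of the key. The flow tuples, addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows: (exporter, in_ifindex, dst_ip, dst_mask, bytes)
FLOWS = [
    ("192.0.2.1", 3, "1.2.255.255", 16, 1000),  # matched route 1.2.0.0/16
    ("192.0.2.1", 3, "1.2.0.0",     17, 500),   # matched route 1.2.0.0/17
    ("192.0.2.2", 3, "1.2.3.4",     16, 200),   # other router, same ifindex number
]

def network_of(ip, mask):
    """Zero the host bits of ip according to the exported mask length."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def aggregate(flows, keep_mask, keep_exporter):
    """Sum bytes per (exporter, ifindex, dst network) key.

    keep_mask=False stores only the network address (the behaviour the
    first message describes); keep_mask=True stores prefix and length.
    keep_exporter=False drops the router identity from the key.
    """
    totals = defaultdict(int)
    for exporter, ifindex, dst_ip, mask, nbytes in flows:
        net = network_of(dst_ip, mask)
        key = (
            exporter if keep_exporter else None,
            ifindex,
            str(net) if keep_mask else str(net.network_address),
        )
        totals[key] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for keep_mask, keep_exporter in [(False, False), (True, False), (True, True)]:
        print(f"keep_mask={keep_mask} keep_exporter={keep_exporter}")
        for key, nbytes in sorted(aggregate(FLOWS, keep_mask, keep_exporter).items(),
                                  key=lambda kv: str(kv[0])):
            print("   ", key, nbytes)
```
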

