Hi Stig,
Very briefly to confirm: a) you are correct, libpcap captures
both inbound and outbound traffic and b) the workaround you
have put in place not only makes sense but is also by far the
most efficient way to filter traffic out of pmacctd.
Cheers,
Paolo
On Tue, Aug 04, 2009 at 10:39:00AM -0700, Stig Thormodsrud wrote:
I notice with multiple interfaces that I get duplicate flows. If I recall
correctly a cisco router does netflow only on input while it seems pcap
captures both inbound outbound packets. My work around to filter out
the output flows was to use a pcap_filter such as:
!
daemonize: true
promisc: false
pidfile: /var/run/pmacctd-eth0.pid
imt_path: /tmp/pmacctd-eth0.pipe
plugins: nfprobe, memory
aggregate: src_host,dst_host,src_port,dst_port,proto,tos,flows,tag
interface: eth0
syslog: daemon
! filter out packets with the mac address of eth0
pcap_filter: !ether src 00:0c:29:8c:53:7c
nfprobe_receiver: 172.16.117.25:2100
nfprobe_version: 5
nfprobe_engine: 1:2
post_tag: 2
Is this the approach others are using with multiple interfaces or is there
a better way?
Thanks,
stig
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
