Working further on this, it seems that for pmacct is sufficient to filter
traffic using only the pre_tag_filter, thus no need for the aggregation
filters.
The issue with this setup though is that I loose the information of the
pre_nat source IP address when monitoring at the WAN interfaces. Due to
this I am switching to uacctd as following:
!
daemonize: true
promisc: false
uacctd_group: 1
!networks_file: networks.lst
!ports_file: ports.lst
!
pre_tag_map: pretag2.map
pre_tag_filter[print_wan0_in]: 1
pre_tag_filter[print_wan0_out]: 2
pre_tag_filter[wan0_in]: 1
pre_tag_filter[wan0_out]: 2
!
plugins: print[print_wan0_in], print[print_wan0_out], mysql[wan0_in],
mysql[wan0_out]
plugin_pipe_size[wan0_in]: 1024000
plugin_pipe_size[wan0_out]: 1024000
print_refresh_time: 10
print_history: 15m
print_output_file_append: true
!
print_output[print_wan0_in]: csv
print_output_file[print_wan0_in]: in_traffic.csv
print_output[print_wan0_out]: csv
print_output_file[print_wan0_out]: out_traffic.csv
!
aggregate[print_wan0_in]: dst_host, src_port, dst_port, proto
aggregate[print_wan0_out]: src_host, src_port, dst_port, proto
!
sql_table[wan0_in]: traffic_wan0_in_%Y%m%d_%H%M
sql_table[wan0_out]: traffic_wan0_out_%Y%m%d_%H%M
!
sql_table_schema[wan0_in]: traffic_wan0_in.schema
sql_table_schema[wan0_out]: traffic_wan0_out.schema
!
sql_host: localhost
sql_db : uacct
sql_user : uacct
sql_passwd: uacct
sql_refresh_time: 30
sql_optimize_clauses: true
sql_history : 24h
sql_history_roundoff: mhd
!
aggregate[wan0_in]: dst_host, src_port, dst_port, proto
aggregate[wan0_out]: src_host, src_port, dst_port, proto
Where pretag2.map:
set_tag=1 filter='src net 192.168.28.0/24 or src net 192.168.100.0/24'
set_tag=2 filter='dst net 192.168.28.0/24 or dst net 192.168.100.0/24'
The issue I have with the above config is that no traffic is being
collected at all. I confirm that when removing the pre_tag filters, traffic
is collected, though it is not sorted per direction as I would like to
have.
Can I use pre_tag_map and pre_tag_filter with uacctd? I don't see any
examples for uacctd at
https://github.com/pmacct/pmacct/blob/master/examples/pretag.map.example.
Thanx,
Alex
On Thu, Feb 20, 2020 at 6:33 PM Alex K wrote:
> Hi all,
>
> I have a router with multiple interfaces and will need to account traffic
> at its several WAN interfaces. My purpose is toaccount the traffic with the
> tuple details and the direction.
>
> As a test I have compiled the following simple configuration for pmacctd:
>
> !
> daemonize: true
> plugins: print[wan0_in], print[wan0_out]
> print_refresh_time: 10
> print_history: 15m
> !
> print_output[wan0_in]: csv
> print_output_file[wan0_in]: in_traffic.csv
> print_output[wan0_out]: csv
> print_output_file[wan0_out]: out_traffic.csv
> !
> aggregate[wan0_in]: src_host, dst_host, src_port, dst_port, tag
> aggregate[wan0_out]: src_host, dst_host, src_port, dst_port, tag
> !
> pre_tag_filter[wan0_in]:1
> pre_tag_filter[wan0_out]:2
> !
> pcap_interface: eth0
> pre_tag_map: pretag.map
> networks_file: networks.lst
> ports_file: ports.lst
> !
>
> where pretag.map is:
> set_tag=1 filter='ether dst 52:54:00:69:a6:0b'
> set_tag=2 filter='ether src 52:54:00:69:a6:0b'
>
> and networks.lst is:
> 10.100.100.0/24
>
> It seems that the details output at the CSV are correctly filtered
> according to the tag, thus recording the direction also, based on the MAC
> address of the WAN0 interface.
>
> Is this the correct approach to achieve this or is there any other
> recommended way? Do I need to use aggregate_filters?
>
> Also, although I have set a network filter to capture only 10.100.100.0/24,
> I observe several networks in/out being collected, indicating that the
> network_file directive is ignored or I have misunderstood its purpose. My
> purpose it to collect traffic only generated from subnets that belong to
> configured interfaces of the router.
>
> Thanx for your feedback!
> Alex
>
>
>
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
