Re: [pmacct-discussion] Pmacct configuration with direction of traffic
Here is the output when running in debug mode:

INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd (20200222-01)
INFO ( default/core ): '--prefix=/usr' '--enable-mysql' '--enable-nflog' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
INFO ( default/core ): Reading configuration file '/root/pmacct/uacctd2.conf'.
INFO ( print_wan0_in/print ): plugin_pipe_size=4096000 bytes plugin_buffer_size=280 bytes
INFO ( print_wan0_in/print ): ctrl channel: obtained=212992 bytes target=117024 bytes
INFO ( print_wan0_out/print ): plugin_pipe_size=4096000 bytes plugin_buffer_size=280 bytes
INFO ( print_wan0_out/print ): ctrl channel: obtained=212992 bytes target=117024 bytes
INFO ( print_wan0_in/print ): cache entries=16411 base cache memory=54878384 bytes
INFO ( default/core ): [pretag2.map] (re)loading map.
INFO ( print_wan0_out/print ): cache entries=16411 base cache memory=54878384 bytes
INFO ( default/core ): [pretag2.map] map successfully (re)loaded.
INFO ( default/core ): [pretag2.map] (re)loading map.
INFO ( default/core ): [pretag2.map] map successfully (re)loaded.
INFO ( default/core ): [pretag2.map] (re)loading map.
INFO ( default/core ): [pretag2.map] map successfully (re)loaded.
INFO ( default/core ): Successfully connected Netlink NFLOG socket

It doesn't seem to have any issues loading the maps, though it is not collecting anything. When capturing with tcpdump I see packets going through:

tcpdump -n -vv -i nflog:1
09:16:05.831131 IP (tos 0x0, ttl 64, id 36511, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.28.11 > 8.8.8.8: ICMP echo request, id 17353, seq 1, length 64
09:16:05.831362 IP (tos 0x0, ttl 49, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.28.11: ICMP echo reply, id 17353, seq 1, length 64
09:16:05.831392 IP (tos 0x0, ttl 64, id 36682, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.28.11 > 8.8.8.8: ICMP echo request, id 17353, seq 2, length 64
09:16:06.855200 IP (tos 0x0, ttl 49, id 0, offset 0, flags [none], proto ICMP (1), length 84)
    8.8.8.8 > 192.168.28.11: ICMP echo reply, id 17353, seq 2, length 64

The pmacct version I am running is latest master.
Thank you for your assistance.

Alex

On Mon, Feb 24, 2020 at 6:20 PM Alex K wrote:
> Hi Paolo,
>
> On Sat, Feb 22, 2020 at 4:18 PM Paolo Lucente wrote:
>
>>
>> Hi Alex,
>>
>> Is it possible with the new setup - the one where pre_tag_map does not
>> match anything - the traffic is VLAN-tagged (or MPLS-labelled)? If so,
>> you should adjust filters accordingly and add 'vlan and', ie. "vlan and
>> src net 192.168.28.0/24 or vlan and src net 192.168.100.0/24".
>>
> The traffic is not VLAN or MPLS. It is simple one. I confirm I can collect
> traffic when removing the pretag directives. Also when stopping uacctd, I
> can capture traffic at nflog:1 interface.
> I simplified the configuration as below:
>
> !
> daemonize: true
> promisc: false
> uacctd_group: 1
> !
> pre_tag_map: pretag2.map
> pre_tag_filter[print_wan0_in]: 1
> pre_tag_filter[print_wan0_out]: 2
> !
> !-
> plugins: print[print_wan0_in], print[print_wan0_out]
> print_refresh_time: 10
> print_history: 15m
> print_output_file_append: true
> !
> print_output[print_wan0_in]: csv
> print_output[print_wan0_out]: csv
> print_output_file[print_wan0_in]: traffic-wan0-in.csv
> print_output_file[print_wan0_out]: traffic-wan0-out.csv
> !
> aggregate[print_wan0_in]: tag, src_host, dst_host, src_port, dst_port, proto
> aggregate[print_wan0_out]: tag, src_host, dst_host, src_port, dst_port, proto
> !
>
> with pretag2.map
> set_tag=1 filter='src net 192.168.28.0/24'
> set_tag=2 filter='dst net 192.168.28.0/24'
>
> As soon as I enable the pretag directives as below, I do not see any
> traffic being collected from uacctd at NFLOG group 1
>
> pre_tag_map: pretag2.map
> pre_tag_filter[print_wan0_in]: 1
> pre_tag_filter[print_wan0_out]: 2
>
> I am running pmacct 1.7.4.
>
>
>> Paolo
>>
>> On Fri, Feb 21, 2020 at 01:04:25PM +0200, Alex K wrote:
>> > Working further on this, it seems that for pmacct is sufficient to filter
>> > traffic using only the pre_tag_filter, thus no need for the aggregation
>> > filters.
>> > The issue with this setup though is that I lose the information of the
>> > pre_nat source IP address when monitoring at the WAN interfaces. Due to
>> > this I am switching to uacctd as following:
>> >
>> > !
>> > daemonize: true
>> > promisc: false
>> > uacctd_group: 1
>> > !networks_file: networks.lst
>> > !ports_file: ports.lst
>> > !
>> > pre_tag_map: pretag2.map
>> > pre_tag_filter[print_wan0_in]: 1
>> > pre_tag_filter[print_wan0_out]: 2
>> > pre_tag_filter[wan0_in]: 1
>> > pre_tag_filter[wan0_out]: 2
>> > !
>> > plugins: print[print_wan0_in], print[print_wan0_out], mysql[wan0_in], mysql[wan0_out]
>> > plugin_pipe_size[wan0_in]: 1024000
>> > plugin_pipe_size[wan0_out]: 1024000
>> > print_refresh_t
Re: [pmacct-discussion] Pmacct configuration with direction of traffic
Hi Alex,

Thanks for your feedback. I see you did run "tcpdump -n -vv -i nflog:1"
which is equivalent to running uacctd without any filters; as you may know,
you can append a BPF-style filter to the tcpdump command-line, precisely
as you express it in pre_tag_map. Can you give that a try and see if you
get any luck?

My expectation is: if something does not work with pre_tag_map, it
should also not work with tcpdump; if you work out a filter to work
against tcpdump, that should work in pre_tag_map as well. Any disconnect
among the two may bring the scent of a bug.

Paolo

On Tue, Feb 25, 2020 at 11:20:21AM +0200, Alex K wrote:
> Here is the output when running in debug mode:
>
> INFO ( default/core ): Linux NetFilter NFLOG Accounting Daemon, uacctd (20200222-01)
> INFO ( default/core ): '--prefix=/usr' '--enable-mysql' '--enable-nflog' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
> INFO ( default/core ): Reading configuration file '/root/pmacct/uacctd2.conf'.
> INFO ( print_wan0_in/print ): plugin_pipe_size=4096000 bytes plugin_buffer_size=280 bytes
> INFO ( print_wan0_in/print ): ctrl channel: obtained=212992 bytes target=117024 bytes
> INFO ( print_wan0_out/print ): plugin_pipe_size=4096000 bytes plugin_buffer_size=280 bytes
> INFO ( print_wan0_out/print ): ctrl channel: obtained=212992 bytes target=117024 bytes
> INFO ( print_wan0_in/print ): cache entries=16411 base cache memory=54878384 bytes
> INFO ( default/core ): [pretag2.map] (re)loading map.
> INFO ( print_wan0_out/print ): cache entries=16411 base cache memory=54878384 bytes
> INFO ( default/core ): [pretag2.map] map successfully (re)loaded.
> INFO ( default/core ): [pretag2.map] (re)loading map.
> INFO ( default/core ): [pretag2.map] map successfully (re)loaded.
> INFO ( default/core ): [pretag2.map] (re)loading map.
> INFO ( default/core ): [pretag2.map] map successfully (re)loaded.
> INFO ( default/core ): Successfully connected Netlink NFLOG socket
>
> It doesn't seem to have any issues loading the maps, though it is not
> collecting anything. When capturing with tcpdump I see packets going
> through:
>
> tcpdump -n -vv -i nflog:1
> 09:16:05.831131 IP (tos 0x0, ttl 64, id 36511, offset 0, flags [DF], proto ICMP (1), length 84)
>     192.168.28.11 > 8.8.8.8: ICMP echo request, id 17353, seq 1, length 64
> 09:16:05.831362 IP (tos 0x0, ttl 49, id 0, offset 0, flags [none], proto ICMP (1), length 84)
>     8.8.8.8 > 192.168.28.11: ICMP echo reply, id 17353, seq 1, length 64
> 09:16:05.831392 IP (tos 0x0, ttl 64, id 36682, offset 0, flags [DF], proto ICMP (1), length 84)
>     192.168.28.11 > 8.8.8.8: ICMP echo request, id 17353, seq 2, length 64
> 09:16:06.855200 IP (tos 0x0, ttl 49, id 0, offset 0, flags [none], proto ICMP (1), length 84)
>     8.8.8.8 > 192.168.28.11: ICMP echo reply, id 17353, seq 2, length 64
>
> The pmacct version I am running is latest master.
> Thank you for your assistance.
>
> Alex
>
>
> On Mon, Feb 24, 2020 at 6:20 PM Alex K wrote:
>
> > Hi Paolo,
> >
> > On Sat, Feb 22, 2020 at 4:18 PM Paolo Lucente wrote:
> >
> >>
> >> Hi Alex,
> >>
> >> Is it possible with the new setup - the one where pre_tag_map does not
> >> match anything - the traffic is VLAN-tagged (or MPLS-labelled)? If so,
> >> you should adjust filters accordingly and add 'vlan and', ie. "vlan and
> >> src net 192.168.28.0/24 or vlan and src net 192.168.100.0/24".
> >>
> > The traffic is not VLAN or MPLS. It is simple one. I confirm I can collect
> > traffic when removing the pretag directives. Also when stopping uacctd, I
> > can capture traffic at nflog:1 interface.
> > I simplified the configuration as below:
> >
> > !
> > daemonize: true
> > promisc: false
> > uacctd_group: 1
> > !
> > pre_tag_map: pretag2.map
> > pre_tag_filter[print_wan0_in]: 1
> > pre_tag_filter[print_wan0_out]: 2
> > !
> > !-
> > plugins: print[print_wan0_in], print[print_wan0_out]
> > print_refresh_time: 10
> > print_history: 15m
> > print_output_file_append: true
> > !
> > print_output[print_wan0_in]: csv
> > print_output[print_wan0_out]: csv
> > print_output_file[print_wan0_in]: traffic-wan0-in.csv
> > print_output_file[print_wan0_out]: traffic-wan0-out.csv
> > !
> > aggregate[print_wan0_in]: tag, src_host, dst_host, src_port, dst_port, proto
> > aggregate[print_wan0_out]: tag, src_host, dst_host, src_port, dst_port, proto
> > !
> >
> > with pretag2.map
> > set_tag=1 filter='src net 192.168.28.0/24'
> > set_tag=2 filter='dst net 192.168.28.0/24'
> >
> > As soon as I enable the pretag directives as below, I do not see any
> > traffic being collected from uacctd at NFLOG group 1
> >
> > pre_tag_map: pretag2.map
> > pre_tag_filter[print_wan0_in]: 1
> > pre_tag_filter[print_wan0_out]: 2
> >
> > I am running pmacct 1.7.4.
> >
> >
> >> Paolo
> >>
> >> On Fri, Feb 21, 2020 at 01:04:25PM +0200, Alex K wrote:
> >> > Working further on this, i
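
The check Paolo suggests, written out as an added example that is not part of the original thread: each filter in the pre_tag_map is handed to tcpdump on the NFLOG group to see whether it matches any packet. It assumes map entries of the form set_tag=N filter='EXPR' as in pretag2.map and that uacctd is stopped while it runs; the function names (map_filters, filter_matches, check_map) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: map entries look like
#   set_tag=N filter='EXPR'   (as in pretag2.map); the NFLOG group is visible
# to libpcap as nflog:<group>; run as root with uacctd stopped.

TCPDUMP=${TCPDUMP:-tcpdump}   # overridable, e.g. to point at a full path

# Print "tag filter" for every map entry that carries a filter.
# Comment lines (starting with ! or #) do not match and are skipped.
map_filters() {
    sed -n "s/^[[:space:]]*set_tag=\([0-9][0-9]*\)[[:space:]].*filter='\([^']*\)'.*/\1 \2/p" "$1"
}

# Succeed if a packet on nflog:$1 matches BPF filter $2 within $3 seconds.
# stderr is discarded, so a filter tcpdump rejects also counts as no match.
filter_matches() {
    out=$(timeout "$3" "$TCPDUMP" -n -c 1 -i "nflog:$1" "$2" </dev/null 2>/dev/null)
    [ -n "$out" ]
}

# Print one verdict per filter: "tag=N match: EXPR" or "tag=N no-match: EXPR".
check_map() {
    # $1: pre_tag_map file, $2: uacctd_group, $3: seconds to wait per filter
    map_filters "$1" | while read -r tag filter; do
        if filter_matches "$2" "$filter" "$3"; then
            verdict=match
        else
            verdict=no-match
        fi
        printf 'tag=%s %s: %s\n' "$tag" "$verdict" "$filter"
    done
}

# Usage: sh check_map.sh pretag2.map 1 [seconds]
if [ "$#" -ge 2 ]; then
    check_map "$1" "$2" "${3:-10}"
fi
```

A filter that reports match here while uacctd still collects nothing with the same pre_tag_map entry is the disconnect between the two that Paolo describes.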