Re: [pmacct-discussion] fswstatus

2017-09-26 Thread Fabien VINCENT
On 2017-09-25 14:33, Paolo Lucente wrote:

> Hi Fabien,
> 
> I support Emil's comment, just tried myself (same build, same compile
> options as yours) and i don't get the 'unknown key' message back. On
> your other question, when 1.7.0 will be out: later today the code in
> GitHub master will be switched to 1.7.1 and 1.7.0 will be branched out
> (frozen). I then expect 1.7.0 to be released in a couple of weeks from
> today, if no major issue is hit meanwhile.
> 
> Paolo
> 
> On Mon, Sep 25, 2017 at 10:45:38AM +0100, Emil wrote:
> 
> Hello Fabien.
> 
> I wrote the patch for fwdstatus;
> my config looks like this:
> 
> ! Only tag denys with 10
> set_tag2=10 fwdstatus=129
> set_tag2=20 fwdstatus=64
> 
> And it works. Can you check your source code and look for
> "PT_map_fwdstatus_handler"
> in src/pretag_handlers.c If that is present it _should_ work.
> 
> Best Regards.
> 
> 2017-09-25 8:22 GMT+01:00 Fabien VINCENT :
> 
> On 2017-09-25 03:41, Paolo Lucente wrote:
> 
> Hi Fabien,
> 
> What version are you running? You can confirm this with a 'nfacctd -V';
> the feature was added in 1.7.0 (that is, master code on GitHub). I can
> also confirm you, on your original question, that an atoi() is performed
> on the input value - so you should express values in decimal.
> 
> Paolo
> 
> On Sun, Sep 24, 2017 at 10:28:22PM +0200, Fabien VINCENT wrote:
> 
> On 2017-09-22 15:23, Fabien VINCENT wrote:
> 
> Hi,
> 
> I'm looking for some examples around fwdstatus on pretag
> 
> _'fwdstatus' MATCH: In NFv9/IPFIX this is compared against IE #89; see
> https://www.iana.org/assignments/ipfix/ipfix.xhtml for the specific
> semantics of the field and some examples._
> 
> How to use it? I was looking to do kind of pretag like
> 
> set_tag=0 fwdstatus=00b
> 
> set_tag=1 fwdstatus=01b
> 
> set_tag=2 fwdstatus=10b
> 
> Is it the way of dealing with this parameter ?
> 
> --
> 
> FABIEN VINCENT
> ___
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
> 
> Is the option available ?
> Sep 24 22:30:13 INFO ( default/core ): Trying to (re)load map:
> /etc/pmacct/nfacctd.pretag.map
> Sep 24 22:30:13 ERROR ( default/core ): unknown key 'fwdstatus' at line
> 1 in map '/etc/pmacct/nfacctd.pretag.map'. Ignored.
> Sep 24 22:30:13 ERROR ( default/core ): unknown key 'fwdstatus' at line
> 2 in map '/etc/pmacct/nfacctd.pretag.map'. Ignored.
> 
> [22:30 root@netflows pmacct-master] > cat /etc/pmacct/nfacctd.pretag.map
> set_tag=1 fwdstatus=65
> set_tag=2 fwdstatus=138
> 
> --
> 
> FABIEN VINCENT
> ---
> 
> 
> I'm running the git master version (I tried)
> 
> [15:36 root@netflows opt] > /usr/local/sbin/nfacctd -V
> NetFlow Accounting Daemon, nfacctd 1.7.0-git (20170924-00)
> 
> Arguments:
> '--build=x86_64-linux-gnu' '--prefix=/usr/local' 
> '--includedir=${prefix}/include'
> '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info'
> '--sysconfdir=/etc' '--localstatedir=/var' 
> '--libdir=/usr/lib/x86_64-linux-gnu'
> '--libexecdir=${prefix}/lib/x86_64-linux-gnu' '--disable-maintainer-mode'
> '--disable-dependency-tracking' '--enable-mmap' '--enable-pgsql'
> '--with-pgsql-includes=/usr/include/postgresql' '--enable-mysql'
> '--enable-sqlite3' '--enable-ipv6' '--enable-v4-mapped' '--enable-64bit'
> '--enable-threads' '--enable-jansson' '--enable-geoip' '--enable-ulog'
> 'build_alias=x86_64-linux-gnu' '--enable-l2' '--enable-traffic-bins'
> '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
> 
> Libs:
> libpcap version 1.6.2
> MySQL 5.5.57
> PostgreSQL 90413
> sqlite3 3.8.7.1
> jansson 2.7
> 
> System:
> Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64
> 
> For suggestions, critics, bugs, contact me: Paolo Lucente <
> pa...@pmacct.net>.
> 
> But seems option not caught, I always have the log
> 
> unknown key 'fwdstatus' at line
> 1 in map '/etc/pmacct/nfacctd.pretag.map'. Ignored.
> 
> [09:23 root@netflows opt] > cat /etc/pmacct/nfacctd.pretag.map
> set_tag=1 fwdstatus=65
> set_tag=2 fwdstatus=138
> 
> Any ETA for v1.7.0 out ?
> 
> Thanks for your help.
> 
> --
> *Fabien VINCENT*
> ---
> 


Hey, 

In fact, it works, I found a bug in my systemd/sysinit scripts so daemon
was not launched with the right package. 

I fixed the daemon to start, on bash directly and it works ! Thanks for
the patch, now looking why I have strange 60/62 decimal values on some
exports. 

Thanks Emil for the patch and Paolo for the 
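
An added example (not from the thread or from pmacct's source) of the two points discussed above: atoi() reads the binary-looking strings "00b", "01b" and "10b" as decimal 0, 1 and 10, and IPFIX IE #89 packs a 2-bit status class above a 6-bit reason code. All helper names are hypothetical; the sample values are the ones quoted in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* IPFIX IE #89 (forwardingStatus): top 2 bits = status class, low 6 bits = reason code. */
static const char *const FWD_CLASS[] = { "unknown", "forwarded", "dropped", "consumed" };

static unsigned fwd_class_id(unsigned v) { return (v >> 6) & 0x3; }
static unsigned fwd_reason(unsigned v)   { return v & 0x3f; }
static unsigned fwd_compose(unsigned class_id, unsigned reason)
{
    return ((class_id & 0x3) << 6) | (reason & 0x3f);
}

/* Hypothetical helper: read a map value with atoi(), as the thread says is done. */
static unsigned parse_fwdstatus(const char *s) { return (unsigned)atoi(s); }

/* Hypothetical lint check: accept only plain decimal 0..255, which atoi() does not enforce. */
static int is_plain_decimal_u8(const char *s)
{
    char *end;
    long v;
    if (!isdigit((unsigned char)s[0])) return 0;
    v = strtol(s, &end, 10);
    return *end == '\0' && v <= 255;
}

int main(void)
{
    /* Values quoted in the thread: the binary-looking attempts, then the decimal ones. */
    const char *samples[] = { "00b", "01b", "10b", "64", "65", "129", "138" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned v = parse_fwdstatus(samples[i]);
        printf("fwdstatus=%-3s atoi=%3u class=%-9s reason=%2u%s\n", samples[i], v,
               FWD_CLASS[fwd_class_id(v)], fwd_reason(v),
               is_plain_decimal_u8(samples[i]) ? "" : "  (not plain decimal)");
    }
    /* Going the other way: class "dropped" (2) with reason 1 is the 129 used in Emil's map. */
    printf("dropped + reason 1 -> fwdstatus=%u\n", fwd_compose(2, 1));
    return 0;
}
```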

Re: [pmacct-discussion] Wrong timestamp for netflow streams in sql history

2017-09-26 Thread Paolo Lucente

Hi Eythor,

Your config looks simple and correct. I would have told you to check
time on the box where you are running pmacct but you confirmed all is
good there so i'm not sure. I'm willing to take a look myself; if that
is an option please follow-up by unicast email. As a workaround i can
suggest to use 'nfacctd_time_new: true' so to use flow arrival time at
the collector as reference for time-binning.  

Paolo

On Mon, Sep 25, 2017 at 05:19:08PM +, Eyþór Ívarsson wrote:
> Hi,
> 
> I'm trying to figure out an issue with the aggregation for sql_history
> methods for Netflow.
> For some reason I run into issues with the stamp_inserted value being way
> off and wrong.
> 
> According to my flow the following raw Netflow stream gets a weird
> timestamp inserted into the sql.
> 
> The raw flow in nfdump:
> Flow Record:
>   Flags=  0x06 FLOW, Unsampled
>   export sysid = 1
>   size =60
>   first=1506114959 [2017-09-22 21:15:59]
>   last =1506115055 [2017-09-22 21:17:35]
>   msec_first   =   831
>   msec_last=   236
>   src addr = 192.168.1.143
>   dst addr = 192.168.1.255
>   src port =   138
>   dst port =   138
>   fwd status   = 0
>   tcp flags=  0x00 ..
>   proto=17 UDP
>   (src)tos = 0
>   (in)packets  = 2
>   (in)bytes=   465
>   input= 2
>   output   = 0
> 
> This gets inserted into sql with this command:
> DEBUG ( in/mysql ): INSERT INTO `acct_in` (stamp_updated, stamp_inserted,
> ip_dst, src_port, dst_port, ip_proto, mac_src, mac_dst, ip_src, packets,
> bytes) VALUES (FROM_UNIXTIME(1506160141), FROM_UNIXTIME(1501819200),
> '192.168.1.255', 0, 0, 'ip', '0:0:0:0:0:0', '0:0:0:0:0:0', '0.0.0.0', 2,
> 465)
> 
> So the flow has the flow start value timestamp: 1506114959 (
> 2017-09-22T21:15:59+00:00 in ISO 8601)
> But sql insert has been rounded off to 1501819200 (
> 2017-08-04T04:00:00+00:00 in ISO 8601)
> 
> The config I'm running is:
> daemonize: false
> nfacctd_port: 5678
> aggregate[in]: dst_host
> aggregate_filter[in]: dst net 192.168.0.0/16
> print_refresh_time: 30
> plugins: mysql[in]
> sql_db: pmacct
> sql_host: 127.0.0.1
> sql_table[in]: acct_in
> sql_table_version: 1
> sql_passwd: xxx
> sql_user: pmacct
> sql_refresh_time: 5
> sql_history: 1h
> sql_history_roundoff: h
> 
> The time is correct on all machines involved.
> 
> The version I'm running: NetFlow Accounting Daemon, nfacctd 1.6.2-git
> (20170401-00+c1)
> Built with only mysql enabled.
> 
> Any suggestions on what I could be doing wrong is appreciated :)
> 
> -- 
> 
> Regards,
> eyth...@omg.is


