Hi Alex,

Is it possible that with the new setup - the one where pre_tag_map does
not match anything - the traffic is VLAN-tagged (or MPLS-labelled)? If so,
you should adjust filters accordingly and add 'vlan and', i.e. "vlan and
src net 192.168.28.0/24 or vlan and src net 192.168.100.0/24".

Paolo
 
On Fri, Feb 21, 2020 at 01:04:25PM +0200, Alex K wrote:
> Working further on this, it seems that for pmacct it is sufficient to filter
> traffic using only the pre_tag_filter, thus no need for the aggregation
> filters.
> The issue with this setup though is that I lose the information of the
> pre_nat source IP address when monitoring at the WAN interfaces. Due to
> this I am switching to uacctd as follows:
> 
> !
> daemonize: true
> promisc:   false
> uacctd_group: 1
> !networks_file: networks.lst
> !ports_file: ports.lst
> !
> pre_tag_map: pretag2.map
> pre_tag_filter[print_wan0_in]: 1
> pre_tag_filter[print_wan0_out]: 2
> pre_tag_filter[wan0_in]: 1
> pre_tag_filter[wan0_out]: 2
> !
> plugins: print[print_wan0_in], print[print_wan0_out], mysql[wan0_in], mysql[wan0_out]
> plugin_pipe_size[wan0_in]: 1024000
> plugin_pipe_size[wan0_out]: 1024000
> print_refresh_time: 10
> print_history: 15m
> print_output_file_append: true
> !
> print_output[print_wan0_in]: csv
> print_output_file[print_wan0_in]: in_traffic.csv
> print_output[print_wan0_out]: csv
> print_output_file[print_wan0_out]: out_traffic.csv
> !
> aggregate[print_wan0_in]: dst_host, src_port, dst_port, proto
> aggregate[print_wan0_out]: src_host, src_port, dst_port, proto
> !
> sql_table[wan0_in]: traffic_wan0_in_%Y%m%d_%H%M
> sql_table[wan0_out]: traffic_wan0_out_%Y%m%d_%H%M
> !
> sql_table_schema[wan0_in]: traffic_wan0_in.schema
> sql_table_schema[wan0_out]: traffic_wan0_out.schema
> !
> sql_host: localhost
> sql_db : uacct
> sql_user : uacct
> sql_passwd: uacct
> sql_refresh_time: 30
> sql_optimize_clauses: true
> sql_history : 24h
> sql_history_roundoff: mhd
> !
> aggregate[wan0_in]: dst_host, src_port, dst_port, proto
> aggregate[wan0_out]: src_host, src_port, dst_port, proto
> 
> Where pretag2.map:
> set_tag=1 filter='src net 192.168.28.0/24 or src net 192.168.100.0/24'
> set_tag=2 filter='dst net 192.168.28.0/24 or dst net 192.168.100.0/24'
> 
> The issue I have with the above config is that no traffic is being
> collected at all. I confirm that when removing the pre_tag filters, traffic
> is collected, though it is not sorted per direction as I would like to
> have.
> Can I use pre_tag_map and pre_tag_filter with uacctd? I don't see any
> examples for uacctd at
> https://github.com/pmacct/pmacct/blob/master/examples/pretag.map.example.
> 
> Thanx,
> Alex
> 
> On Thu, Feb 20, 2020 at 6:33 PM Alex K <rightkickt...@gmail.com> wrote:
> 
> > Hi all,
> >
> > I have a router with multiple interfaces and will need to account traffic
> > at its several WAN interfaces. My purpose is to account the traffic with the
> > tuple details and the direction.
> >
> > As a test I have compiled the following simple configuration for pmacctd:
> >
> > !
> > daemonize: true
> > plugins: print[wan0_in], print[wan0_out]
> > print_refresh_time: 10
> > print_history: 15m
> > !
> > print_output[wan0_in]: csv
> > print_output_file[wan0_in]: in_traffic.csv
> > print_output[wan0_out]: csv
> > print_output_file[wan0_out]: out_traffic.csv
> > !
> > aggregate[wan0_in]: src_host, dst_host, src_port, dst_port, tag
> > aggregate[wan0_out]: src_host, dst_host, src_port, dst_port, tag
> > !
> > pre_tag_filter[wan0_in]:1
> > pre_tag_filter[wan0_out]:2
> > !
> > pcap_interface: eth0
> > pre_tag_map: pretag.map
> > networks_file: networks.lst
> > ports_file: ports.lst
> > !
> >
> > where pretag.map is:
> > set_tag=1 filter='ether dst 52:54:00:69:a6:0b'
> > set_tag=2 filter='ether src 52:54:00:69:a6:0b'
> >
> > and networks.lst is:
> > 10.100.100.0/24
> >
> > It seems that the details output at the CSV are correctly filtered
> > according to the tag, thus recording the direction also, based on the MAC
> > address of the WAN0 interface.
> >
> > Is this the correct approach to achieve this or is there any other
> > recommended way? Do I need to use aggregate_filters?
> >
> > Also, although I have set a network filter to capture only 10.100.100.0/24,
> > I observe several networks in/out being collected, indicating that the
> > network_file directive is ignored or I have misunderstood its purpose. My
> > purpose is to collect traffic only generated from subnets that belong to
> > configured interfaces of the router.
> >
> > Thanx for your feedback!
> > Alex
> >
> >
> >

> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists

