Re: [pmacct-discussion] icmp6 netflow 9 not including type & code sometimes
More information: pmacctd -V Promiscuous Mode Accounting Daemon, pmacctd 1.7.9-git [RELEASE] Arguments: '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins' Libs: cdada 0.4.0 libpcap version 1.10.1 (with TPACKET_V3) Plugins: memory print nfprobe sfprobe tee System: Linux 5.19.9-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Sep 15 09:49:52 UTC 2022 x86_64 Compiler: gcc 12.2.1 === Config file (sending netflow to IPv6 loopback interface for capture with nfcapd): ! daemonize: true ! pcap_interface: eth0 aggregate: src_host, dst_host, src_port, dst_port, proto, tcpflags, tos plugins: nfprobe nfprobe_receiver: [::1]:9995 nfprobe_version: 9 = Still, the netflow captured with the config above doesn't have the icmp6 type and code values set correctly, but are always zeros. On 9/25/2022 10:21 PM, fireballiso wrote: Hi! I use pmacctd to generate netflow 9 for two interfaces on a physical (not virtual) Linux machine. The flows from one interface shows icmp and icmp6 protocols with the type and code as expected in the dst_port, and the other interface only shows icmp type and code correctly; the icmp6 type and code are always 0, regardless of the true values. Another machine (a VMWare virtual machine, running on ESXi 7) generates netflow 9 for an interface that only has IPv6 addresses; this also shows the icmp6 type and code as always 0. The interfaces on both machines have identical pmacctd configurations (except for the interface names), and the pmacctd versions are identical (cloned from github). What would cause the icmp6 type and code to not be set correctly for two interfaces, but correctly for another one? -Indy -- -Indy fireball...@yahoo.com ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
[pmacct-discussion] icmp6 netflow 9 not including type & code sometimes
Hi! I use pmacctd to generate netflow 9 for two interfaces on a physical (not virtual) Linux machine. The flows from one interface shows icmp and icmp6 protocols with the type and code as expected in the dst_port, and the other interface only shows icmp type and code correctly; the icmp6 type and code are always 0, regardless of the true values. Another machine (a VMWare virtual machine, running on ESXi 7) generates netflow 9 for an interface that only has IPv6 addresses; this also shows the icmp6 type and code as always 0. The interfaces on both machines have identical pmacctd configurations (except for the interface names), and the pmacctd versions are identical (cloned from github). What would cause the icmp6 type and code to not be set correctly for two interfaces, but correctly for another one? -Indy -- -Indy fireball...@yahoo.com ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] How to record ICMP and ICMP6 types/codes by pmacctd?
Hi Paolo, Sorry, I should have said I was replacing the netflow *generators*, not collectors. My mistake! Yes, I posted the config that generates the netflow 9 flows, since I hoped to see if it was missing something for including the ICMP and ICMP6 types/codes. -Indy On 4/13/2020 8:59 AM, Paolo Lucente wrote: Hi, Let me confirm that collecting the ICMP type is partially supported; the native dst_port primitive is locked to UDP and TCP only - making this not suitable for NetFlow v5 kind of scenarios; but if using NetFlow v9 and/or IPFIX you could define your own custom primitive via the aggregate_primitives infrastructure, see also an example here: https://github.com/pmacct/pmacct/blob/1.7.4/examples/primitives.lst.example By the way: you speak collecting NetFlow but your config example is actually about the 'nfprobe' plugin, that is, generating NetFlow out of raw traffic. Is that what you are after? Paolo On Sun, Apr 12, 2020 at 04:20:08PM -0400, fireballiso wrote: Hi! I've started using pmacctd to replace old netflow collectors for my main and test networks, which run both IPv6 and IPv4. It works very well, except that I haven't yet found a way to record the ICMP and ICMP6 types and codes. In other collectors, these are often stored in the destination port (otherwise unused for ICMP/ICMP6), in the format "A.B", where A is the type and B is the code. For example, "3.1" would represent ICMP type 3 (Destination Unreachable), code 1 (Host Unreachable). I see lots of ICMP and ICMP6 flows, but unfortunately, the destination port is always set to "0.0", as if nothing is being recorded there. A simple config: daemonize: true ! interface: net1 aggregate: src_host, dst_host, src_port, dst_port, proto, tos plugins: nfprobe nfprobe_receiver: 192.168.14.2:9997 nfprobe_version: 9 I haven't found documentation or examples that show how to enable recording the types and codes, and no relevant primitives to add to the aggregate statement. Would someone be able to tell me how to do this? Thank you! -Indy ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists -- -Indy fireball...@yahoo.com ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
[pmacct-discussion] How to record ICMP and ICMP6 types/codes by pmacctd?
Hi! I've started using pmacctd to replace old netflow collectors for my main and test networks, which run both IPv6 and IPv4. It works very well, except that I haven't yet found a way to record the ICMP and ICMP6 types and codes. In other collectors, these are often stored in the destination port (otherwise unused for ICMP/ICMP6), in the format "A.B", where A is the type and B is the code. For example, "3.1" would represent ICMP type 3 (Destination Unreachable), code 1 (Host Unreachable). I see lots of ICMP and ICMP6 flows, but unfortunately, the destination port is always set to "0.0", as if nothing is being recorded there. A simple config: daemonize: true ! interface: net1 aggregate: src_host, dst_host, src_port, dst_port, proto, tos plugins: nfprobe nfprobe_receiver: 192.168.14.2:9997 nfprobe_version: 9 I haven't found documentation or examples that show how to enable recording the types and codes, and no relevant primitives to add to the aggregate statement. Would someone be able to tell me how to do this? Thank you! -Indy ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists