Re: [pmacct-discussion] pmacct-discussion Digest, Vol 179, Issue 2
Many thanks Paolo, that works very well :-)

On Tue, Jun 9, 2020 at 1:00 PM wrote:

> Today's Topics:
>
>    1. Re: networks_file reload (Paolo Lucente)
>
> -- Forwarded message --
> From: Paolo Lucente
> To: pmacct-discussion@pmacct.net
> Date: Mon, 8 Jun 2020 15:56:55 +
> Subject: Re: [pmacct-discussion] networks_file reload
>
> Hi Olaf,
>
> To confirm that the file is reloaded. Unfortunately all log messages in
> loading up a networks_file are related to errors, warnings and debug. No
> info message to say that simply all went good. So I just added one as an
> action item for the issue you raised:
>
> https://github.com/pmacct/pmacct/commit/5f4c424f86d20821b4c028d9d180aa506f76
>
> Now you can see the file is loaded upon startup and also upon sending a
> SIGUSR2 to the process(es). Thank you!
>
> Paolo
>
> On Fri, Jun 05, 2020 at 11:16:19AM +0100, Olaf de Bree wrote:
> > Hi all,
> >
> > hoping someone can help.
> >
> > I am using networks_file to map ASNs to prefixes under nfacctd version 1.7.5
> >
> > The pmacct documentation suggests under the maps_refresh directive that
> > the networks_file is reloadable via -SIGUSR2 but when I issue a "pkill
> > -SIGUSR2 nfacctd" while running debug I see evidence that pre_tag_map is
> > reloaded in the logs but not the networks_file.
> >
> > Is the networks_file silently reloaded with no log? or could this be a bug?
> >
> > Thanks in advance
> > Olaf
[pmacct-discussion] networks_file reload
Hi all,

hoping someone can help.

I am using networks_file to map ASNs to prefixes under nfacctd version 1.7.5

The pmacct documentation suggests under the maps_refresh directive that the networks_file is reloadable via -SIGUSR2 but when I issue a "pkill -SIGUSR2 nfacctd" while running debug I see evidence that pre_tag_map is reloaded in the logs but not the networks_file.

Is the networks_file silently reloaded with no log? or could this be a bug?

Thanks in advance
Olaf
Re: [pmacct-discussion] AMQP Compile issue
Hi Paolo,

I am sorry.

1. I misspelled your name on the previous email.
2. I posted this question a little prematurely.

It seems the compile error was caused by rabbitmq-c 0.6.0; using version 0.5.2 compiles fine.

Thanks
Olaf

On Fri, Mar 27, 2015 at 3:47 PM, Olaf de Bree wrote:

> Hi Palo,
>
> Hope you are doing well.
>
> I am having a little bit of an issue with the AMQP plugin when compiling
> on Centos 6.6.
>
> I am using the following
>
> pmacct 1.51
> rabbitmq server 3.5.0
> jansson 2.7
> rabbitmq-c 0.6.0
>
> Configure seems to pass OK
>
> [root@lnflow01 pmacct-1.5.1]# ./configure --enable-mysql --enable-rabbitmq --with-rabbitmq-libs=/usr/local/lib/ --with-rabbitmq-includes=/usr/local/include/ --enable-jansson
[pmacct-discussion] AMQP Compile issue
Hi Palo,

Hope you are doing well.

I am having a little bit of an issue with the AMQP plugin when compiling on Centos 6.6.

I am using the following

pmacct 1.51
rabbitmq server 3.5.0
jansson 2.7
rabbitmq-c 0.6.0

Configure seems to pass OK

[root@lnflow01 pmacct-1.5.1]# ./configure --enable-mysql --enable-rabbitmq --with-rabbitmq-libs=/usr/local/lib/ --with-rabbitmq-includes=/usr/local/include/ --enable-jansson
loading cache ./config.cache
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether build environment is sane... yes
checking whether make sets ${MAKE}... (cached) yes
checking for working aclocal-1.4... missing
checking for working autoconf... found
checking for working automake-1.4... missing
checking for working autoheader... found
checking for working makeinfo... missing
checking for gcc... (cached) gcc
checking whether the C compiler (gcc ) works... yes
checking whether the C compiler (gcc ) is a cross-compiler... no
checking whether we are using GNU C... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking OS... Linux
checking hardware... x86_64
checking for ranlib... (cached) ranlib
checking whether to enable debugging compiler options... no
checking whether to relax compiler optimizations... no
checking whether to disable linking against shared objects... no
checking for dlopen... (cached) no
checking for dlopen in -ldl... (cached) yes
checking for gmake... (cached) gmake
checking whether gmake sets ${MAKE}... (cached) yes
checking for __progname... yes
checking for extra flags needed to export symbols... --export-dynamic
checking for static inline... yes
checking endianess... little
checking unaligned accesses... ok
checking whether to enable L2 features... yes
checking whether to enable IPv6 code... no
checking whether to enable IP prefix labels... checking default locations for pcap.h... found in /usr/include
checking default locations for libpcap... no
checking for pcap_dispatch in -lpcap... (cached) yes
checking for pcap_setnonblock in -lpcap... (cached) yes
checking packet capture type... linux
checking whether to enable MySQL support... checking how to run the C preprocessor... (cached) gcc -E
yes
checking default locations for libmysqlclient... found in /usr/lib64/mysql
checking for main in -lstdc++... (cached) yes
checking for clock_gettime in -lrt... (cached) yes
checking default locations for mysql.h... found in /usr/include/mysql
checking whether to enable PostgreSQL support... no
checking whether to enable MongoDB support... no
checking whether to enable SQLite3 support... no
checking whether to enable RabbitMQ/AMQP support... yes
checking your own RabbitMQ library... ok
checking your own RabbitMQ headers... ok
checking whether to enable GeoIP support... no
checking whether to enable Jansson support... yes
checking default locations for Jansson library... found in /usr/local/lib
checking default locations for jansson.h... found in /usr/local/include
checking for ANSI C header files... (cached) yes
checking for sys/wait.h that is POSIX.1 compatible... (cached) yes
checking for getopt.h... (cached) yes
checking for sys/select.h... (cached) yes
checking for sys/time.h... (cached) yes
checking for u_int64_t in sys/types.h... yes
checking for u_int32_t in sys/types.h... yes
checking for u_int16_t in sys/types.h... yes
checking for u_int8_t in sys/types.h... yes
checking for uint64_t in sys/types.h... no
checking for uint32_t in sys/types.h... no
checking for uint16_t in sys/types.h... no
checking for uint8_t in sys/types.h... no
checking whether to enable 64bit counters... yes
checking whether to enable multithreading in pmacct... yes
checking whether to enable ULOG support... no
checking return type of signal handlers... (cached) void
checking for strlcpy... (cached) no
checking for vsnprintf... (cached) yes
checking for setproctitle... (cached) no
checking for mallopt... (cached) yes

PLATFORM . : x86_64
OS ... : Linux 2.6.32-504.12.2.el6.x86_64 (lnflow01.shynet.local)
COMPILER . : gcc
CFLAGS ... : -O2 -g -O2 -I/usr/local/include -I/usr/local/include
LIBS . : -lpcap -ldl -L/usr/lib64/mysql -lmysqlclient -lstdc++ -lrt -L/usr/local/lib -lrabbitmq -L/usr/local/lib -ljansson -lm -lz -lpthread
SERVER_LIBS ...: -lnfprobe_plugin -Lnfprobe_plugin/ -lsfprobe_plugin -Lsfprobe_plugin/ -lbgp -Lbgp/ -ltee_plugin -Ltee_plugin/ -lisis -Lisis/ -lbmp -Lbmp/
LDFLAGS .. : -Wl,--export-dynamic

Now type 'make' to compile the source code.

Are you willing to get in touch with other pmacct users?
Join the pmacct mailing-list by sending a message to pmacct-discussion-subscr...@pmacct.net

Need for documentation and examples?
Read the README file or go to http://wiki.pmacct.net/

creating ./config.status
creating Makefile
creating src/Makefile
creating src/nfprobe_plugin/Makefile
creating src/sfprobe_plugin/Makefile
creating src/bgp/
Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD
Thanks for your help Paolo,

Using your suggested config I'm beginning to get output that would work for me (see below).

I am however not seeing the NBAR application ID being populated in the class field. I have double checked the incoming netflow data with wireshark to make sure that the application ID is actually being exported and it all looks OK. Is there some extra configuration I need to perform to achieve this?

Many thanks
Olaf

# pmacct -s
CLASS SRC_IP PACKETS BYTES
unknown 10.1.0.204 303
unknown 10.1.0.7 2 473
unknown 0.0.0.0 52140 36474168
unknown 10.1.0.3 40341 35254306
unknown 10.1.0.233 234
Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD
Sorry, this should have gone to the list, not direct.

Hi Paolo,

Thanks for the swift reply!!

At the moment I'm really just doing some proof of concept testing using a 7200 IOS 15.1 on a Dynamips hypervisor, but if all works according to plan I would look at putting it into production using a Cisco ASR1000.

I have nfacctd up and running and it is receiving flows from my test router. When doing a debug I can see the #95 field arrive in the netflow template (see debug below).

My nfacctd.conf file is below.

What I'm really not sure of is how to filter or report on the #95 (Application ID) field on incoming flows and also store it in a DB.

For example: I would like to account bidirectional traffic for subscriber IP address 192.168.0.1 where NBAR protocol ID is equal to 85 (youtube)

Your help is greatly appreciated

Many thanks
Olaf

nfacctd.conf

[root@OpenDPI ~]# cat nfacct.conf
!
! nfacctd configuration example
!
! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
! supported by 'nfacctd' and 'pmacctd' ?
!
! aggregate_filter[dummy]: src net 192.168.0.0/16
aggregate: src_host, dst_host, src_port, dst_port, proto
plugins: memory
! plugin_buffer_size: 1024
nfacctd_port: 9996
nfacctd_time_secs: true
nfacctd_time_new: true

nfacctd debug output:

DEBUG ( default/core ): NfV9 agent : 192.168.1.230:0
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 259
DEBUG ( default/core ):
DEBUG ( default/core ): | field type     | offset | size |
DEBUG ( default/core ): | IPv4 src addr  | 0      | 4    |
DEBUG ( default/core ): | IPv4 dst addr  | 4      | 4    |
DEBUG ( default/core ): | 95             | 8      | 4    |
DEBUG ( default/core ): | input snmp     | 12     | 4    |
DEBUG ( default/core ): | L4 src port    | 16     | 2    |
DEBUG ( default/core ): | L4 dst port    | 18     | 2    |
DEBUG ( default/core ): | tos            | 20     | 1    |
DEBUG ( default/core ): | L4 protocol    | 21     | 1    |
DEBUG ( default/core ): | IPv4 src mask  | 22     | 1    |
DEBUG ( default/core ): | IPv4 dst mask  | 23     | 1    |
DEBUG ( default/core ): | tcp flags      | 24     | 1    |
DEBUG ( default/core ): | direction      | 25     | 1    |
DEBUG ( default/core ): | 195            | 26     | 1    |
DEBUG ( default/core ): | in src mac     | 27     | 6    |
DEBUG ( default/core ): | dst as         | 33     | 2    |
DEBUG ( default/core ): | 182            | 35     | 2    |
DEBUG ( default/core ): | 183            | 37     | 2    |
DEBUG ( default/core ): | 180            | 39     | 2    |
DEBUG ( default/core ): | 181            | 41     | 2    |
DEBUG ( default/core ): | IPv4 next hop  | 43     | 4    |
DEBUG ( default/core ): | 44             | 47     | 4    |
DEBUG ( default/core ): | sampler ID     | 51     | 4    |
DEBUG ( default/core ): | in bytes       | 55     | 4    |
DEBUG ( default/core ): | in packets     | 59     | 4    |
DEBUG ( default/core ): | first switched | 63     | 4    |
DEBUG ( default/core ): | last switched  | 67     | 4    |
DEBUG ( default/core ): | output snmp    | 71     | 4    |
DEBUG ( default/core ): | 54             | 75     | 4    |
DEBUG ( default/core ):
DEBUG ( default/core ): Netflow V9/IPFIX record size : 79
DEBUG ( default/core ):

Cisco 7200 FNF Config

flow record nbar-monitor
 description "Netflow NBAR monitor"
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect datalink mac source address input
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 id
 collect ipv4 source prefix
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport tcp flags
 collect transport udp source-port
 collect transport udp destination-port
 collect interface output
 collect flow direction
 collect flow sampler
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter export-to-plixer
 description "Export to Plixer Scrutiniser"
 destination 192.168.1.21 vrf IPS
 transport udp 9996
 template data timeout 60
 option interface-table
 option exporter-stats
!
!
flow monitor customer-mon
 record nbar-monitor
 exporter export-to-plixer
 cache timeout active 60
!
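The following is an added example, not part of the original message and not pmacct code: it decodes a data record laid out as in the template 259 debug output above (field 95 at offset 8, byte and packet counters at offsets 55 and 59) and sums bidirectional traffic for one subscriber and one application ID. Splitting field 95 into a one-byte classification engine ID and a three-byte selector ID follows RFC 6759; the function names, the peer addresses, the engine ID byte and the sample records are constructed for illustration, while the subscriber 192.168.0.1 and ID 85 are the values used in the message.

```python
import ipaddress
from collections import defaultdict

# (offset, size) pairs copied from the nfacctd debug output for template 259.
TEMPLATE_259 = {
    "ipv4_src_addr": (0, 4),
    "ipv4_dst_addr": (4, 4),
    "application_id": (8, 4),  # listed as field type 95 in the debug output
    "in_bytes": (55, 4),
    "in_packets": (59, 4),
}
RECORD_SIZE = 79  # "Netflow V9/IPFIX record size : 79"

def field(record, name):
    offset, size = TEMPLATE_259[name]
    return record[offset:offset + size]

def decode_record(record):
    if len(record) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(record)}")
    app = field(record, "application_id")
    return {
        "src": str(ipaddress.IPv4Address(field(record, "ipv4_src_addr"))),
        "dst": str(ipaddress.IPv4Address(field(record, "ipv4_dst_addr"))),
        # RFC 6759 layout: one byte of classification engine ID, then the selector ID.
        "engine_id": app[0],
        "selector_id": int.from_bytes(app[1:], "big"),
        "bytes": int.from_bytes(field(record, "in_bytes"), "big"),
        "packets": int.from_bytes(field(record, "in_packets"), "big"),
    }

def account(records, subscriber, selector_id):
    """Sum flows, packets and bytes in both directions for one subscriber and application."""
    totals = defaultdict(int)
    for rec in map(decode_record, records):
        if rec["selector_id"] == selector_id and subscriber in (rec["src"], rec["dst"]):
            totals["flows"] += 1
            totals["packets"] += rec["packets"]
            totals["bytes"] += rec["bytes"]
    return dict(totals)

def make_record(src, dst, engine_id, selector_id, nbytes, npackets):
    """Build a constructed 79-byte record; fields not decoded above stay zero."""
    buf = bytearray(RECORD_SIZE)
    buf[0:4] = ipaddress.IPv4Address(src).packed
    buf[4:8] = ipaddress.IPv4Address(dst).packed
    buf[8:12] = bytes([engine_id]) + selector_id.to_bytes(3, "big")
    buf[55:59] = nbytes.to_bytes(4, "big")
    buf[59:63] = npackets.to_bytes(4, "big")
    return bytes(buf)

SAMPLE = [  # constructed records, not captured traffic
    make_record("192.168.0.1", "203.0.113.10", 13, 85, 1500, 3),
    make_record("203.0.113.10", "192.168.0.1", 13, 85, 90000, 70),
    make_record("192.168.0.1", "203.0.113.20", 13, 80, 400, 2),
]

if __name__ == "__main__":
    print(account(SAMPLE, "192.168.0.1", 85))
```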
[pmacct-discussion] nfacctd and Netflow v9 nbar Application iD
Hi all,

I am very new to pmacct, just came across it today actually when looking for a way to account application traffic for subscribers in our network.

Basically I'm looking to account traffic moving to and from a subscriber based on a Flexible netflow NBAR application ID.

For example the output may be as such:

Subscriber IP   NBAR APP ID   Sum Flows   Sum Bytes
x.x.x.x         x             x           x

According to the pmacct documentation it supports the NBAR application ID field but I'm really not sure how to account on it.

Any help would be very much appreciated

Cheers
Olaf