Re: [pmacct-discussion] netflow v9 ifindex always 0 - pmacct version 1.5.1
Hi Paolo,

Adding nfprobe_direction worked.

Thanks again,
Steve

On 07/19/2015 04:23 AM, Paolo Lucente wrote:
> Hi Steve,
>
> Inline:
>
> On Fri, Jul 17, 2015 at 07:36:31AM -0400, Steve Clark wrote:
>> Am I not able to simply put something like:
>>
>> interface: p4p1
>> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
>> plugins: nfprobe[p4p1]
>> nfprobe_receiver: 10.0.129.71:2055
>> nfprobe_version: 9
>> nfprobe_ifindex[p4p1]: 4
>>
>> in my config file?
>
> Yes, just set nfprobe_direction to 'in' or 'out' and you should start seeing interfaces populated. I'm afraid without something dynamic based on a map you may hit a conceptual issue since you should be capturing both directions of traffic.
>
>> I tried to use a pre-tag filter like
>> nfprobe_ifindex[p4p1]: tag
>> pre_tag_map: ./my.pretag.map
>>
>> then edited my.pretag.map as follows:
>> set_tag=4 filter='net 0.0.0.0/0'
>
> Again, nfprobe_direction is missing. nfprobe_ifindex is in addition to nfprobe_direction but I reckon the documentation in QUICKSTART may be confusing and definitely it misses an example where all the pieces are put together (will fix this asap).
>
> So imagine you have prefix X.X.X.X connected on interface 10 and Y.Y.Y.Y connected on interface 20, this should be the config:
>
> nfprobe_direction: tag
> nfprobe_ifindex: tag2
> pre_tag_map: /path/to/pretag.map
>
> Then in pretag.map:
>
> set_tag=1 filter='src net X.X.X.X' jeq=eval_ifindex
> set_tag=2 filter='dst net X.X.X.X' jeq=eval_ifindex
> set_tag=1 filter='src net Y.Y.Y.Y' jeq=eval_ifindex
> set_tag=2 filter='dst net Y.Y.Y.Y' jeq=eval_ifindex
> set_tag=999 filter='net 0.0.0.0/0'
> set_tag2=10 filter='src net X.X.X.X' label=eval_ifindex
> set_tag2=10 filter='dst net X.X.X.X'
> set_tag2=20 filter='src net Y.Y.Y.Y'
> set_tag2=20 filter='dst net Y.Y.Y.Y'
>
> Cheers,
> Paolo

--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] netflow v9 ifindex always 0 - pmacct version 1.5.1
Hi Steve,

Inline:

On Fri, Jul 17, 2015 at 07:36:31AM -0400, Steve Clark wrote:
> Am I not able to simply put something like:
>
> interface: p4p1
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
> plugins: nfprobe[p4p1]
> nfprobe_receiver: 10.0.129.71:2055
> nfprobe_version: 9
> nfprobe_ifindex[p4p1]: 4
>
> in my config file?

Yes, just set nfprobe_direction to 'in' or 'out' and you should start seeing interfaces populated. I'm afraid without something dynamic based on a map you may hit a conceptual issue since you should be capturing both directions of traffic.

> I tried to use a pre-tag filter like
> nfprobe_ifindex[p4p1]: tag
> pre_tag_map: ./my.pretag.map
>
> then edited my.pretag.map as follows:
> set_tag=4 filter='net 0.0.0.0/0'

Again, nfprobe_direction is missing. nfprobe_ifindex is in addition to nfprobe_direction but I reckon the documentation in QUICKSTART may be confusing and definitely it misses an example where all the pieces are put together (will fix this asap).

So imagine you have prefix X.X.X.X connected on interface 10 and Y.Y.Y.Y connected on interface 20, this should be the config:

nfprobe_direction: tag
nfprobe_ifindex: tag2
pre_tag_map: /path/to/pretag.map

Then in pretag.map:

set_tag=1 filter='src net X.X.X.X' jeq=eval_ifindex
set_tag=2 filter='dst net X.X.X.X' jeq=eval_ifindex
set_tag=1 filter='src net Y.Y.Y.Y' jeq=eval_ifindex
set_tag=2 filter='dst net Y.Y.Y.Y' jeq=eval_ifindex
set_tag=999 filter='net 0.0.0.0/0'
set_tag2=10 filter='src net X.X.X.X' label=eval_ifindex
set_tag2=10 filter='dst net X.X.X.X'
set_tag2=20 filter='src net Y.Y.Y.Y'
set_tag2=20 filter='dst net Y.Y.Y.Y'

Cheers,
Paolo
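To see what Paolo's two-stage map actually yields per flow, here is an added Python simulator (not pmacct's code and not from the thread): it walks a constructed copy of the map, with documentation prefixes standing in for X.X.X.X and Y.Y.Y.Y, top-down with jeq/label handled the way I read the pre_tag_map docs (an assumption), then applies the mapping nfprobe_direction: tag (1 = in, 2 = out) and nfprobe_ifindex: tag2 select. The third case shows why the catch-all set_tag=999 matters: a flow touching neither prefix still exports InputInt/OutputInt of 0, so a collector cannot attribute it to an interface.

```python
import ipaddress
import shlex
# Constructed copy of the map Paolo posted, with the X.X.X.X / Y.Y.Y.Y
# placeholders replaced by documentation prefixes (assumption).
PRETAG_MAP = """
set_tag=1 filter='src net 192.0.2.0/24' jeq=eval_ifindex
set_tag=2 filter='dst net 192.0.2.0/24' jeq=eval_ifindex
set_tag=1 filter='src net 198.51.100.0/24' jeq=eval_ifindex
set_tag=2 filter='dst net 198.51.100.0/24' jeq=eval_ifindex
set_tag=999 filter='net 0.0.0.0/0'
set_tag2=10 filter='src net 192.0.2.0/24' label=eval_ifindex
set_tag2=10 filter='dst net 192.0.2.0/24'
set_tag2=20 filter='src net 198.51.100.0/24'
set_tag2=20 filter='dst net 198.51.100.0/24'
"""
def parse_map(text):
    # One rule per line, key=value tokens; shlex strips the filter's quotes.
    return [dict(tok.split("=", 1) for tok in shlex.split(line))
            for line in text.strip().splitlines()]

def filter_matches(expr, src, dst):
    # Only the filter forms used in the map: 'src net P', 'dst net P', 'net P'.
    parts = expr.split()
    net = ipaddress.ip_network(parts[-1])
    if parts[0] == "net":
        return src in net or dst in net
    return (src if parts[0] == "src" else dst) in net

def evaluate(rules, src, dst):
    # Top-down; the first matching rule stops evaluation unless it carries
    # jeq=<label>, in which case evaluation resumes at the labelled rule
    # (my reading of the pre_tag_map docs; assumption). Unset tags stay 0.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    labels = {r["label"]: i for i, r in enumerate(rules) if "label" in r}
    tag = tag2 = i = 0
    while i < len(rules):
        r = rules[i]
        if not filter_matches(r["filter"], src, dst):
            i += 1
            continue
        tag, tag2 = int(r.get("set_tag", tag)), int(r.get("set_tag2", tag2))
        if "jeq" not in r:
            break
        i = labels[r["jeq"]]
    return tag, tag2

def export_ifaces(tag, tag2):
    # nfprobe_direction: tag -> 1=in, 2=out; nfprobe_ifindex: tag2 fills
    # InputInt on 'in' and OutputInt on 'out'. Tag 999 (catch-all) exports 0/0.
    return (tag2, 0) if tag == 1 else (0, tag2) if tag == 2 else (0, 0)
```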
Re: [pmacct-discussion] netflow v9 ifindex always 0 - pmacct version 1.5.1
Hi Paolo,

On 07/17/2015 01:58 AM, Paolo Lucente wrote:
> Hi Steve,
>
> libpcap does not report such info due to no integration with the underlying OS. This is an advantage of using ULOG due to its tight coupling to the OS. Plus, in the QUICKSTART document "Quickstart guide to setup a NetFlow agent/probe" chapter it is described how pmacct can help setting direction and interface indexes based on MAC or IP addresses.

In my case I just need to be able to have one value in the InputInt: and OutputInt: fields, it doesn't need to be set based on any criteria.

I have read both the CONFIG-KEYS and the QUICKSTART guide, though I am not sure I understand them completely.

Am I not able to simply put something like:

interface: p4p1
aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
plugins: nfprobe[p4p1]
nfprobe_receiver: 10.0.129.71:2055
nfprobe_version: 9
nfprobe_ifindex[p4p1]: 4

in my config file?

I tried to use a pre-tag filter like
nfprobe_ifindex[p4p1]: tag
pre_tag_map: ./my.pretag.map

then edited my.pretag.map as follows:
set_tag=4 filter='net 0.0.0.0/0'

and still only saw the value 0 in the InputInt: and OutputInt: fields.

Thanks for taking the time to respond and making pmacct available.

> Cheers,
> Paolo
>
> On Thu, Jul 16, 2015 at 12:27:01PM -0400, Steve Clark wrote:
>> Hello,
>>
>> I have read the discussion in this email thread:
>> https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg02187.html
>> But still can't see anything but zero in the InputInt: and OutputInt: when looking at the exported packets with wireshark:
>>
>> Here is my simple config - could someone explain what I am doing wrong?
>>
>> !
>> ! pmacctd configuration example
>> !
>> ! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
>> ! supported by 'nfacctd' and 'pmacctd' ?
>> !
>> ! debug: true
>> daemonize: false
>> interface: p4p1
>> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
>> plugins: nfprobe[p4p1]
>> nfprobe_receiver: 10.0.129.71:2055
>> nfprobe_version: 9
>> nfprobe_ifindex[p4p1]: 4
>> ! nfprobe_engine: 1:1
>> ! nfprobe_timeouts: tcp=120:maxlife=3600
>> !
>> ! networks_file: /path/to/networks.lst
>> ! classifiers: /path/to/classifiers/
>> ! snaplen: 700
>>
>> Startup command:
>>
>> sudo ../src/pmacctd -f ./probe_netflow.conf
>> INFO ( default/core ): Reading configuration file '/var/lib/pgsql/pmacct-1.5.1/examples/probe_netflow.conf'.
>> INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on softflowd 0.9.7 software, Copyright 2002 Damien Miller All rights reserved.
>> INFO ( p4p1/nfprobe ): TCP timeout: 3600s
>> INFO ( p4p1/nfprobe ): TCP post-RST timeout: 120s
>> INFO ( p4p1/nfprobe ): TCP post-FIN timeout: 300s
>> INFO ( p4p1/nfprobe ): UDP timeout: 300s
>> INFO ( p4p1/nfprobe ): ICMP timeout: 300s
>> INFO ( p4p1/nfprobe ): General timeout: 3600s
>> INFO ( p4p1/nfprobe ): Maximum lifetime: 604800s
>> INFO ( p4p1/nfprobe ): Expiry interval: 60s
>> INFO ( p4p1/nfprobe ): Exporting flows to [10.0.129.71]:iop
>> OK ( default/core ): link type is: 1
>> WARN ( default/core ): p4p1: no IPv4 address assigned
>> ^CWARN ( p4p1/nfprobe ): Shutting down on user request.
>> OK: Exiting ...
>>
>> Thanks,
>>
>> --
>> Stephen Clark

--
Stephen Clark
Re: [pmacct-discussion] netflow v9 ifindex always 0 - pmacct version 1.5.1
Hi Steve,

libpcap does not report such info due to no integration with the underlying OS. This is an advantage of using ULOG due to its tight coupling to the OS. Plus, in the QUICKSTART document "Quickstart guide to setup a NetFlow agent/probe" chapter it is described how pmacct can help setting direction and interface indexes based on MAC or IP addresses.

Cheers,
Paolo

On Thu, Jul 16, 2015 at 12:27:01PM -0400, Steve Clark wrote:
> Hello,
>
> I have read the discussion in this email thread:
> https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg02187.html
> But still can't see anything but zero in the InputInt: and OutputInt: when looking at the exported packets with wireshark:
>
> Here is my simple config - could someone explain what I am doing wrong?
>
> !
> ! pmacctd configuration example
> !
> ! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
> ! supported by 'nfacctd' and 'pmacctd' ?
> !
> ! debug: true
> daemonize: false
> interface: p4p1
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
> plugins: nfprobe[p4p1]
> nfprobe_receiver: 10.0.129.71:2055
> nfprobe_version: 9
> nfprobe_ifindex[p4p1]: 4
> ! nfprobe_engine: 1:1
> ! nfprobe_timeouts: tcp=120:maxlife=3600
> !
> ! networks_file: /path/to/networks.lst
> ! classifiers: /path/to/classifiers/
> ! snaplen: 700
>
> Startup command:
>
> sudo ../src/pmacctd -f ./probe_netflow.conf
> INFO ( default/core ): Reading configuration file '/var/lib/pgsql/pmacct-1.5.1/examples/probe_netflow.conf'.
> INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on softflowd 0.9.7 software, Copyright 2002 Damien Miller All rights reserved.
> INFO ( p4p1/nfprobe ): TCP timeout: 3600s
> INFO ( p4p1/nfprobe ): TCP post-RST timeout: 120s
> INFO ( p4p1/nfprobe ): TCP post-FIN timeout: 300s
> INFO ( p4p1/nfprobe ): UDP timeout: 300s
> INFO ( p4p1/nfprobe ): ICMP timeout: 300s
> INFO ( p4p1/nfprobe ): General timeout: 3600s
> INFO ( p4p1/nfprobe ): Maximum lifetime: 604800s
> INFO ( p4p1/nfprobe ): Expiry interval: 60s
> INFO ( p4p1/nfprobe ): Exporting flows to [10.0.129.71]:iop
> OK ( default/core ): link type is: 1
> WARN ( default/core ): p4p1: no IPv4 address assigned
> ^CWARN ( p4p1/nfprobe ): Shutting down on user request.
> OK: Exiting ...
>
> Thanks,
>
> --
> Stephen Clark