[pmacct-discussion] [nfacctd] aggregate_filter

2010-08-24 Thread Borys Owczarzak

Hi!

I would like to log some traffic to a database:
TCP packets with flags SYN or FIN or RST to table kancelaria
UDP packets (1-of-100) to table dupa
ICMP packets (1-of-100) to table icmp.

My test configuration:
!START CONFIGURATION
daemonize: true
pidfile: /var/run/pmacctd.pid
syslog: daemon
!FOR PMACCTD USE PROMISC: TRUE
!promisc: true
!FOR NFACCTD USE NFACCTD_PORT: 2055
nfacctd_port: 2055
interface: eth2
aggregate[kancelaria]: src_host, dst_host, src_port, dst_port, tcpflags
aggregate[dupa]: src_host, dst_host, src_port, dst_port
aggregate[icmpe]: src_host, dst_host, src_port, dst_port
aggregate_filter[kancelaria]: tcp[tcpflags] & (tcp-syn) != 0 || tcp[tcpflags] & (tcp-fin) != 0 || tcp[tcpflags] & (tcp-rst) != 0
aggregate_filter[dupa]: udp
aggregate_filter[icmpe]: icmp
sampling_rate[icmpe]: 100
sampling_rate[dupa]: 100
plugins: mysql[kancelaria], mysql[dupa], mysql[icmpe]
sql_db: pmacct
sql_optimize_clauses: true
sql_table[dupa]: dupa
sql_table[kancelaria]: kancelaria
sql_table[icmpe]: icmpe
sql_user: root
sql_passwd: regedit4
sql_dont_try_update: true
sql_refresh_time: 1
sql_history: 1d
!STOP CONFIGURATION

I tried it with pmacctd and nfacctd. When I use pmacctd everything works
great. But the problem is with nfacctd. It does not save data to the kancelaria
table. When I erase aggregate_filter[kancelaria] from the configuration,
it saves packets.


Does somebody know why nfacctd has a problem with this aggregate_filter?

PS aggregate_filter[dupa] and aggregate_filter[icmpe] work correctly.

Kind regards
Borys Owczarzak

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists


Re: [pmacct-discussion] [nfacctd] aggregate_filter

2010-08-24 Thread Paolo Lucente
Hi Borys,

I can confirm that filtering on TCP flags is currently not possible
in either nfacctd or sfacctd. Such an implementation is not major work
and can be done pretty quickly - I can drop you an email privately
when the code is available in the CVS so you can test it working?

Apart from the above, just to be on the same page, are you already
sure TCP flags in NetFlow will work for your scenario? NetFlow ORs
all the TCP flags seen for a certain uni-directional flow up to the
moment it's set for expiration. So if counting flags, for example,
you should not look for a full match but rather test with a logical
AND.

Cheers,
Paolo


On Tue, Aug 24, 2010 at 05:47:33PM +0200, Borys Owczarzak wrote:
> Hi!
> 
> I would like to log some traffic to a database:
> TCP packets with flags SYN or FIN or RST to table kancelaria
> UDP packets (1-of-100) to table dupa
> ICMP packets (1-of-100) to table icmp.
> 
> My test configuration:
> !START CONFIGURATION
> daemonize: true
> pidfile: /var/run/pmacctd.pid
> syslog: daemon
> !FOR PMACCTD USE PROMISC: TRUE
> !promisc: true
> !FOR NFACCTD USE NFACCTD_PORT: 2055
> nfacctd_port: 2055
> interface: eth2
> aggregate[kancelaria]: src_host, dst_host, src_port, dst_port, tcpflags
> aggregate[dupa]: src_host, dst_host, src_port, dst_port
> aggregate[icmpe]: src_host, dst_host, src_port, dst_port
> aggregate_filter[kancelaria]: tcp[tcpflags] & (tcp-syn) != 0 || tcp[tcpflags] & (tcp-fin) != 0 || tcp[tcpflags] & (tcp-rst) != 0
> aggregate_filter[dupa]: udp
> aggregate_filter[icmpe]: icmp
> sampling_rate[icmpe]: 100
> sampling_rate[dupa]: 100
> plugins: mysql[kancelaria], mysql[dupa], mysql[icmpe]
> sql_db: pmacct
> sql_optimize_clauses: true
> sql_table[dupa]: dupa
> sql_table[kancelaria]: kancelaria
> sql_table[icmpe]: icmpe
> sql_user: root
> sql_passwd: regedit4
> sql_dont_try_update: true
> sql_refresh_time: 1
> sql_history: 1d
> !STOP CONFIGURATION
> 
> I tried it with pmacctd and nfacctd. When I use pmacctd everything works
> great. But the problem is with nfacctd. It does not save data to the kancelaria
> table. When I erase aggregate_filter[kancelaria] from the configuration,
> it saves packets.
> 
> Does somebody know why nfacctd has a problem with this aggregate_filter?
> 
> PS aggregate_filter[dupa] and aggregate_filter[icmpe] work correctly.
> 
> Kind regards
> Borys Owczarzak

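The following is an added example, not code from this thread or from the pmacct project. It models the point in Paolo's reply: a NetFlow exporter ORs together the TCP flags of every packet in a unidirectional flow before emitting the record, so a filter like the one in Borys' configuration (tcp[tcpflags] & (tcp-syn) != 0 || ...) must be read as a bitwise AND test on the accumulated byte, and an equality test against a single flag would silently miss almost every flow. The flag bit values are the standard RFC 793 layout; the per-packet flag sequences are constructed sample flows, not captured data.

```python
# Added example (not from the pmacct thread or project): why a TCP-flag filter
# on NetFlow records needs a bitwise AND test rather than an equality test.

# TCP flag bits in the tcpflags byte (RFC 793 layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK"}

# The mask behind "SYN or FIN or RST" in the thread's aggregate_filter.
SYN_FIN_RST = SYN | FIN | RST


def accumulate_flags(packet_flags):
    """OR the flags of every packet seen in one unidirectional flow, the way a
    NetFlow exporter does until the flow is expired and the record emitted."""
    acc = 0
    for flags in packet_flags:
        acc |= flags
    return acc


def full_match(flow_flags, wanted):
    """Equality test: true only if the record's flags are exactly `wanted`.
    Fine on a single packet (pmacctd's view), wrong on an accumulated record."""
    return flow_flags == wanted


def any_flag_set(flow_flags, mask):
    """Logical AND test: true if any bit of `mask` is set in the record. This is
    the semantics of tcp[tcpflags] & (tcp-syn) != 0 in the pcap-style filter."""
    return (flow_flags & mask) != 0


def describe(flow_flags):
    """Names of the flags set in an accumulated record, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flow_flags & bit]


# Constructed per-packet flag sequences (hypothetical flows, not captured data).
SYN_ONLY = [SYN]                                  # one packet: what pmacctd sees
FULL_CONVERSATION = [SYN, ACK, PSH | ACK, FIN | ACK]  # handshake, data, orderly close
MID_CONNECTION = [ACK, PSH | ACK, ACK]            # record covers only the established phase
ABORTED = [ACK, PSH | ACK, RST | ACK]             # established connection torn down by RST


def classify(flows):
    """For each named flow, return the accumulated flags and both test results."""
    out = {}
    for name, packets in flows.items():
        acc = accumulate_flags(packets)
        out[name] = {
            "value": acc,
            "flags": describe(acc),
            "full_match_syn": full_match(acc, SYN),
            "and_match_syn_fin_rst": any_flag_set(acc, SYN_FIN_RST),
        }
    return out


if __name__ == "__main__":
    flows = {
        "syn_only": SYN_ONLY,
        "full_conversation": FULL_CONVERSATION,
        "mid_connection": MID_CONNECTION,
        "aborted": ABORTED,
    }
    for name, r in classify(flows).items():
        print(f"{name:18s} flags=0x{r['value']:02x} {r['flags']} "
              f"full_match(SYN)={r['full_match_syn']} "
              f"AND(SYN|FIN|RST)={r['and_match_syn_fin_rst']}")
```

Run it and compare the two columns: the single-packet flow is the only one where an equality test against SYN succeeds, while the AND test correctly selects every record that saw a SYN, FIN or RST at any point in the flow's life and rejects the one that only covered the established phase. The same reasoning applies when reading the tcpflags column written by nfacctd: treat it as a bitmask, not as a single flag.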