Re: [pmacct-discussion] How to record ICMP and ICMP6 types/codes by pmacctd?
Hi, I see. I am sorry to confirm that, yes, the feature is not there right now. It's not a biggie but still it would require a bit of work in order to converge. I can gladly put on my todo list but it may take a few weeks to get it out; or if you could perform a small fun C coding work on you own, please get in touch by unicast email, i'd be happy to assist. Paolo On Mon, Apr 13, 2020 at 03:59:48PM -0400, fireballiso wrote: > > > > > > Hi Paolo, > > > > Sorry, I should have said I was > replacing the netflow *generators*, not collectors. My mistake! > > > > Yes, I posted the config that generates > the netflow 9 flows, since I hoped to see if it was missing > something for including the ICMP and ICMP6 types/codes. > > > -Indy > > > > > On 4/13/2020 8:59 AM, Paolo Lucente > wrote: > >cite="mid:20200413125955.gb16...@moussaka.pmacct.net"> > > Hi, > > Let me confirm that collecting the ICMP type is partially supported; the > native dst_port primitive is locked to UDP and TCP only - making this > not suitable for NetFlow v5 kind of scenarios; but if using NetFlow v9 > and/or IPFIX you could define your own custom primitive via the > aggregate_primitives infrastructure, see also an example here: > > href="https://github.com/pmacct/pmacct/blob/1.7.4/examples/primitives.lst.example;>https://github.com/pmacct/pmacct/blob/1.7.4/examples/primitives.lst.example > > By the way: you speak collecting NetFlow but your config example is > actually about the 'nfprobe' plugin, that is, generating NetFlow out of > raw traffic. Is that what you are after? > > Paolo > > On Sun, Apr 12, 2020 at 04:20:08PM -0400, fireballiso wrote: > > > Hi! I've started using pmacctd to > replace old netflow collectors for my > main and test networks, which run both IPv6 and IPv4. It works very > well, except that I haven't yet found a way to record the ICMP and ICMP6 > types and codes. > > In other collectors, these are often stored in the destination port > (otherwise unused for ICMP/ICMP6), in the format "A.B", where A is the > type and B is the code. For example, "3.1" would represent ICMP type 3 > (Destination Unreachable), code 1 (Host Unreachable). I see lots of ICMP > and ICMP6 flows, but unfortunately, the destination port is always set > to "0.0", as if nothing is being recorded there. > > A simple config: > > daemonize: true > ! > interface: net1 > aggregate: src_host, dst_host, src_port, dst_port, proto, tos > plugins: nfprobe > nfprobe_receiver: 192.168.14.2:9997 > nfprobe_version: 9 > > > I haven't found documentation or examples that show how to enable > recording the types and codes, and no relevant primitives to add to the > aggregate statement. Would someone be able to tell me how to do this? > > Thank you! > > -Indy > > ___ > pmacct-discussion mailing list > href="http://www.pmacct.net/#mailinglists;>http://www.pmacct.net/#mailinglists > > > > ___ > pmacct-discussion mailing list > href="http://www.pmacct.net/#mailinglists;>http://www.pmacct.net/#mailinglists > > > > > -- > > -Indy > href="mailto:fireball...@yahoo.com;>fireball...@yahoo.com > > ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] How to record ICMP and ICMP6 types/codes by pmacctd?
Hi Paolo, Sorry, I should have said I was replacing the netflow *generators*, not collectors. My mistake! Yes, I posted the config that generates the netflow 9 flows, since I hoped to see if it was missing something for including the ICMP and ICMP6 types/codes. -Indy On 4/13/2020 8:59 AM, Paolo Lucente wrote: Hi, Let me confirm that collecting the ICMP type is partially supported; the native dst_port primitive is locked to UDP and TCP only - making this not suitable for NetFlow v5 kind of scenarios; but if using NetFlow v9 and/or IPFIX you could define your own custom primitive via the aggregate_primitives infrastructure, see also an example here: https://github.com/pmacct/pmacct/blob/1.7.4/examples/primitives.lst.example By the way: you speak collecting NetFlow but your config example is actually about the 'nfprobe' plugin, that is, generating NetFlow out of raw traffic. Is that what you are after? Paolo On Sun, Apr 12, 2020 at 04:20:08PM -0400, fireballiso wrote: Hi! I've started using pmacctd to replace old netflow collectors for my main and test networks, which run both IPv6 and IPv4. It works very well, except that I haven't yet found a way to record the ICMP and ICMP6 types and codes. In other collectors, these are often stored in the destination port (otherwise unused for ICMP/ICMP6), in the format "A.B", where A is the type and B is the code. For example, "3.1" would represent ICMP type 3 (Destination Unreachable), code 1 (Host Unreachable). I see lots of ICMP and ICMP6 flows, but unfortunately, the destination port is always set to "0.0", as if nothing is being recorded there. A simple config: daemonize: true ! interface: net1 aggregate: src_host, dst_host, src_port, dst_port, proto, tos plugins: nfprobe nfprobe_receiver: 192.168.14.2:9997 nfprobe_version: 9 I haven't found documentation or examples that show how to enable recording the types and codes, and no relevant primitives to add to the aggregate statement. Would someone be able to tell me how to do this? Thank you! -Indy ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists -- -Indy fireball...@yahoo.com ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] How to record ICMP and ICMP6 types/codes by pmacctd?
Hi, Let me confirm that collecting the ICMP type is partially supported; the native dst_port primitive is locked to UDP and TCP only - making this not suitable for NetFlow v5 kind of scenarios; but if using NetFlow v9 and/or IPFIX you could define your own custom primitive via the aggregate_primitives infrastructure, see also an example here: https://github.com/pmacct/pmacct/blob/1.7.4/examples/primitives.lst.example By the way: you speak collecting NetFlow but your config example is actually about the 'nfprobe' plugin, that is, generating NetFlow out of raw traffic. Is that what you are after? Paolo On Sun, Apr 12, 2020 at 04:20:08PM -0400, fireballiso wrote: > Hi! I've started using pmacctd to replace old netflow collectors for my > main and test networks, which run both IPv6 and IPv4. It works very > well, except that I haven't yet found a way to record the ICMP and ICMP6 > types and codes. > > In other collectors, these are often stored in the destination port > (otherwise unused for ICMP/ICMP6), in the format "A.B", where A is the > type and B is the code. For example, "3.1" would represent ICMP type 3 > (Destination Unreachable), code 1 (Host Unreachable). I see lots of ICMP > and ICMP6 flows, but unfortunately, the destination port is always set > to "0.0", as if nothing is being recorded there. > > A simple config: > > daemonize: true > ! > interface: net1 > aggregate: src_host, dst_host, src_port, dst_port, proto, tos > plugins: nfprobe > nfprobe_receiver: 192.168.14.2:9997 > nfprobe_version: 9 > > > I haven't found documentation or examples that show how to enable > recording the types and codes, and no relevant primitives to add to the > aggregate statement. Would someone be able to tell me how to do this? > > Thank you! > > -Indy > > ___ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
[pmacct-discussion] How to record ICMP and ICMP6 types/codes by pmacctd?
Hi! I've started using pmacctd to replace old netflow collectors for my main and test networks, which run both IPv6 and IPv4. It works very well, except that I haven't yet found a way to record the ICMP and ICMP6 types and codes. In other collectors, these are often stored in the destination port (otherwise unused for ICMP/ICMP6), in the format "A.B", where A is the type and B is the code. For example, "3.1" would represent ICMP type 3 (Destination Unreachable), code 1 (Host Unreachable). I see lots of ICMP and ICMP6 flows, but unfortunately, the destination port is always set to "0.0", as if nothing is being recorded there. A simple config: daemonize: true ! interface: net1 aggregate: src_host, dst_host, src_port, dst_port, proto, tos plugins: nfprobe nfprobe_receiver: 192.168.14.2:9997 nfprobe_version: 9 I haven't found documentation or examples that show how to enable recording the types and codes, and no relevant primitives to add to the aggregate statement. Would someone be able to tell me how to do this? Thank you! -Indy ___ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
