Re: [pmacct-discussion] Nfacct - Missing src_port, and dst_port

2016-04-13 Thread Paolo Lucente
Hi Baseem,

The ports_file is not influential on your original issue - it would only
allow you to narrow down ports to a set of interest (for the sake of not
getting too much data). Ports are in the template so this looks weird: can
you send privately a brief trace of some IPFIX flows (and template so to
be able to decode them)? This is for inspecting them and replaying in lab.

Cheers,
Paolo

On Tue, Apr 12, 2016 at 05:02:51PM +0200, bassem zaki wrote:
> Hello again,
> 
> While searching I found that I should add "ports_file:" primitive but it
> didn't work for me.
> 
> BR,
> Bassem
> 
> On Tue, Apr 12, 2016 at 12:37 PM, bassem zaki wrote:
> 
> > Hello all,
> >
> > I'm new to pmacct and I'm trying to collect IPFIX flows sent from a Cisco
> > router using nfacctd and mysql plugin. The problem is I'm not able to
> > collect src_port and dst_port although I'm able to collect them using
> > another netflow collector (SILK).
> >
> > *nfacct.conf:*
> >
> > daemonize: false
> > aggregate[dummy]: src_host, dst_host, src_port, dst_port
> > nfacctd_port: 4739
> > nfacctd_time_new: true
> > plugins: mysql[dummy]
> > sql_db: pmacct
> > sql_table: acct
> > sql_table_version: 1
> > sql_passwd: 
> > sql_user: 
> > sql_refresh_time: 90
> > sql_history: 10m
> > sql_history_roundoff: mh
> >
> > 
> >
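> > +-------------+-------------+-------------+-------------+----------+----------+----------+---------+-------+---------------------+---------------------+
> > | mac_src     | mac_dst     | ip_src      | ip_dst      | src_port | dst_port | ip_proto | packets | bytes | stamp_inserted      | stamp_updated       |
> > +-------------+-------------+-------------+-------------+----------+----------+----------+---------+-------+---------------------+---------------------+
> > | 0:0:0:0:0:0 | 0:0:0:0:0:0 | XX.XX.XX.XX | XX.XX.XX.XX |        0 |        0 | ip       |       1 |   143 | 2016-04-12 11:50:00 | 2016-04-12 11:54:01 |
> > +-------------+-------------+-------------+-------------+----------+----------+----------+---------+-------+---------------------+---------------------+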
> > 
> >
> > 
> > DEBUG ( default/core ): NfV10 agent : :::XX.XX.XX.XX:256
> > DEBUG ( default/core ): NfV10 template type : flow
> > DEBUG ( default/core ): NfV10 template ID   : 269
> > DEBUG ( default/core ): 
> > DEBUG ( default/core ): | field type     | offset |  size  |
> > DEBUG ( default/core ): | IPv4 src addr  |      0 |      4 |
> > DEBUG ( default/core ): | IPv4 dst addr  |      4 |      4 |
> > DEBUG ( default/core ): | L4 src port    |      8 |      2 |
> > DEBUG ( default/core ): | L4 dst port    |     10 |      2 |
> > DEBUG ( default/core ): | in bytes       |     12 |      4 |
> > DEBUG ( default/core ): | in packets     |     16 |      4 |
> > DEBUG ( default/core ): 
> > .
> > .
> > DEBUG ( dummy/mysql ): INSERT INTO `acct` (stamp_updated, stamp_inserted,
> > ip_src, ip_dst, src_port, dst_port, ip_proto, mac_src, mac_dst, packets,
> > bytes) VALUES (FROM_UNIXTIME(1460456228), FROM_UNIXTIME(1460455800),
> > 'XX.XX.XX.XX', 'XX.XX.XX.XX', 0, 0, 'ip', '0:0:0:0:0:0', '0:0:0:0:0:0', 1,
> > 123)
> > 
> >
> > BR,
> > Bassem Zaki
> >

> ___
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
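
Added example, not from the thread or from pmacct: a minimal Python decoder for checking whether a captured IPFIX message actually carries non-zero L4 ports under the six-field template 269 shown in the debug output. The function names, the field labels, the sample addresses, ports and counters, and the observation domain 256 are constructed for illustration; only fixed-length fields are handled.

```python
import struct

# IANA IPFIX element IDs for the fields of template 269; labels chosen for this example.
IE_NAMES = {8: "src_host", 12: "dst_host", 7: "src_port", 11: "dst_port", 1: "bytes", 2: "packets"}

def parse_ipfix(msg, templates):
    """Decode one IPFIX message (RFC 7011); fixed-length fields only."""
    version, length, _, _, domain = struct.unpack_from("!HHIII", msg, 0)
    if version != 10 or length != len(msg):
        raise ValueError("not a complete IPFIX message")
    records, pos = [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", msg, pos)
        if set_len < 4 or pos + set_len > length:
            raise ValueError("bad set length")
        body, end = pos + 4, pos + set_len
        if set_id == 2:  # template set: learn field layout per (domain, id)
            while body + 4 <= end:
                tid, count = struct.unpack_from("!HH", msg, body)
                body += 4
                if tid < 256 or count == 0:  # padding or template withdrawal
                    break
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack_from("!HH", msg, body)
                    body += 8 if ie & 0x8000 else 4  # skip enterprise number
                    fields.append((ie, flen))
                templates[(domain, tid)] = fields
        elif (domain, set_id) in templates:  # data set with a known template
            fields = templates[(domain, set_id)]
            rec_len = sum(n for _, n in fields)
            while body + rec_len <= end:  # trailing padding is ignored
                rec = {}
                for ie, flen in fields:
                    raw, body = msg[body:body + flen], body + flen
                    val = ".".join(map(str, raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = val
                records.append(rec)
        pos = end
    return records

def build_sample():
    """Constructed message: template 269 from the debug output plus one record."""
    tmpl = struct.pack("!14H", 269, 6, 8, 4, 12, 4, 7, 2, 11, 2, 1, 4, 2, 4)  # id, count, (IE, len) pairs
    data = bytes([192, 0, 2, 10, 198, 51, 100, 20]) + struct.pack("!HHII", 51515, 443, 143, 1)
    sets = (struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 269, 4 + len(data)) + data)
    return struct.pack("!HHIII", 10, 16 + len(sets), 1460455800, 0, 256) + sets

print(parse_ipfix(build_sample(), {}))
```

Feeding it the UDP payloads from a capture shows whether zero ports are already present on the wire or only appear after collection.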




[pmacct-discussion] Nfacct - Missing src_port, and dst_port

2016-04-12 Thread bassem zaki
Hello all,

I'm new to pmacct and I'm trying to collect IPFIX flows sent from a Cisco
router using nfacctd and mysql plugin. The problem is I'm not able to
collect src_port and dst_port although I'm able to collect them using
another netflow collector (SILK).

*nfacct.conf:*

daemonize: false
aggregate[dummy]: src_host, dst_host, src_port, dst_port
nfacctd_port: 4739
nfacctd_time_new: true
plugins: mysql[dummy]
sql_db: pmacct
sql_table: acct
sql_table_version: 1
sql_passwd: 
sql_user: 
sql_refresh_time: 90
sql_history: 10m
sql_history_roundoff: mh


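+-------------+-------------+-------------+-------------+----------+----------+----------+---------+-------+---------------------+---------------------+
| mac_src     | mac_dst     | ip_src      | ip_dst      | src_port | dst_port | ip_proto | packets | bytes | stamp_inserted      | stamp_updated       |
+-------------+-------------+-------------+-------------+----------+----------+----------+---------+-------+---------------------+---------------------+
| 0:0:0:0:0:0 | 0:0:0:0:0:0 | XX.XX.XX.XX | XX.XX.XX.XX |        0 |        0 | ip       |       1 |   143 | 2016-04-12 11:50:00 | 2016-04-12 11:54:01 |
+-------------+-------------+-------------+-------------+----------+----------+----------+---------+-------+---------------------+---------------------+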



DEBUG ( default/core ): NfV10 agent : :::XX.XX.XX.XX:256
DEBUG ( default/core ): NfV10 template type : flow
DEBUG ( default/core ): NfV10 template ID   : 269
DEBUG ( default/core ): 
DEBUG ( default/core ): | field type     | offset |  size  |
DEBUG ( default/core ): | IPv4 src addr  |      0 |      4 |
DEBUG ( default/core ): | IPv4 dst addr  |      4 |      4 |
DEBUG ( default/core ): | L4 src port    |      8 |      2 |
DEBUG ( default/core ): | L4 dst port    |     10 |      2 |
DEBUG ( default/core ): | in bytes       |     12 |      4 |
DEBUG ( default/core ): | in packets     |     16 |      4 |
DEBUG ( default/core ): 
.
.
DEBUG ( dummy/mysql ): INSERT INTO `acct` (stamp_updated, stamp_inserted,
ip_src, ip_dst, src_port, dst_port, ip_proto, mac_src, mac_dst, packets,
bytes) VALUES (FROM_UNIXTIME(1460456228), FROM_UNIXTIME(1460455800),
'XX.XX.XX.XX', 'XX.XX.XX.XX', 0, 0, 'ip', '0:0:0:0:0:0', '0:0:0:0:0:0', 1,
123)


BR,
Bassem Zaki