Re: [pmacct-discussion] Only packets from router to netflow server
Hi Mattias,

From what I read so far I believe the pesky bit here is that you are using pmacctd (which is the libpcap-based daemon) rather than nfacctd (which is the NetFlow collector daemon, which collects and analyses/dissects NetFlow packets).

Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
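The distinction drawn in the reply above, as an added example (not part of the original thread and not pmacct code): a libpcap-based accountant reports the captured packet's own 5-tuple, while a NetFlow collector decodes the flow records carried in the UDP payload. The sketch assumes the router exports NetFlow v5; the function names and the sample flows are constructed for illustration.

```python
import socket
import struct

# NetFlow v5 layout (assumed export version): 24-byte header, 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(payload):
    """Decode the flow records carried inside one NetFlow v5 UDP payload."""
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(payload)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(payload) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(payload, HEADER.size + i * RECORD.size)
        flows.append({
            "src_ip": socket.inet_ntoa(f[0]), "dst_ip": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10], "proto": f[13], "tos": f[14],
        })
    return flows

def build_sample():
    """Constructed datagram: two made-up flows as a router would export them."""
    hdr = HEADER.pack(5, 2, 1000, 1471600000, 0, 42, 0, 0, 0)
    def rec(src, dst, sport, dport, proto, pkts, octets):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                           socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                           0, 900, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)
    return (hdr + rec("10.0.0.5", "10.0.1.9", 40000, 443, 6, 12, 3400)
                + rec("10.0.0.7", "10.0.2.3", 53124, 53, 17, 1, 76))

if __name__ == "__main__":
    # What a libpcap-based accountant keys on: the outer UDP 5-tuple only.
    print("outer packet : 192.168.1.1:52043 -> 172.16.0.100:2055 udp")
    # What a NetFlow collector reports: the records inside the payload.
    for flow in parse_netflow_v5(build_sample()):
        print("decoded flow :", flow)
```
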
Re: [pmacct-discussion] Only packets from router to netflow server
Hi Markus,

Not sure what you mean with that the server does NOT accept/process the packets due to it target to another MAC address.

I thought the pmacctd used the libpcap the same way that tcpdump does and analyses packets. But with tcpdump I have to use -vvv the all of the packet.

This is what I get when I'm writing to plain text-file.

SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TOS,PACKETS,FLOWS,BYTES
192.168.1.1,172.16.0.100,52043,2055,udp,0,10,1,2416

192.168.1.1 = router
172.16.0.100 = Netflow-server (not same server where I'm running pmacct on)

My server with pmacct has an interface (eth2) without any ip configurations connected to the same switch as the netflow-server. The server receives all udp/2055 packets from the switch (SPAN)

Iptables are disabled on the server.

/Mattias
Re: [pmacct-discussion] Only packets from router to netflow server
Hi Mattias,

could it be that your host does NOT accept/process the packets as those are targeted to another MAC address? If you run wireshark/tcpdump the interface to put into promiscuous mode to get them ...

If all have the same dst mac just change your interface facing the SPAN port to it.

Other than that: any host "firewall" rules active?

Markus
Re: [pmacct-discussion] Only packets from router to netflow server
Hi Mattias,

do you have a drawing of your setup? I have to admit that it is unclear to me…

Thanks,
Mario

From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net] On Behalf Of Mattias Larsson
Sent: Thursday, August 18, 2016 1:36 PM
To: pmacct-discussion@pmacct.net
Subject: [pmacct-discussion] Only packets from router to netflow server

I use a SPAN port on my switch to capture all netflow (udp 2055) packets and send it to an interface where my pmacct server has one extra interface connected to.

But when I look at the traffic/packets that pmacctd generates it seems to only be the IP packets between my router and netflow server. It seems it does not decode the cisco netflow payload/data.

When I do a tcpdump on the interface and look at it with wireshark I can see the flows.

Any suggestion what I'm doing wrong?

Thanks in advance!

Mattias