Re: [pmacct-discussion] peer_src_ip empty

2019-10-19 Thread Paolo Lucente


Hi Brooks,

peer_src_ip is definitely the primitive you are looking for. From the
previous thread I have a suspicion: you may be using the wrong daemon.
What daemon are you running? Is it possible you want to collect NetFlow/
IPFIX or sFlow but you are running pmacctd? That would explain it. Just in
case this is the right path, please see here the list of daemons and
what they do:

https://github.com/pmacct/pmacct/blob/master/QUICKSTART#L30-#L106

Paolo
 
On Sat, Oct 19, 2019 at 01:31:23PM -0400, Brooks Swinnerton wrote:
> Hello again,
> 
> I'm trying to determine the host that is sending the flows and it sounds
> like peer_src_ip is what I want, but for some reason it's always empty.
> 
> Here is my config:
> 
> ```
> !
> ! pmacctd configuration example
> !
> ! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
> ! supported by 'nfacctd' and 'pmacctd' ?
> !
> ! debug: true
> daemonize: false
> pcap_interfaces_map: /etc/pmacct/interfaces.map
> pmacctd_as: bgp
> pmacctd_net: bgp
> sampling_rate: 1
> !
> bgp_daemon: true
> bgp_daemon_ip: 127.0.0.2
> bgp_daemon_port: 180
> bgp_daemon_max_peers: 10
> bgp_agent_map: /etc/pmacct/peering_agent.map
> !
> aggregate: src_host, dst_host, src_port, dst_port, src_as, dst_as, peer_src_ip, proto
> !
> plugins: kafka
> kafka_output: json
> kafka_broker_host: kafka.fqdn.com
> kafka_topic: pmacct.acct
> kafka_refresh_time: 5
> kafka_history: 5m
> kafka_history_roundoff: m
> ```
> 
> And here is `/etc/pmacct/interfaces.map`:
> 
> ```
> ifindex=100  ifname=ens3
> ifindex=200  ifname=ens4
> ```
> 
> And here is `/etc/pmacct/peering_agent.map`:
> 
> ```
> bgp_ip= ip=0.0.0.0/0
> ```
> 
> This is what I see in the Kafka JSON:
> 
> ```
> {"event_type": "purge", "as_src": 12876, "as_dst": 0, "peer_ip_src": "",
> "ip_src": "51.15.81.148", "ip_dst": "23.157.160.138", "port_src": 46330,
> "port_dst": 9050, "ip_proto": "tcp", "stamp_inserted": "2019-10-19 17:30:00",
> "stamp_updated": "2019-10-19 17:30:56", "packets": 1, "bytes": 588,
> "writer_id": "default_kafka/2969"}
> ```

> ___
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists




[pmacct-discussion] peer_src_ip empty

2019-10-19 Thread Brooks Swinnerton

Hello again,

I'm trying to determine the host that is sending the flows and it sounds
like peer_src_ip is what I want, but for some reason it's always empty.

Here is my config:

```
!
! pmacctd configuration example
!
! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
! supported by 'nfacctd' and 'pmacctd' ?
!
! debug: true
daemonize: false
pcap_interfaces_map: /etc/pmacct/interfaces.map
pmacctd_as: bgp
pmacctd_net: bgp
sampling_rate: 1
!
bgp_daemon: true
bgp_daemon_ip: 127.0.0.2
bgp_daemon_port: 180
bgp_daemon_max_peers: 10
bgp_agent_map: /etc/pmacct/peering_agent.map
!
aggregate: src_host, dst_host, src_port, dst_port, src_as, dst_as, peer_src_ip, proto
!
plugins: kafka
kafka_output: json
kafka_broker_host: kafka.fqdn.com
kafka_topic: pmacct.acct
kafka_refresh_time: 5
kafka_history: 5m
kafka_history_roundoff: m
```

And here is `/etc/pmacct/interfaces.map`:

```
ifindex=100  ifname=ens3
ifindex=200  ifname=ens4
```

And here is `/etc/pmacct/peering_agent.map`:

```
bgp_ip= ip=0.0.0.0/0
```

This is what I see in the Kafka JSON:

```
{"event_type": "purge", "as_src": 12876, "as_dst": 0, "peer_ip_src": "",
"ip_src": "51.15.81.148", "ip_dst": "23.157.160.138", "port_src": 46330,
"port_dst": 9050, "ip_proto": "tcp", "stamp_inserted": "2019-10-19 17:30:00",
"stamp_updated": "2019-10-19 17:30:56", "packets": 1, "bytes": 588,
"writer_id": "default_kafka/2969"}
```