Hi Paolo, My comments inline.
Thanx, Alex On Tue, Sep 13, 2016 at 1:04 PM, Paolo Lucente <pa...@pmacct.net> wrote: > > Hi Alex, > > Inline: > > On Sun, Sep 11, 2016 at 11:45:44PM +0300, Abi Askushi wrote: > > > 1. Is there a pmacct plugin to get traffic flows from connection tracking > > system, like ulogd2 with NFCT plugin? > > Not being familiar with this, can you elaborate what it does? An example > would be much appreciated. > This is done using ulogd2 running with NFCT plugin. Then ulogd probes events from connection tracking system (events can be filtered: destroy, new, etc) and can print or store the flows in DB. The flows that can be fetched are like the output of command "conntrack -L". The pro of this approach is that you get the real source and destination when have to deal with NATed traffic. A very nice example is at https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/. The negative side of this approach is how to handle long lasting sessions that are not fetched (at least I didn't figure out how to do that) in case the device is rebooted, resulting in lost accounting traffic. > > 2. NFLOG + uacctd: is there any way to aggregate/filter collected packets > > with uacctd as received from NFLOG, according to the fwmark value set > with > > MARK at iptables ? If no, is there any recommended alternate approach? > > No, as i suspect this MARK action does not really mark/stamp the packet > itself but mangles with an external header. But knowing more precisely > what this MARK does, we can certainly make it an item we can tag upon, > or more. Again, i'm not a master of ULOG/NFLOG and hence i'd need (your) > support. > As you said, the MARK is an association that is done from netfilter and it does not affect packet header. This means that I'm left with the option to alter packet header to be able to tag it. Can you recommend which packet header to alter to be able to tag? > > > 3. pmacctd Netflow v9 exports: when collecting flows with nfacctd > generated > > with pmacctd+nfprobe plugin, the interface index (in_iface, out_iface) > was > > showing always 0. Am I missing sth? > > Did you read the QUICKSTART document section "Quickstart guide to setup a > NetFlow agent/probe"? Towards the end it starts speaking about interfaces, > direction and tags. It essentially says: libpcap is detached from the OS > and hence has no concept of interfaces and such; you need to issue a tag, > ie. basing on source/destination MAC address, in order to populate the > interface and/or direction fields of a generated NetFlow/IPFIX packet. Let > me know if the case is you are already doing this and it's not working; if > not (your config suggests you are not) here is a pointer to the doc: > > https://github.com/pmacct/pmacct/blob/master/QUICKSTART > > Seems I've missed that. Thank you for pointing out. > ULOG/NFLOG is instead integrated in the Linux OS and hence would return you > interfaces no problem. > Agree. > > Cheers, > Paolo > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists >
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists