Re: [pmacct-discussion] netflow v9 ifindex always 0 - pmacct version 1.5.1

2015-07-19 Thread Paolo Lucente
Hi Steve,

Inline:

On Fri, Jul 17, 2015 at 07:36:31AM -0400, Steve Clark wrote:

> Am I not able to simply put something like:
>
> interface: p4p1
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
> plugins: nfprobe[p4p1]
> nfprobe_receiver: 10.0.129.71:2055
> nfprobe_version: 9
> nfprobe_ifindex[p4p1]: 4
>
> in my config file?

Yes, just set nfprobe_direction to 'in' or 'out' and you should
start seeing interfaces populated. I'm afraid without something
dynamic based on a map you may hit a conceptual issue since you
should be capturing both directions of traffic. 

> I tried to use a pre-tag filter like
> nfprobe_ifindex[p4p1]: tag
> pre_tag_map: ./my.pretag.map
>
> then edited my.pretag.map as follows:
> set_tag=4 filter='net 0.0.0.0/0'

Again, nfprobe_direction is missing. nfprobe_ifindex is in
addition to nfprobe_direction but I reckon the documentation in
QUICKSTART may be confusing and definitely it misses an example
where all the pieces are put together (will fix this asap). So
imagine you have prefix X.X.X.X connected on interface 10 and
Y.Y.Y.Y connected on interface 20, this should be the config:

nfprobe_direction: tag
nfprobe_ifindex: tag2
pre_tag_map: /path/to/pretag.map

Then in pretag.map:

set_tag=1   filter='src net X.X.X.X' jeq=eval_ifindex
set_tag=2   filter='dst net X.X.X.X' jeq=eval_ifindex
set_tag=1   filter='src net Y.Y.Y.Y' jeq=eval_ifindex
set_tag=2   filter='dst net Y.Y.Y.Y' jeq=eval_ifindex
set_tag=999 filter='net 0.0.0.0/0'

set_tag2=10 filter='src net X.X.X.X' label=eval_ifindex
set_tag2=10 filter='dst net X.X.X.X'
set_tag2=20 filter='src net Y.Y.Y.Y'
set_tag2=20 filter='dst net Y.Y.Y.Y'

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
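
Added example, not part of the original thread and not pmacct code: a minimal NetFlow v9 decoder (header, template and data flowset layout and field types 10/14 per RFC 3954) that automates the check done by eye in Wireshark in this thread, listing exported records whose input and output interface indexes are both zero. The function names and the sample packet are constructed for illustration.

```python
import struct

INPUT_SNMP, OUTPUT_SNMP = 10, 14   # NetFlow v9 field types (RFC 3954)

def parse_v9(packet, templates=None):
    """Decode one NetFlow v9 export packet into a list of {field_type: int}."""
    templates = {} if templates is None else templates
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    records, off = [], 20                          # skip the 20-byte header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed flowset length")
        body, p = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                             # template flowset
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if tid < 256 or p + 4 + 4 * nfields > len(body):
                    break                          # padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, p + 4 + 4 * i)
                                  for i in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id in templates:                   # data flowset, known template
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            while rec_len and p + rec_len <= len(body):   # remainder is padding
                rec = {}
                for ftype, length in fields:
                    rec[ftype] = int.from_bytes(body[p:p + length], "big")
                    p += length
                records.append(rec)
        off += fs_len
    return records

def zero_ifindex(records):
    """Records whose input and output interface indexes are both 0 or absent."""
    return [r for r in records
            if not r.get(INPUT_SNMP) and not r.get(OUTPUT_SNMP)]

def sample_packet():
    """Constructed packet: template 256 plus two data records."""
    tmpl = struct.pack("!HH8H", 256, 4, 8, 4, 12, 4, INPUT_SNMP, 4, OUTPUT_SNMP, 4)
    recs = struct.pack("!8I", 0x0A000001, 0x0A000002, 10, 0,
                       0x0A000002, 0x0A000001, 0, 0)
    header = struct.pack("!HHIIII", 9, 3, 1000, 1437300000, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(recs)) + recs)
```

Pass the same `templates` dict across calls when decoding a capture, since an exporter sends templates only periodically and data flowsets without a known template are skipped.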


Re: [pmacct-discussion] netflow v9 ifindex always 0 - pmacct version 1.5.1

2015-07-17 Thread Steve Clark

Hi Paolo,

On 07/17/2015 01:58 AM, Paolo Lucente wrote:

> Hi Steve,
>
> libpcap does not report such info due to no integration with the
> underlying OS. This is an advantage of using ULOG due to its tight
> coupling to the OS. Plus, in the QUICKSTART document Quickstart
> guide to setup a NetFlow agent/probe chapter it is described how
> pmacct can help setting direction and interface indexes basing on
> MAC or IP addresses.

In my case I just need to be able to have one value in the InputInt: and OutputInt:
fields, it doesn't need to be set based on any criteria. I have read both the CONFIG-KEYS
and the QUICKSTART guide, though I am not sure I understand them completely.

Am I not able to simply put something like:

interface: p4p1
aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
plugins: nfprobe[p4p1]
nfprobe_receiver: 10.0.129.71:2055
nfprobe_version: 9
nfprobe_ifindex[p4p1]: 4

in my config file?

I tried to use a pre-tag filter like
nfprobe_ifindex[p4p1]: tag
pre_tag_map: ./my.pretag.map


then edited my.pretag.map as follows:
set_tag=4 filter='net 0.0.0.0/0'

and still only saw the value 0 in the InputInt: and OutputInt: fields.



Thanks for taking the time to respond and making pmacct available.




> Cheers,
> Paolo
>
> On Thu, Jul 16, 2015 at 12:27:01PM -0400, Steve Clark wrote:
>
>> Hello,
>>
>> I have read the discussion in this email thread:
>> https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg02187.html
>> But still can't see anything but zero in the InputInt: and OutputInt: when
>> looking at the exported packets with wireshark:
>>
>> Here is my simple config - could someone explain what I am doing wrong?
>>
>> !
>> ! pmacctd configuration example
>> !
>> ! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
>> ! supported by 'nfacctd' and 'pmacctd' ?
>> !
>> ! debug: true
>> daemonize: false
>> interface: p4p1
>> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
>> plugins: nfprobe[p4p1]
>> nfprobe_receiver: 10.0.129.71:2055
>> nfprobe_version: 9
>> nfprobe_ifindex[p4p1]: 4
>> ! nfprobe_engine: 1:1
>> ! nfprobe_timeouts: tcp=120:maxlife=3600
>> !
>> ! networks_file: /path/to/networks.lst
>> ! classifiers: /path/to/classifiers/
>> ! snaplen: 700
>>
>> Startup command:
>>
>> sudo ../src/pmacctd  -f ./probe_netflow.conf
>> INFO ( default/core ): Reading configuration file '/var/lib/pgsql/pmacct-1.5.1/examples/probe_netflow.conf'.
>> INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on softflowd 0.9.7 software, Copyright 2002 Damien Miller d...@mindrot.org All rights reserved.
>> INFO ( p4p1/nfprobe ):   TCP timeout: 3600s
>> INFO ( p4p1/nfprobe ):  TCP post-RST timeout: 120s
>> INFO ( p4p1/nfprobe ):  TCP post-FIN timeout: 300s
>> INFO ( p4p1/nfprobe ):   UDP timeout: 300s
>> INFO ( p4p1/nfprobe ):  ICMP timeout: 300s
>> INFO ( p4p1/nfprobe ):   General timeout: 3600s
>> INFO ( p4p1/nfprobe ):  Maximum lifetime: 604800s
>> INFO ( p4p1/nfprobe ):   Expiry interval: 60s
>> INFO ( p4p1/nfprobe ): Exporting flows to [10.0.129.71]:iop
>> OK ( default/core ): link type is: 1
>> WARN ( default/core ): p4p1: no IPv4 address assigned
>> ^CWARN ( p4p1/nfprobe ): Shutting down on user request.
>> OK: Exiting ...
>>
>> Thanks,
>>
>> --
>> Stephen Clark




--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com

Re: [pmacct-discussion] netflow v9 ifindex always 0 - pmacct version 1.5.1

2015-07-17 Thread Paolo Lucente
Hi Steve,

libpcap does not report such info due to no integration with the
underlying OS. This is an advantage of using ULOG due to its tight
coupling to the OS. Plus, in the QUICKSTART document Quickstart
guide to setup a NetFlow agent/probe chapter it is described how
pmacct can help setting direction and interface indexes basing on
MAC or IP addresses. 

Cheers,
Paolo 

On Thu, Jul 16, 2015 at 12:27:01PM -0400, Steve Clark wrote:
> Hello,
>
> I have read the discussion in this email thread:
> https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg02187.html
> But still can't see anything but zero in the InputInt: and OutputInt: when
> looking at the exported packets with wireshark:
>
> Here is my simple config - could someone explain what I am doing wrong?
>
> !
> ! pmacctd configuration example
> !
> ! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
> ! supported by 'nfacctd' and 'pmacctd' ?
> !
> ! debug: true
> daemonize: false
> interface: p4p1
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, in_iface, out_iface
> plugins: nfprobe[p4p1]
> nfprobe_receiver: 10.0.129.71:2055
> nfprobe_version: 9
> nfprobe_ifindex[p4p1]: 4
> ! nfprobe_engine: 1:1
> ! nfprobe_timeouts: tcp=120:maxlife=3600
> !
> ! networks_file: /path/to/networks.lst
> ! classifiers: /path/to/classifiers/
> ! snaplen: 700
>
> Startup command:
>
> sudo ../src/pmacctd  -f ./probe_netflow.conf
> INFO ( default/core ): Reading configuration file '/var/lib/pgsql/pmacct-1.5.1/examples/probe_netflow.conf'.
> INFO ( p4p1/nfprobe ): NetFlow probe plugin is originally based on softflowd 0.9.7 software, Copyright 2002 Damien Miller d...@mindrot.org All rights reserved.
> INFO ( p4p1/nfprobe ):   TCP timeout: 3600s
> INFO ( p4p1/nfprobe ):  TCP post-RST timeout: 120s
> INFO ( p4p1/nfprobe ):  TCP post-FIN timeout: 300s
> INFO ( p4p1/nfprobe ):   UDP timeout: 300s
> INFO ( p4p1/nfprobe ):  ICMP timeout: 300s
> INFO ( p4p1/nfprobe ):   General timeout: 3600s
> INFO ( p4p1/nfprobe ):  Maximum lifetime: 604800s
> INFO ( p4p1/nfprobe ):   Expiry interval: 60s
> INFO ( p4p1/nfprobe ): Exporting flows to [10.0.129.71]:iop
> OK ( default/core ): link type is: 1
> WARN ( default/core ): p4p1: no IPv4 address assigned
> ^CWARN ( p4p1/nfprobe ): Shutting down on user request.
> OK: Exiting ...
>
> Thanks,
>
> --
> Stephen Clark
