Hi Luca, it's mirrored traffic. Does --if-networks option apply only for traffic originated/received by the machine?
M.

On 12/01/2017 10:40 AM, Luca Deri wrote:
> Matěj,
> the problem of -b is that the rest of the CLI was not parsed.
>
> What type of traffic did you attach to fge1? Is traffic
> originated/received by the machine or is traffic mirrored to it? Can you
> please check this?
>
> Thanks Luca
>
> On 11/23/2017 09:42 PM, Matěj Grégr wrote:
>> Hello Luca,
>> hm, I don't see any difference. I tried to run cento from command line
>> using the following command:
>>
>> cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1
>> --syslog cento -D 0 --if-networks 68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>
>> fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
>> However, I still see input and output interface set to 1 and 2.
>>
>> Tried also with --if-networks @cento-networks
>> # cat cento-networks
>> 68:05:CA:34:89:C0@5
>>
>> But without success.
>>
>> M.
>>
>> On 21.11.2017 14:13, Luca Deri wrote:
>>> Hi Matěj,
>>>
>>> please change
>>>
>>> D=0
>>> --syslog=cento
>>> -b *<=== REMOVE*
>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>
>>>
>>> (remove -b)
>>>
>>> and it will work
>>>
>>> Regards Luca
>>>
>>> On 11/20/2017 05:21 PM, Matěj Grégr wrote:
>>>> Hello Luca,
>>>> I tried to use the following cento.conf:
>>>>
>>>> # cat /etc/cento/cento.conf
>>>> -p=/var/run/cento.pid
>>>> -t=30
>>>> -d=20
>>>> -9=x.x.x.x:9998
>>>> -i=fge1
>>>> -i=fge2
>>>> -g=0,1
>>>> -G=2,3
>>>> -D=0
>>>> --syslog=cento
>>>> -b
>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>
>>>> M.
>>>>
>>>> On 20.11.2017 12:17, Luca Deri wrote:
>>>>> Matej,
>>>>> can you please share the flow command line you are using?
>>>>>
>>>>> Luca
>>>>>
>>>>>> On 18 Nov 2017, at 21:21, Matěj Grégr <[email protected]> wrote:
>>>>>>
>>>>>> Hello,
>>>>>> following an older thread:
>>>>>>
>>>>>> On 10.02.2017 14:54, Luca Deri wrote:
>>>>>>> Hi Jesse
>>>>>>> please see below
>>>>>>>
>>>>>>> On 02/10/2017 02:08 PM, Jesse Alexander wrote:
>>>>>>>> First issue:
>>>>>>>> We are using cento to send netflow to multiple collectors for
>>>>>>>> analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We
>>>>>>>> are sending as version 5 netflow, which has a field for the interface.
>>>>>>>>
>>>>>>>> Bytes 12-13, and 14-15 in the flow record
>>>>>>>> 12-13 | input | SNMP index of input interface
>>>>>>>> 14-15 | output | SNMP index of output interface
>>>>>>>> All of the flow packets are coming through with either "1" or "2" for
>>>>>>>> those values, which is causing problems with our Kentik service and an
>>>>>>>> internal collector.
>>>>>>>>
>>>>>>>> It appears this has been brought up before, but there isn't a solution
>>>>>>>> mentioned.
>>>>>>>> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/
>>>>>>>>
>>>>>>>> How do we get cento to correctly report the interface ID?
>>>>>>> In the current cento (devel) you can do
>>>>>>> --iface-id <in>:<out> | Set input/output interfaceId
>>>>>>> in exported flows
>>>>>>> where
>>>>>>> - interface indexes and (router) MAC/IP addresses
>>>>>>> Flag --iface-id is used to specify the SNMP interface identifiers
>>>>>>> for emitted flows.
>>>>>>> However using --if-networks it is possible to specify an interface
>>>>>>> identifier to which
>>>>>>> a MAC address or IP network is bound. The syntax of --if-networks is:
>>>>>>> <MAC|IP/mask>@<interfaceId> where multiple entries can be separated
>>>>>>> by a comma (,).
>>>>>>> Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
>>>>>>> --if-networks @<filename> where <filename> is a file path containing
>>>>>>> the networks
>>>>>>> specified using the above format.
>>>>>>>
>>>>>> It doesn't work for me. I have the same issue as Jesse - all flows from
>>>>>> cento are exported with if interface 1, out interface 2.
>>>>>>
>>>>>> I mirror traffic from router to the following two interfaces on cento
>>>>>> box:
>>>>>>
>>>>>> 3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>> state UP mode DEFAULT qlen 1000
>>>>>> link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
>>>>>> 5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>> state UP mode DEFAULT qlen 1000
>>>>>> link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
>>>>>>
>>>>>> I tried to set the interface indexes to 5 and 6 using:
>>>>>> --if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
>>>>>>
>>>>>> However, I still see only 1 for incoming and 2 for outgoing index in
>>>>>> flow data:
>>>>>>
>>>>>> Flow Record:
>>>>>> Flags = 0x00 FLOW, Unsampled
>>>>>> <snip>
>>>>>> input = 1
>>>>>> output = 2
>>>>>>
>>>>>> Running cento --version
>>>>>> v.1.3.171116
>>>>>>
>>>>>> Any idea what I am doing wrong?
>>>>>>
>>>>>> Thanks,
>>>>>> Matej
>>>>>>
>>>>>> _______________________________________________
>>>>>> Ntop mailing list
>>>>>> [email protected]
>>>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
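A collector-side check for the symptom discussed in this thread, added here as an example (it is not code from the thread or from ntop): it parses an --if-networks string in the quoted `<MAC|IP/mask>@<interfaceId>` syntax, reads the input/output fields at bytes 12-13 and 14-15 of each NetFlow v5 record, and lists records whose ids are not among the configured ones. All function names are hypothetical, the datagram comes from a constructed sample builder, and the check only compares ids; it does not model how cento matches traffic to a MAC or network.

```python
import ipaddress
import re
import struct

# NetFlow v5 layout: 24-byte header, then 48-byte records (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")

def parse_if_networks(spec):
    """Parse '<MAC|IP/mask>@<interfaceId>[,...]' into {key: interface_id}."""
    mapping = {}
    for entry in spec.split(","):
        key, sep, ifid = entry.strip().rpartition("@")
        if not sep or not ifid.isdigit() or int(ifid) > 0xFFFF:
            raise ValueError(f"bad --if-networks entry: {entry!r}")
        if MAC_RE.fullmatch(key):
            key = key.lower()
        else:  # ip_network raises ValueError if this is not a network either
            key = str(ipaddress.ip_network(key, strict=False))
        mapping[key] = int(ifid)
    return mapping

def v5_interfaces(datagram):
    """Return [(input, output), ...], one pair per record in a v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    base, size = V5_HEADER.size, V5_RECORD.size
    if len(datagram) < base + count * size:
        raise ValueError("datagram truncated: header count exceeds payload")
    # input/output are record bytes 12-13 and 14-15 (unpacked fields 3 and 4)
    return [V5_RECORD.unpack_from(datagram, base + n * size)[3:5]
            for n in range(count)]

def unexpected_ids(datagram, spec):
    """Records whose input or output id is not one of the configured ids."""
    expected = set(parse_if_networks(spec).values())
    return [(n, i, o) for n, (i, o) in enumerate(v5_interfaces(datagram))
            if i not in expected or o not in expected]

def build_sample(pairs):
    """Constructed datagram for testing: one record per (input, output)."""
    header = V5_HEADER.pack(5, len(pairs), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(
        V5_RECORD.pack(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", bytes(4),
                       i, o, *([0] * 15)) for i, o in pairs)
```

With the mapping from the thread (ids 5 and 6), a record carrying input 1 and output 2 is reported, while a record carrying 5 and 6 is not.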
