Hi Luca, ok, thanks. I totally misunderstood the option then. --iface-id is maybe more suitable for my needs. However, I probably have to split cento into two instances, as I don't see how I could specify iface-id if I run only one instance of cento, e.g. cento -i fge1 -i fge2. But I think that cento -i fge1 --iface-id 5:7 and cento -i fge2 --iface-id 6:7 will work.
M.

On 01.12.2017 15:08, Luca Deri wrote:
> Matej
> it applies to the MAC address of the packets received by cento, not to the
> MAC of the NIC receiving them
>
> Luca
>
>
>> On 1 Dec 2017, at 10:55, Matěj Grégr <[email protected]> wrote:
>>
>> Hi Luca,
>> it's mirrored traffic. Does --if-networks option apply only for
>> traffic originated/received by the machine?
>>
>> M.
>>
>> On 12/01/2017 10:40 AM, Luca Deri wrote:
>>> Matěj,
>>> the problem of -b is that the rest of the CLI was not parsed.
>>>
>>> What type of traffic did you attach to fge1? Is traffic
>>> originated/received by the machine or is traffic mirrored to it? Can you
>>> please check this?
>>>
>>> Thanks Luca
>>>
>>> On 11/23/2017 09:42 PM, Matěj Grégr wrote:
>>>> Hello Luca,
>>>> hm, I don't see any difference. I tried to run cento from command line
>>>> using the following command:
>>>>
>>>> cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1
>>>> --syslog cento -D 0 --if-networks 68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>
>>>> fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
>>>> However, I still see input and output interface set to 1 and 2.
>>>>
>>>> Tried also with --if-networks @cento-networks
>>>> # cat cento-networks
>>>> 68:05:CA:34:89:C0@5
>>>>
>>>> But without success.
>>>>
>>>> M.
>>>>
>>>> On 21.11.2017 14:13, Luca Deri wrote:
>>>>> Hi Matěj,
>>>>>
>>>>> please change
>>>>>
>>>>> D=0
>>>>> --syslog=cento
>>>>> -b *<=== REMOVE*
>>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>>
>>>>>
>>>>> (remove -b)
>>>>>
>>>>> and it will work
>>>>>
>>>>> Regards Luca
>>>>>
>>>>> On 11/20/2017 05:21 PM, Matěj Grégr wrote:
>>>>>> Hello Luca,
>>>>>> I tried to use the following cento.conf:
>>>>>>
>>>>>> # cat /etc/cento/cento.conf
>>>>>> -p=/var/run/cento.pid
>>>>>> -t=30
>>>>>> -d=20
>>>>>> -9=x.x.x.x:9998
>>>>>> -i=fge1
>>>>>> -i=fge2
>>>>>> -g=0,1
>>>>>> -G=2,3
>>>>>> -D=0
>>>>>> --syslog=cento
>>>>>> -b
>>>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>>>
>>>>>> M.
>>>>>>
>>>>>> On 20.11.2017 12:17, Luca Deri wrote:
>>>>>>> Matej,
>>>>>>> can you please share the flow command line you are using?
>>>>>>>
>>>>>>> Luca
>>>>>>>
>>>>>>>> On 18 Nov 2017, at 21:21, Matěj Grégr <[email protected]> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>> following an older thread:
>>>>>>>>
>>>>>>>> On 10.02.2017 14:54, Luca Deri wrote:
>>>>>>>>> Hi Jesse
>>>>>>>>> please see below
>>>>>>>>>
>>>>>>>>> On 02/10/2017 02:08 PM, Jesse Alexander wrote:
>>>>>>>>>> First issue:
>>>>>>>>>> We are using cento to send netflow to multiple collectors for
>>>>>>>>>> analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We
>>>>>>>>>> are sending as version 5 netflow, which has a field for the
>>>>>>>>>> interface.
>>>>>>>>>>
>>>>>>>>>> Bytes 12-13, and 14-15 in the flow record
>>>>>>>>>> 12-13 | input | SNMP index of input interface
>>>>>>>>>> 14-15 | output | SNMP index of output interface
>>>>>>>>>> All of the flow packets are coming through with either "1" or "2"
>>>>>>>>>> for those values, which is causing problems with our Kentik service
>>>>>>>>>> and an internal collector.
>>>>>>>>>>
>>>>>>>>>> It appears this has been brought up before, but there isn't a
>>>>>>>>>> solution mentioned.
>>>>>>>>>> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/
>>>>>>>>>>
>>>>>>>>>> How do we get cento to correctly report the interface ID?
>>>>>>>>> In the current cento (devel) you can do
>>>>>>>>> --iface-id <in>:<out> | Set input/output interfaceId
>>>>>>>>> in exported flows
>>>>>>>>> where
>>>>>>>>> - interface indexes and (router) MAC/IP addresses
>>>>>>>>> Flag --iface-id is used to specify the SNMP interface identifiers
>>>>>>>>> for emitted flows.
>>>>>>>>> However using --if-networks it is possible to specify an interface
>>>>>>>>> identifier to which
>>>>>>>>> a MAC address or IP network is bound. The syntax of --if-networks
>>>>>>>>> is:
>>>>>>>>> <MAC|IP/mask>@<interfaceId> where multiple entries can be separated
>>>>>>>>> by a comma (,).
>>>>>>>>> Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
>>>>>>>>> --if-networks @<filename> where <filename> is a file path containing
>>>>>>>>> the networks
>>>>>>>>> specified using the above format.
>>>>>>>>>
>>>>>>>> It doesn't work for me. I have the same issue as Jesse - all flows from
>>>>>>>> cento are exported with if interface 1, out interface 2.
>>>>>>>>
>>>>>>>> I mirror traffic from router to the following two interfaces on cento
>>>>>>>> box:
>>>>>>>>
>>>>>>>> 3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>>> link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
>>>>>>>> 5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>>> link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
>>>>>>>>
>>>>>>>> I tried to set the interface indexes to 5 and 6 using:
>>>>>>>> --if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
>>>>>>>>
>>>>>>>> However, I still see only 1 for incoming and 2 for outgoing index in
>>>>>>>> flow data:
>>>>>>>>
>>>>>>>> Flow Record:
>>>>>>>> Flags = 0x00 FLOW, Unsampled
>>>>>>>> <snip>
>>>>>>>> input = 1
>>>>>>>> output = 2
>>>>>>>>
>>>>>>>> Running cento --version
>>>>>>>> v.1.3.171116
>>>>>>>>
>>>>>>>> Any idea what I am doing wrong?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Matej
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
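
Added example (not part of the original thread and not ntop's code): a minimal NetFlow v5 parser that reads the input and output interface indexes from bytes 12-13 and 14-15 of each flow record, as described in the quoted message, so a collector can confirm what cento exports after --iface-id or --if-networks is changed. The function names are hypothetical, the sample datagram is constructed, and the expected pairs 5:7 and 6:7 are taken from the proposal at the top of the thread.

```python
import socket
import struct

# NetFlow v5: a 24-byte header followed by `count` 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5_interfaces(datagram):
    """Return one dict per flow record with addresses and interface indexes."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("header announces %d records, datagram truncated" % count)
    flows = []
    for i in range(count):
        fields = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        src, dst, _nexthop, in_if, out_if = fields[:5]
        # in_if is record bytes 12-13, out_if is record bytes 14-15.
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "input": in_if, "output": out_if})
    return flows


def unexpected_interfaces(flows, expected):
    """Return the flows whose (input, output) pair is not in `expected`."""
    return [f for f in flows if (f["input"], f["output"]) not in expected]


def build_sample(records):
    """Build a constructed v5 datagram from (src, dst, input, output) tuples."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, i, o,
                    10, 840, 0, 0, 1234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
        for s, d, i, o in records)
    return HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body


if __name__ == "__main__":
    # Constructed sample: one flow still carrying 1/2, one carrying 5/7.
    pkt = build_sample([("192.0.2.10", "198.51.100.7", 1, 2),
                        ("192.0.2.11", "198.51.100.8", 5, 7)])
    flows = parse_v5_interfaces(pkt)
    for flow in unexpected_interfaces(flows, {(5, 7), (6, 7)}):
        print("unexpected interface pair:", flow)
```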
