Hi all,
I resolved this issue with Paolo off-list but post the resolution for the
benefit of others (with IP's sanitized). The solution for me was that all of
the traffic required 3 mpls's in the filter (mpls and mpls and mpls and ...
(rest of filter expression))
- matt
Hi Matt,
I see the traffic to 'w.x.y.z' is MPLS-labelled. It appears
there are 3 labels on the stack and they are all reported as zeroes
by tshark (doesn't make sense but that's how they get exported; but
maybe it's only a problem with tshark, I'm just busy and didn't have
time to see the hex code).
Anyway, can you try filtering as follows: 'mpls and mpls and mpls and
...' (i.e. an mpls word per label on the stack) and see if it works
as intended? That should be all the issue; filters processed by
libpcap are expected in such unfriendly (and inflexible) format.
To give you the full picture, i.e. you might be exporting mixed MPLS
(up to two labels) and IP traffic, the filter should become something
along these lines:
'(...) or (mpls and ...) or (mpls and mpls and ...)'
Let me know.
Cheers,
Paolo
On Tue, May 05, 2009 at 10:50:31AM -0700, Matt Lawson wrote:
> Hi Paolo,
>
> I have a packet capture example, taken from tshark with the following command:
>
> /usr/sbin/tshark -c2000 -ni eth0 -R udp.port==5000 -w cap_paolo2
>
> I view it with the following command:
>
> /usr/sbin/tshark -r cap_paolo2 -d udp.port==5000,cflow -V
>
>
> With packets near the beginning I see the "no template found" but near the
> end it is able to decode the messages so I assume the template is received
> during that time.
>
> If you remember the problem I was having, it was that pmacct worked fine as
> long as I captured everything, but I was unable to narrow down the captures
> using the aggregate_filter option.
>
> There are two IP's of interest in this example:
>
> a.b.c.d:80 This one will appear in the pmacct dump when using
> aggregate_filter.
>
> w.x.y.z:80 This one will not appear when using aggregate_filter.
>
> I have since updated pmacct to version 0.11.6 but it doesn't seem to make
> [much] difference.
>
> Here is my config file:
>
> debug: true
> daemonize: false
> nfacctd_disable_checks: true
> plugins: print[total]
> aggregate[total]: dst_host, dst_port, src_host, src_port, proto
> aggregate_filter[total]: dst port 80
> print_cache_entries: 1000001
> print_refresh_time: 10
> plugin_pipe_size: 10240000
> plugin_buffer_size: 10240
> interface: eth0
> nfacctd_ip: e.f.g.h
> nfacctd_port: 5000
> logfile: /var/log/nfacctd.log
>
> The only thing I change between runs is to comment out the "aggregate_filter"
> line.
>
> I have also tried setting interface to 'eth0', 'any' and leaving it out
> (note: tshark used eth0).
>
> So, the mystery is why is one IP seen when using aggregate_filter and the
> other is not? I appreciate your help and I know you have other demands on
> your time.
>
> Thanks,
> Matt
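As an added illustration of the point Paolo makes above (one `mpls` keyword per label on the stack, and an `or` of alternatives when the exported traffic mixes label depths), the following Python is not part of the thread or of pmacct: it reads the MPLS label stack out of a constructed Ethernet frame, counts entries up to the bottom-of-stack bit, and builds the matching libpcap expression for `aggregate_filter`. The frame bytes and the label values are made up for the example.

```python
import struct

ETHERTYPE_MPLS = (0x8847, 0x8848)  # MPLS unicast / multicast EtherTypes


def mpls_label_stack(frame: bytes):
    """Return [(label, tc, bos, ttl), ...] for an Ethernet frame; [] if it is not MPLS.

    Each stack entry is 4 bytes: 20-bit label, 3-bit TC, 1-bit bottom-of-stack
    (S), 8-bit TTL. The stack ends at the first entry with S set.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] not in ETHERTYPE_MPLS:
        return []
    entries, off = [], 14
    while True:
        if off + 4 > len(frame):
            raise ValueError("truncated MPLS label stack")
        word = struct.unpack("!I", frame[off:off + 4])[0]
        entries.append((word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF))
        off += 4
        if entries[-1][2]:  # bottom of stack reached
            return entries


def aggregate_filter_for(depths, inner: str) -> str:
    """Build '(inner) or (mpls and inner) or (mpls and mpls and inner) ...'.

    libpcap needs one 'mpls' per label before it will look at the IP header,
    so each label depth the exporter may send becomes its own alternative.
    """
    alternatives = []
    for depth in sorted(set(depths)):
        alternatives.append("(" + " and ".join(["mpls"] * depth + [inner]) + ")")
    return " or ".join(alternatives)


def filter_for_frame(frame: bytes, inner: str) -> str:
    """Derive the filter for exactly the label depth seen in one captured frame."""
    return aggregate_filter_for([len(mpls_label_stack(frame))], inner)


# Constructed sample: two MACs, EtherType 0x8847, three label entries
# (labels 100, 200, 300; S set on the last), then a 20-byte IPv4 placeholder.
SAMPLE_FRAME = (
    bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x8847)
    + struct.pack("!I", (100 << 12) | 64)
    + struct.pack("!I", (200 << 12) | 64)
    + struct.pack("!I", (300 << 12) | (1 << 8) | 64)
    + bytes(20)
)

if __name__ == "__main__":
    print(mpls_label_stack(SAMPLE_FRAME))
    print(filter_for_frame(SAMPLE_FRAME, "dst port 80"))
    print(aggregate_filter_for([0, 1, 2], "dst port 80"))
```

The mixed-depth call reproduces the '(...) or (mpls and ...) or (mpls and mpls and ...)' shape from Paolo's reply.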
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists