Hi Bernd, I've rewritten the pretag.map a bit, achieving the desired results. The one you posted suffered of some issues, mainly: a) L3 filters should have been written as in 'vlan and <L3 stuff>', b) matching a VLAN tag was sufficient condition to pass through. Below the suggested pretag.map:
id=999 ip=94.125.26.124 filter='vlan 365' jeq=eval_ip_01 id=999 ip=94.125.26.124 filter='vlan 555' jeq=eval_ip_01 id=999 ip=94.125.26.124 filter='vlan 360' jeq=eval_ip_01 id=999 ip=94.125.26.124 filter='vlan 359' jeq=eval_ip_01 id=999 ip=94.125.26.124 filter='vlan 800' jeq=eval_ip_01 id=999 ip=94.125.26.124 filter='vlan 354' jeq=eval_ip_01 id=999 ip=94.125.26.124 id=999 ip=94.125.26.125 filter='vlan 365' jeq=eval_ip_02 id=999 ip=94.125.26.125 filter='vlan 555' jeq=eval_ip_02 id=999 ip=94.125.26.125 filter='vlan 360' jeq=eval_ip_02 id=999 ip=94.125.26.125 filter='vlan 359' jeq=eval_ip_02 id=999 ip=94.125.26.125 filter='vlan 800' jeq=eval_ip_02 id=999 ip=94.125.26.125 filter='vlan 354' jeq=eval_ip_02 id=999 ip=94.125.26.125 id=1 ip=94.125.26.124 filter='vlan and (dst net 192.76.141.0/24 or dst net 194.55.246.0/23 or dst net 195.246.160.0/19 or dst net 88.215.224.0/19)' label=eval_ip_01 id=2 ip=94.125.26.124 filter='vlan and (src net 192.76.141.0/24 or src net 194.55.246.0/23 or src net 195.246.160.0/19 or src net 88.215.224.0/19)' id=1 ip=94.125.26.125 filter='vlan and (dst net 192.76.141.0/24 or dst net 194.55.246.0/23 or dst net 195.246.160.0/19 or dst net 88.215.224.0/19)' label=eval_ip_02 id=2 ip=94.125.26.125 filter='vlan and (src net 192.76.141.0/24 or src net 194.55.246.0/23 or src net 195.246.160.0/19 or src net 88.215.224.0/19)' Running your config (but memory plugins for simplicity) and the above pretag.map against the pcap file you posted i obtain the following results: $ ./src/pmacct -s -p /tmp/in.pipe TAG VLAN DST_IP PACKETS BYTES 1 365 88.215.253.151 1 82 1 365 88.215.253.58 2 152 1 365 88.215.253.10 22 1540 For a total of: 3 entries $ ./src/pmacct -s -p /tmp/out.pipe TAG VLAN SRC_IP PACKETS BYTES 2 359 195.246.160.11 2 234 2 555 88.215.253.10 40 60880 2 359 195.246.160.12 1 126 2 800 192.76.141.5 2 136 For a total of: 4 entries Cheers, Paolo On Mon, Jul 04, 2011 at 11:33:36AM +0000, Bernd Bornkessel wrote: > Hi Paolo, > > I tried to implement it using the pretag filtering. My configuration is the > following: > > /etc/sfacct/sfacct.conf: > > [ ... ] > > /etc/sfacct/pretag.map: > > [ ... ] > > I did some test transfers but unfortunately I don't get anything aggregated > by dst_host but flows aggregated by src_host with ip addresses that do not > match the filters. > > [ ... ] > > The Sflow files in pcap format can be downloaded from dropbox via > http://dl.dropbox.com/u/20778197/sflow.pcap > > Cheers, > Bernd _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
