Hi Chun Sing, On Sun, Jan 29, 2012 at 06:49:08PM +0800, Kerk Chun Sing wrote:
> What worries me is that I got couple of these lines, before seeing the > tables (with some numerical numbers). It kept repeating, is this normal? > > ====== > DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown > template 262 [::ffff:10.1.10.20:256]) > ====== This is OK. You should however see that only for a limited amount of time after having started nfacctd: NetFlow v9 is a templated-based protocol. Routers send templates to decode the actual data packets regularly; but until the first template comes in the collector doesn't know how to parse the packets. Hence the message you see above. So no worries. > Probably I will need to use customised mysql schemas instead of the > templates in /sql directory right? My advice is to check-point everything works for you (ie. you are able 'to see the numbers' from NetFlow ) with a plugin like memory or print. Once that is cleared out, move to the MySQL plugin (since that looks of interest to you). MAC addresses are supported from the very beginning, so you can use any of the default schemas; once you feel comfortable, sure, customize the schema for a better efficiency. Cheers, Paolo > Paolo Lucente wrote: >> Hi Chun Sing, >> >> It's valid that there are fields which are left numerical in the debug; >> i guess you ask because your L2 traffic is not being accounted (properly) >> by pmacct, right? If this is the case can you please say whether you see >> spurious data or nothing being accounted at all? >> >> Bottom line is L2 NetFlow is supported. If something is not working in >> a correct way, i'd be more than glad to assist you troubleshooting the >> issue. A good way to start could be sending me privately a trace of the >> full payload of your NetFlow datagrams (ie. using tpdump -s 1500) so >> that i can have a look and, if required, replay in lab. >> >> Let me know. >> >> Cheers, >> Paolo >> >> On Sun, Jan 29, 2012 at 12:00:45PM +0800, Kerk Chun Sing wrote: >>> Hi all, >>> >>> I'm new to pmacct, hope someone can shed some light on the symptom that >>> I'm seeing. >>> >>> I'm exporting L2 netflow with the following template, however from the >>> nfacctd debug log, some of entries are interpreted as "58" and "256". >>> Is there something that I will need to tweak? >>> >>> /chunsing >>> >>> =================== >>> hostname# show flow record netflow layer2-switched input >>> Flow record netflow layer2-switched input: >>> Description: layer2-switched input NetFlow >>> No. of users: 1 >>> Template ID: 262 >>> Fields: >>> match interface input >>> match interface output >>> match datalink mac source-address >>> match datalink mac destination-address >>> match datalink source-vlan-id >>> match datalink ethertype >>> match flow direction >>> collect counter bytes >>> collect counter packets >>> collect timestamp sys-uptime first >>> collect timestamp sys-uptime last >>> ==================== >>> >>> INFO ( default/core ): waiting for NetFlow data on :::9995 >>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown >>> template 262 [::ffff:10.1.10.20:256]) >>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr>:256 >>> DEBUG ( default/core ): NfV9 template type : flow >>> DEBUG ( default/core ): NfV9 template ID : 260 >>> DEBUG ( default/core ): ---------------------------------------- >>> DEBUG ( default/core ): | field type | offset | size | >>> DEBUG ( default/core ): | input snmp | 0 | 4 | >>> DEBUG ( default/core ): | output snmp | 4 | 4 | >>> DEBUG ( default/core ): | direction | 8 | 1 | >>> DEBUG ( default/core ): | 256 | 9 | 2 | >>> DEBUG ( default/core ): | in bytes | 11 | 4 | >>> DEBUG ( default/core ): ---------------------------------------- >>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 15 >>> DEBUG ( default/core ): >>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr> :256 >>> DEBUG ( default/core ): NfV9 template type : flow >>> DEBUG ( default/core ): NfV9 template ID : 262 >>> DEBUG ( default/core ): ---------------------------------------- >>> DEBUG ( default/core ): | field type | offset | size | >>> DEBUG ( default/core ): | input snmp | 0 | 4 | >>> DEBUG ( default/core ): | output snmp | 4 | 4 | >>> DEBUG ( default/core ): | in src mac | 8 | 6 | >>> DEBUG ( default/core ): | out dst mac | 14 | 6 | >>> DEBUG ( default/core ): | 58 | 20 | 2 | >>> DEBUG ( default/core ): | direction | 22 | 1 | >>> DEBUG ( default/core ): |256 | 23 | 2 | >>> DEBUG ( default/core ): | in bytes | 25 | 4 | >>> DEBUG ( default/core ): | in packets | 29 | 4 | >>> DEBUG ( default/core ): | last switched | 37 | 4 | >>> DEBUG ( default/core ): ---------------------------------------- >>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 41 >>> DEBUG ( default/core ): >>> >> >>> _______________________________________________ >>> pmacct-discussion mailing list >>> http://www.pmacct.net/#mailinglists >> >> _______________________________________________ >> pmacct-discussion mailing list >> http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
