*edit* created file nfacctd.conf

On Wed, Feb 1, 2012 at 8:01 PM, johan lotter <[email protected]> wrote:
> Thanks Paolo
>
> I've created a file called nfacct.conf
> placed it in the same directory as pmacct.conf
> edited as follows:
>
> !
> daemonize: true
> plugins: mysql
> aggregate: sum_host
> nfacctd_port: 5678
> sql_refresh_time: 10
> sql_history: 10m
> sql_history_roundoff: mh
> sql_table_version: 4
> ! ..
>
> executed with nfacctd -f nfacctd.conf
> enabled Netflow (Traffic-Flow on my router) and told it to send
> traffic to IP address of listening NIC on port 5678
>
> Yet I'm not receiving any data
>
> Any help re this would be very very much appreciated as quite new to
> Linux and scripting etc.
>
> Thanks
>
> On Sun, Jan 29, 2012 at 12:49 PM, <[email protected]>
> wrote:
>> Send pmacct-discussion mailing list submissions to
>> [email protected]
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://www.pmacct.net/mailman/listinfo/pmacct-discussion
>> or, via email, send a message with subject or body 'help' to
>> [email protected]
>>
>> You can reach the person managing the list at
>> [email protected]
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of pmacct-discussion digest..."
>>
>> Today's Topics:
>>
>> 1. Re: NetFlow (Paolo Lucente)
>> 2. Re: IPv4 vs IPv6 accounting (Michal Ludvig)
>> 3. Re: IPv4 vs IPv6 accounting (Michal Ludvig)
>> 4. Re: IPv4 vs IPv6 accounting (Paolo Lucente)
>> 5. Re: sql_history and sql_refresh_time (Paolo Lucente)
>> 6. Is layer2 netflow supported? (Kerk Chun Sing)
>> 7. Re: Is layer2 netflow supported? (Paolo Lucente)
>> 8. Re: Is layer2 netflow supported? (Kerk Chun Sing)
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <[email protected]>
>> To: [email protected]
>> Cc:
>> Date: Fri, 27 Jan 2012 00:08:21 +0000
>> Subject: Re: [pmacct-discussion] NetFlow
>> Hi Johan,
>>
>> Stick more to the example in section V of that same document, the one
>> revolving around nfacctd (your case) and sfacctd. Two issues i can see
>> are: 1) you should use nfacctd daemon (NetFlow collector) rather than
>> pmacctd (which is the daemon to read data via libcap library, ie. off
>> a mirror port) and 2) you should use memory, print or one of the SQL
>> plugins rather than nfprobe (which is aimed at letting pmacct export
>> NetFlow data to remote collectors). Hope this helps.
>>
>> Cheers,
>> Paolo
>>
>> On Thu, Jan 26, 2012 at 11:19:11AM +0200, johan lotter wrote:
>>> Hi
>>>
>>> Am trying to get my Mikrotik Router Board to send traffic to pmacct
>>> using Traffic-Flow which is compatible with NetFLow.
>>>
>>> Have configured my Router accordingly.
>>>
>>> And configured
>>>
>>> /etc/pmacct/pmacctd.conf
>>>
>>> using the below guide
>>>
>>> http://wiki.pmacct.net/OfficialExamples
>>>
>>> So it looks as follows:
>>>
>>> !
>>> daemonize: true
>>> interface: eth1
>>> aggregate: src_host, dst_host, src_port, dst_port, proto, tos
>>> plugins: nfprobe
>>> nfprobe_receiver: 192.168.88.150:2100
>>> nfprobe_version: 5
>>> ! nfprobe_engine: 1:1
>>> ! nfprobe_timeouts: tcp=120:maxlife=3600
>>> !
>>> ! networks_file: /path/to/networks.lst
>>> ! classifiers: /path/to/classifiers/
>>> ! snaplen: 700
>>> !...
>>>
>>> What do I need to change?
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> pmacct-discussion mailing list
>>> http://www.pmacct.net/#mailinglists
>>
>> ---------- Forwarded message ----------
>> From: Michal Ludvig <[email protected]>
>> To: Paolo Lucente <[email protected]>, [email protected]
>> Cc:
>> Date: Fri, 27 Jan 2012 13:36:35 +1300
>> Subject: Re: [pmacct-discussion] IPv4 vs IPv6 accounting
>> Hi Paolo,
>>
>> On 01/27/2012 12:58 PM, Paolo Lucente wrote:
>>>
>>> plugins: v4, v6
>>> aggregate_filter[v4]: ip
>>> aggregate_filter[v6]: ip6
>>> aggregate[v4]: none
>>> aggregate[v6]: none
>>
>> thanks for that. So my config now looks like this:
>>
>> ! debug: true
>> daemonize: true
>> interface: vlan120, vlan121, vlan128
>> plugins: v4, v6
>> aggregate_filter[v4]: ip
>> aggregate_filter[v6]: ip6
>> aggregate[v4]: none
>> aggregate[v6]: none
>>
>> But fails upon startup:
>>
>> ~ # pmacctd -f pmacct-v4v6.conf
>> ERROR ( pmacct-v4v6.conf ): Unknown plugin type: v4. Ignoring.
>> ERROR ( pmacct-v4v6.conf ): Unknown plugin type: v6. Ignoring.
>> WARN ( pmacct-v4v6.conf ): No plugin has been activated; defaulting to
>> in-memory table.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v4'. Line 5 ignored.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v6'. Line 6 ignored.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v4'. Line 7 ignored.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v6'. Line 8 ignored.
>>
>> Sorry I'm a pmacct newbie and may need a bit of a hand-holding :)
>>
>> Thanks
>>
>> Mike
>>
>> ---------- Forwarded message ----------
>> From: Michal Ludvig <[email protected]>
>> To: [email protected]
>> Cc:
>> Date: Fri, 27 Jan 2012 13:45:49 +1300
>> Subject: Re: [pmacct-discussion] IPv4 vs IPv6 accounting
>> On 01/27/2012 01:36 PM, Michal Ludvig wrote:
>>>
>>> Hi Paolo,
>>>
>>> On 01/27/2012 12:58 PM, Paolo Lucente wrote:
>>>>
>>>> plugins: v4, v6
>>>> aggregate_filter[v4]: ip
>>>> aggregate_filter[v6]: ip6
>>>> aggregate[v4]: none
>>>> aggregate[v6]: none
>>>
>>> thanks for that.
>>
>> Ah, got it working now:
>>
>> ! debug: true
>> daemonize: false
>> interface: vlan120
>> plugins: memory[v4], memory[v6]
>> aggregate_filter[v4]: ip
>> aggregate_filter[v6]: ip6
>> aggregate[v4]: none
>> aggregate[v6]: none
>> imt_path[v4]: /tmp/pmacct-v4.pipe
>> imt_path[v6]: /tmp/pmacct-v6.pipe
>>
>> One last thing .. can I somehow put more interfaces in there and have the
>> v4/v6 stats per interface?
>>
>> Thanks
>>
>> Mike
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <[email protected]>
>> To: [email protected]
>> Cc:
>> Date: Fri, 27 Jan 2012 03:15:30 +0000
>> Subject: Re: [pmacct-discussion] IPv4 vs IPv6 accounting
>> Hi Mike,
>>
>> Great you got it working.
>>
>> On Fri, Jan 27, 2012 at 01:45:49PM +1300, Michal Ludvig wrote:
>>
>>> One last thing .. can I somehow put more interfaces in there and have
>>> the v4/v6 stats per interface?
>>
>> Sorry for not having picked your question up in my previous email:
>> no, you must have a pmacctd process running per interface.
>>
>> Cheers,
>> Paolo
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <[email protected]>
>> To: [email protected]
>> Cc:
>> Date: Fri, 27 Jan 2012 07:18:07 +0000
>> Subject: Re: [pmacct-discussion] sql_history and sql_refresh_time
>> Hi Yossi,
>>
>> On Thu, Jan 26, 2012 at 05:17:20AM -0800, Yossi Ozani wrote:
>>
>>> - sql_history - "store" information as long as N time units . N is the
>>> time slot(1m or 1h or ....)
>>
>> sql_history chops traffic aggregates into time-bins. If primitives that are
>> selected via the 'aggregate' directive define a spatial aggregation, then
>> sql_history defines a further dimension - temporal aggregation.
>>
>>> - sql_refresh_time - define a timer which trigger a procedure which, in
>>> generally, copy the data stored in sql_history to my plugin(e.g. MySQL)
>>
>> Data gathered from the network is aggregated and cached in memory. The value
>> of sql_refresh_time defines the time data is cached in memory before being
>> written to the backend (ie. a MySQL database). While the two directives are
>> independent, and unless some corner scenario is to be covered, recommendation
>> is to let them coincide to optimize performances, ie. avoid issuing UPDATE
>> SQL queries.
>>
>> Cheers,
>> Paolo
>>
>> ---------- Forwarded message ----------
>> From: Kerk Chun Sing <[email protected]>
>> To: [email protected]
>> Cc:
>> Date: Sun, 29 Jan 2012 12:00:45 +0800
>> Subject: [pmacct-discussion] Is layer2 netflow supported?
>> Hi all,
>>
>> I'm new to pmacct, hope someone can shed some light on the symptom that I'm
>> seeing.
>>
>> I'm exporting L2 netflow with the following template, however from the
>> nfacctd debug log, some of entries are interpreted as "58" and "256".
>> Is there something that I will need to tweak?
>>
>> /chunsing
>>
>> ===================
>> hostname# show flow record netflow layer2-switched input
>> Flow record netflow layer2-switched input:
>> Description: layer2-switched input NetFlow
>> No. of users: 1
>> Template ID: 262
>> Fields:
>> match interface input
>> match interface output
>> match datalink mac source-address
>> match datalink mac destination-address
>> match datalink source-vlan-id
>> match datalink ethertype
>> match flow direction
>> collect counter bytes
>> collect counter packets
>> collect timestamp sys-uptime first
>> collect timestamp sys-uptime last
>> ====================
>>
>> INFO ( default/core ): waiting for NetFlow data on :::9995
>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown
>> template 262 [::ffff:10.1.10.20:256])
>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr>:256
>> DEBUG ( default/core ): NfV9 template type : flow
>> DEBUG ( default/core ): NfV9 template ID : 260
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): | field type | offset | size |
>> DEBUG ( default/core ): | input snmp | 0 | 4 |
>> DEBUG ( default/core ): | output snmp | 4 | 4 |
>> DEBUG ( default/core ): | direction | 8 | 1 |
>> DEBUG ( default/core ): | 256 | 9 | 2 |
>> DEBUG ( default/core ): | in bytes | 11 | 4 |
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 15
>> DEBUG ( default/core ):
>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr> :256
>> DEBUG ( default/core ): NfV9 template type : flow
>> DEBUG ( default/core ): NfV9 template ID : 262
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): | field type | offset | size |
>> DEBUG ( default/core ): | input snmp | 0 | 4 |
>> DEBUG ( default/core ): | output snmp | 4 | 4 |
>> DEBUG ( default/core ): | in src mac | 8 | 6 |
>> DEBUG ( default/core ): | out dst mac | 14 | 6 |
>> DEBUG ( default/core ): | 58 | 20 | 2 |
>> DEBUG ( default/core ): | direction | 22 | 1 |
>> DEBUG ( default/core ): | 256 | 23 | 2 |
>> DEBUG ( default/core ): | in bytes | 25 | 4 |
>> DEBUG ( default/core ): | in packets | 29 | 4 |
>> DEBUG ( default/core ): | last switched | 37 | 4 |
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 41
>> DEBUG ( default/core ):
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <[email protected]>
>> To: [email protected]
>> Cc:
>> Date: Sun, 29 Jan 2012 07:40:19 +0000
>> Subject: Re: [pmacct-discussion] Is layer2 netflow supported?
>> Hi Chun Sing,
>>
>> It's valid that there are fields which are left numerical in the debug;
>> i guess you ask because your L2 traffic is not being accounted (properly)
>> by pmacct, right? If this is the case can you please say whether you see
>> spurious data or nothing being accounted at all?
>>
>> Bottom line is L2 NetFlow is supported. If something is not working in
>> a correct way, i'd be more than glad to assist you troubleshooting the
>> issue. A good way to start could be sending me privately a trace of the
>> full payload of your NetFlow datagrams (ie. using tpdump -s 1500) so
>> that i can have a look and, if required, replay in lab.
>>
>> Let me know.
>>
>> Cheers,
>> Paolo
>>
>> On Sun, Jan 29, 2012 at 12:00:45PM +0800, Kerk Chun Sing wrote:
>>> Hi all,
>>>
>>> I'm new to pmacct, hope someone can shed some light on the symptom that
>>> I'm seeing.
>>>
>>> I'm exporting L2 netflow with the following template, however from the
>>> nfacctd debug log, some of entries are interpreted as "58" and "256".
>>> Is there something that I will need to tweak?
>>>
>>> /chunsing
>>>
>>> ===================
>>> hostname# show flow record netflow layer2-switched input
>>> Flow record netflow layer2-switched input:
>>> Description: layer2-switched input NetFlow
>>> No. of users: 1
>>> Template ID: 262
>>> Fields:
>>> match interface input
>>> match interface output
>>> match datalink mac source-address
>>> match datalink mac destination-address
>>> match datalink source-vlan-id
>>> match datalink ethertype
>>> match flow direction
>>> collect counter bytes
>>> collect counter packets
>>> collect timestamp sys-uptime first
>>> collect timestamp sys-uptime last
>>> ====================
>>>
>>> INFO ( default/core ): waiting for NetFlow data on :::9995
>>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown
>>> template 262 [::ffff:10.1.10.20:256])
>>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr>:256
>>> DEBUG ( default/core ): NfV9 template type : flow
>>> DEBUG ( default/core ): NfV9 template ID : 260
>>> DEBUG ( default/core ): ----------------------------------------
>>> DEBUG ( default/core ): | field type | offset | size |
>>> DEBUG ( default/core ): | input snmp | 0 | 4 |
>>> DEBUG ( default/core ): | output snmp | 4 | 4 |
>>> DEBUG ( default/core ): | direction | 8 | 1 |
>>> DEBUG ( default/core ): | 256 | 9 | 2 |
>>> DEBUG ( default/core ): | in bytes | 11 | 4 |
>>> DEBUG ( default/core ): ----------------------------------------
>>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 15
>>> DEBUG ( default/core ):
>>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr> :256
>>> DEBUG ( default/core ): NfV9 template type : flow
>>> DEBUG ( default/core ): NfV9 template ID : 262
>>> DEBUG ( default/core ): ----------------------------------------
>>> DEBUG ( default/core ): | field type | offset | size |
>>> DEBUG ( default/core ): | input snmp | 0 | 4 |
>>> DEBUG ( default/core ): | output snmp | 4 | 4 |
>>> DEBUG ( default/core ): | in src mac | 8 | 6 |
>>> DEBUG ( default/core ): | out dst mac | 14 | 6 |
>>> DEBUG ( default/core ): | 58 | 20 | 2 |
>>> DEBUG ( default/core ): | direction | 22 | 1 |
>>> DEBUG ( default/core ): |256 | 23 | 2 |
>>> DEBUG ( default/core ): | in bytes | 25 | 4 |
>>> DEBUG ( default/core ): | in packets | 29 | 4 |
>>> DEBUG ( default/core ): | last switched | 37 | 4 |
>>> DEBUG ( default/core ): ----------------------------------------
>>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 41
>>> DEBUG ( default/core ):
>>>
>>
>>> _______________________________________________
>>> pmacct-discussion mailing list
>>> http://www.pmacct.net/#mailinglists
>>
>> ---------- Forwarded message ----------
>> From: Kerk Chun Sing <[email protected]>
>> To: Paolo Lucente <[email protected]>, [email protected]
>> Cc:
>> Date: Sun, 29 Jan 2012 18:49:08 +0800
>> Subject: Re: [pmacct-discussion] Is layer2 netflow supported?
>> Hi Paolo,
>>
>> Thanks for the reply.
>>
>> What worries me is that I got couple of these lines, before seeing the
>> tables (with some numerical numbers). It kept repeating, is this normal?
>>
>> ======
>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown
>> template 262 [::ffff:10.1.10.20:256])
>> ======
>>
>> Probably I will need to use customised mysql schemas instead of the
>> templates in /sql directory right?
>>
>> /chunsing
>>
>> Paolo Lucente wrote:
>>
>> Hi Chun Sing,
>>
>> It's valid that there are fields which are left numerical in the debug;
>> i guess you ask because your L2 traffic is not being accounted (properly)
>> by pmacct, right? If this is the case can you please say whether you see
>> spurious data or nothing being accounted at all?
>>
>> Bottom line is L2 NetFlow is supported. If something is not working in
>> a correct way, i'd be more than glad to assist you troubleshooting the
>> issue. A good way to start could be sending me privately a trace of the
>> full payload of your NetFlow datagrams (ie. using tpdump -s 1500) so
>> that i can have a look and, if required, replay in lab.
>>
>> Let me know.
>>
>> Cheers,
>> Paolo
>>
>> On Sun, Jan 29, 2012 at 12:00:45PM +0800, Kerk Chun Sing wrote:
>>
>> Hi all,
>>
>> I'm new to pmacct, hope someone can shed some light on the symptom that
>> I'm seeing.
>>
>> I'm exporting L2 netflow with the following template, however from the
>> nfacctd debug log, some of entries are interpreted as "58" and "256".
>> Is there something that I will need to tweak?
>>
>> /chunsing
>>
>> ===================
>> hostname# show flow record netflow layer2-switched input
>> Flow record netflow layer2-switched input:
>> Description: layer2-switched input NetFlow
>> No. of users: 1
>> Template ID: 262
>> Fields:
>> match interface input
>> match interface output
>> match datalink mac source-address
>> match datalink mac destination-address
>> match datalink source-vlan-id
>> match datalink ethertype
>> match flow direction
>> collect counter bytes
>> collect counter packets
>> collect timestamp sys-uptime first
>> collect timestamp sys-uptime last
>> ====================
>>
>> INFO ( default/core ): waiting for NetFlow data on :::9995
>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown
>> template 262 [::ffff:10.1.10.20:256])
>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr>:256
>> DEBUG ( default/core ): NfV9 template type : flow
>> DEBUG ( default/core ): NfV9 template ID : 260
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): | field type | offset | size |
>> DEBUG ( default/core ): | input snmp | 0 | 4 |
>> DEBUG ( default/core ): | output snmp | 4 | 4 |
>> DEBUG ( default/core ): | direction | 8 | 1 |
>> DEBUG ( default/core ): | 256 | 9 | 2 |
>> DEBUG ( default/core ): | in bytes | 11 | 4 |
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 15
>> DEBUG ( default/core ):
>> DEBUG ( default/core ): NfV9 agent : ::ffff:<my_ip_addr> :256
>> DEBUG ( default/core ): NfV9 template type : flow
>> DEBUG ( default/core ): NfV9 template ID : 262
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): | field type | offset | size |
>> DEBUG ( default/core ): | input snmp | 0 | 4 |
>> DEBUG ( default/core ): | output snmp | 4 | 4 |
>> DEBUG ( default/core ): | in src mac | 8 | 6 |
>> DEBUG ( default/core ): | out dst mac | 14 | 6 |
>> DEBUG ( default/core ): | 58 | 20 | 2 |
>> DEBUG ( default/core ): | direction | 22 | 1 |
>> DEBUG ( default/core ): |256 | 23 | 2 |
>> DEBUG ( default/core ): | in bytes | 25 | 4 |
>> DEBUG ( default/core ): | in packets | 29 | 4 |
>> DEBUG ( default/core ): | last switched | 37 | 4 |
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 41
>> DEBUG ( default/core ):
>>
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
>>
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
>>
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
>>

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
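
Added example, not part of the original thread and not pmacct's code: a NetFlow v9 template cache in Python showing why a collector reports "unknown template 262" for data flowsets that arrive before the exporter's template, and how field types 58 and 256 decode once the template is known. The `Collector` class, `demo()` and the sample datagrams are constructed for illustration; the template follows the 41-byte layout in the quoted debug table, with "first switched" assumed at offset 33.

```python
import struct

# Names as in the thread's nfacctd debug tables; 58 = v9 SRC_VLAN, 256 = IPFIX ethernetType.
NAMES = {1: "in bytes", 2: "in packets", 10: "input snmp", 14: "output snmp",
         21: "last switched", 22: "first switched", 56: "in src mac",
         57: "out dst mac", 58: "src vlan", 61: "direction", 256: "ethertype"}
TEMPLATE_262 = [(10, 4), (14, 4), (56, 6), (57, 6), (58, 2), (61, 1), (256, 2),
                (1, 4), (2, 4), (22, 4), (21, 4)]  # constructed; record size 41

class Collector:
    def __init__(self):  # templates: (agent, source_id, template_id) -> [(type, size)]
        self.templates, self.discarded = {}, []

    def feed(self, agent, dgram):
        if len(dgram) < 20 or struct.unpack_from("!H", dgram)[0] != 9:
            raise ValueError("not a NetFlow v9 datagram")
        source_id, records, pos = struct.unpack_from("!I", dgram, 16)[0], [], 20
        while pos + 4 <= len(dgram):
            fs_id, fs_len = struct.unpack_from("!HH", dgram, pos)
            if fs_len < 4 or pos + fs_len > len(dgram):
                raise ValueError("flowset length runs past the datagram")
            body, key = dgram[pos + 4:pos + fs_len], (agent, source_id, fs_id)
            if fs_id == 0:                    # template flowset
                self._learn(agent, source_id, body)
            elif fs_id >= 256 and key in self.templates:
                records += self._decode(self.templates[key], body)
            elif fs_id >= 256:                # data for a template not seen yet
                self.discarded.append((agent, fs_id))
            pos += fs_len
        return records

    def _learn(self, agent, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, n = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + 4 * n
            if tid < 256 or end > len(body):  # padding or truncated template
                break
            self.templates[agent, source_id, tid] = list(
                struct.iter_unpack("!HH", body[pos + 4:end]))
            pos = end

    def _decode(self, fields, body):
        size, out = sum(s for _, s in fields), []
        for off in (range(0, len(body) - size + 1, size) if size else ()):
            rec = {}
            for ftype, fsize in fields:
                raw, off = body[off:off + fsize], off + fsize
                rec[NAMES.get(ftype, str(ftype))] = (
                    raw.hex(":") if ftype in (56, 57) else int.from_bytes(raw, "big"))
            out.append(rec)
        return out

def demo(agent="192.0.2.1"):  # constructed exporter; data arrives before template
    c, hdr = Collector(), struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0)
    tmpl = hdr + struct.pack("!26H", 0, 52, 262, 11, *sum(TEMPLATE_262, ()))
    data = hdr + struct.pack("!HHII6s6sHBHIIII3x", 262, 48, 3, 7, b"\x02" * 6,
                             b"\x04" * 6, 120, 0, 0x0800, 1500, 1, 10, 20)
    return c.feed(agent, data), c.feed(agent, tmpl), c.feed(agent, data), c.discarded
```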
