Hi Paolo.

I have looked at the packets as you suggested, and decoded the templates that are coming across, and I think you are correct. Mikrotik mention something about the NetFlow (they call it Traffic-Flow) actually coming from the INPUT chain of the Linux iptables firewall, or something like that (I will check what I think I read). I wonder if this is why there is no MAC address information.

FYI I have a dump here: http://www.css-networks.com/dump.bin
and a Wireshark decode of that same dump here: http://www.css-networks.com/output.txt

I'll ask on the Mikrotik forums to see if there's a solution, otherwise I will just have to somehow marry up the MAC addresses from the DHCP handout. I want to do some public WiFi hotspot stuff and the law requires that we log people sending emails and their MAC addresses and stuff.

Thanks for the great software by the way!

cheers,
Carl

________________________________________
From: [email protected] [[email protected]] on behalf of Paolo Lucente [[email protected]]
Sent: 17 May 2012 18:41
To: [email protected]
Subject: Re: [pmacct-discussion] missing (zero'd) src_mac and dst_mac with nfacctd and mikrotik router (netflow v9)

Hi Carl,

Should you debug NetFlow v9 packets coming from the Mikrotik, do you actually see MAC addresses being reported? What you describe makes me think such information is not included. Let me know, should the information be there it would be nice to get a brief trace of the NetFlow export (full packet payload) to inspect it.

Cheers,
Paolo

On Thu, May 17, 2012 at 04:04:39PM +0000, Carl Farrington wrote:
> Hi. I wonder if anybody can help.
> I am using nfacctd as a netflow v9 -> mysql collector for a Mikrotik router
> (RouterOS v5.16).
> I have added src_mac and dst_mac to the aggregate, but the mac addresses are
> just entered as zeros.
> Interestingly, before I added those to the aggregate, the src_mac and were
> being logged as 0:0:0:0:0:0, and after I added to the aggregate, it's showing
> as 00:00:00:00:00:00.
> I'm new to all this stuff really, but I wonder if you have any tips for
> troubleshooting?
> My nfacctd.conf looks like:
> daemonize: false
> aggregate_filter[newapp]: dst port 25 or 443
> aggregate[newapp]: src_mac, dst_mac, src_port, dst_port, src_host, dst_host
> nfacctd_time_new: true
> plugins: mysql[newapp]
> sql_db: pmacct
> sql_table: acct
> sql_table_version: 1
> sql_passwd: acleverpassword
> sql_user: pmacctdbuser
> sql_refresh_time: 90
> sql_history: 5m
> sql_history_roundoff: mh
>
> Operating system is CentOS 5.7, x64.
>
> I had to compile with --disable-so.
>
> Thanks,
>
> Carl

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
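
The check discussed in this thread (whether the exporter's NetFlow v9 templates carry MAC fields at all) can be done by walking the Template FlowSets in an export packet. The following is an added example, not part of the original thread and not pmacct code; the function names are hypothetical, the two sample packets are constructed, and the field type numbers are those listed in RFC 3954.

```python
import struct

# NetFlow v9 field types that carry MAC addresses (RFC 3954, section 8).
MAC_FIELDS = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}

def parse_templates(packet: bytes) -> dict:
    """Return {template_id: [(field_type, field_length), ...]} for one v9 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte NetFlow v9 header")
    (version,) = struct.unpack_from("!H", packet, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    templates, off = {}, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("FlowSet length runs past the packet")
        if fs_id == 0:  # 0 = Template FlowSet; 1 = options, >255 = data
            pos, end = off + 4, off + fs_len
            while pos + 4 <= end:
                tid, nfields = struct.unpack_from("!HH", packet, pos)
                if tid < 256:  # template IDs start at 256; anything else is padding
                    break
                pos += 4
                if pos + 4 * nfields > end:
                    raise ValueError("template record truncated")
                templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                                  for i in range(nfields)]
                pos += 4 * nfields
        off += fs_len
    return templates

def mac_fields(templates: dict) -> dict:
    """Map each template ID to the MAC field names it exports (empty list = none)."""
    return {tid: [MAC_FIELDS[t] for t, _ in fields if t in MAC_FIELDS]
            for tid, fields in templates.items()}

def build_packet(templates: dict) -> bytes:
    """Build a constructed v9 packet holding only Template FlowSets (test input)."""
    body = b""
    for tid, fields in templates.items():
        rec = struct.pack("!HH", tid, len(fields))
        rec += b"".join(struct.pack("!HH", t, ln) for t, ln in fields)
        body += struct.pack("!HH", 0, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, len(templates), 0, 0, 0, 0) + body

# Constructed samples: an L3/L4-only template, and one that also exports MACs.
NO_MAC = build_packet({256: [(8, 4), (12, 4), (7, 2), (11, 2), (1, 4)]})
WITH_MAC = build_packet({257: [(8, 4), (56, 6), (57, 6)]})
```

An empty list for every template means the collector has nothing to fill `src_mac` and `dst_mac` from, whatever the aggregate says.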
