Hi Carl,

Yes, from the output you posted I confirm the issue.

I have never dealt with Mikrotik myself but: in case you can add/remove
3rd party software - and install pmacct - pmacct can also act as a probe
(sFlow, NetFlow, IPFIX) and report on arbitrary combinations of L2/L3/L4
primitives.

Cheers,
Paolo

On Thu, May 17, 2012 at 09:03:59PM +0000, Carl Farrington wrote:
> Hi Paolo. I have looked at the packets as you suggested, and decoded the
> templates that are coming across, and I think you are correct.
> Mikrotik mention something about the NetFlow (they call it Traffic-Flow)
> actually coming from the INPUT chain of the Linux iptables firewall, or
> something like that (I will check what I think I read). I wonder if this is
> why there is no MAC address information.
> FYI I have a dump here: http://www.css-networks.com/dump.bin
> and a wireshark decode of that same dump here:
> http://www.css-networks.com/output.txt
> I'll ask on the Mikrotik forums to see if there's a solution, otherwise I
> will just have to somehow marry up the MAC addresses from the DHCP handout. I
> want to do some public WiFi hotspot stuff and the law requires that we log
> people sending emails and their MAC addresses and stuff.
>
> Thanks for the great software by the way!
>
> cheers,
> Carl
> ________________________________________
> From: [email protected]
> [[email protected]] on behalf of Paolo Lucente
> [[email protected]]
> Sent: 17 May 2012 18:41
> To: [email protected]
> Subject: Re: [pmacct-discussion] missing (zero'd) src_mac and dst_mac with
> nfacctd and mikrotik router (netflow v9)
>
> Hi Carl,
>
> Should you debug NetFlow v9 packets coming from the Mikrotik, do
> you actually see MAC addresses being reported? What you describe
> makes me think such information is not included. Let me know,
> should the information be there it would be nice to get a brief
> trace of the NetFlow export (full packet payload) to inspect it.
>
> Cheers,
> Paolo
>
> On Thu, May 17, 2012 at 04:04:39PM +0000, Carl Farrington wrote:
> > Hi.
> > I wonder if anybody can help.
> > I am using nfacctd as a netflow v9 -> mysql collector for a Mikrotik router
> > (routerOS v5.16).
> > I have added src_mac and dst_mac to the aggregate, but the mac addresses
> > are just entered as zeros.
> > Interestingly, before I added those to the aggregate, the src_mac and dst_mac were
> > being logged as 0:0:0:0:0:0, and after I added to the aggregate, it's
> > showing as 00:00:00:00:00:00.
> > I'm new to all this stuff really, but I wonder if you have any tips for
> > troubleshooting?
> > My nfacctd.conf looks like:
> > daemonize: false
> > aggregate_filter[newapp]: dst port 25 or 443
> > aggregate[newapp]: src_mac, dst_mac, src_port, dst_port, src_host, dst_host
> > nfacctd_time_new: true
> > plugins: mysql[newapp]
> > sql_db: pmacct
> > sql_table: acct
> > sql_table_version: 1
> > sql_passwd: acleverpassword
> > sql_user: pmacctdbuser
> > sql_refresh_time: 90
> > sql_history: 5m
> > sql_history_roundoff: mh
> >
> > Operating system is CentOS 5.7, x64.
> >
> > I had to compile with --disable-so.
> >
> >
> > Thanks,
> >
> > Carl
> > _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
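An added example, not code from this thread or from pmacct, that performs the check Paolo asks for: it parses the template flowset of a NetFlow v9 export and lists which MAC address information elements each template actually carries. The two packets are constructed inline (one L3/L4-only export like the one Carl describes, one that does include MAC fields); the element IDs 56/57/80/81 are the standard v9 MAC elements, and a collector cannot fill src_mac/dst_mac when the template omits them.

```python
import struct

# Standard NetFlow v9 information elements that carry MAC addresses.
MAC_FIELDS = {56: "IN_SRC_MAC", 57: "OUT_DST_MAC", 80: "IN_DST_MAC", 81: "OUT_SRC_MAC"}


def parse_v9_templates(packet):
    """Return {template_id: [(field_type, field_len), ...]} from one v9 packet."""
    version, _count = struct.unpack("!HH", packet[:4])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    templates = {}
    offset = 20  # fixed header: version, count, uptime, unix secs, seq, source id
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack("!HH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("malformed flowset length")
        end = offset + length
        if flowset_id == 0:  # template flowset; options (1) and data (>=256) are skipped
            pos = offset + 4
            while pos + 4 <= end:
                tid, nfields = struct.unpack("!HH", packet[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", packet[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[tid] = fields
        offset = end
    return templates


def mac_fields_exported(templates):
    """Map each template id to the MAC element names it carries (empty = none)."""
    return {tid: [MAC_FIELDS[t] for t, _ in fields if t in MAC_FIELDS]
            for tid, fields in templates.items()}


def build_packet(template_id, fields):
    """Construct a minimal v9 packet holding a single template record."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, l) for t, l in fields)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return struct.pack("!HHIIII", 9, 1, 0, 0, 0, 0) + flowset


# Constructed samples: bytes/pkts/proto/ports/addrs only, and the same plus MACs.
NO_MAC = build_packet(256, [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (11, 2), (12, 4)])
WITH_MAC = build_packet(257, [(8, 4), (12, 4), (56, 6), (80, 6), (1, 4)])

if __name__ == "__main__":
    for name, pkt in (("no_mac", NO_MAC), ("with_mac", WITH_MAC)):
        print(name, mac_fields_exported(parse_v9_templates(pkt)))
```

Run against a real capture by passing each UDP payload from the exporter to parse_v9_templates; an empty list for every template means the zeros in the database come from the exporter, not the collector.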
