Hi Pat,

It should be that the BGP daemon and the NetFlow exporters have different IP
addresses and pmacct needs a hint how to correlate them. This is done with
bgp_agent_map. In your case I believe even a one-liner will suffice:

bgp_ip=184.150.172.190 ip=0.0.0.0/0

Don't know if "I would like to have all traffic coming from these devices
to be marked as coming from/going to a particular AS" should read as you
want to override BGP for some prefixes or so. Should this be the case,
keeping nfacctd_net and nfacctd_as_new on 'fallback', you can resort to
networks_file for that.

Cheers,
Paolo

On Fri, Jul 18, 2014 at 01:24:25PM -0700, THE MIGHTY VEXORG wrote:
> Hello,
> I have netflow coming from a few devices where the source AS and
> destination AS both show up as 0 and is confirmed with tcpdump captures,
> so nfacctd dutifully stores these in the database with zeroes. I would
> like to have all traffic coming from these devices to be marked as
> coming from/going to a particular AS. How can I do that? I'm running
> nfacctd 1.5.0rc3. BGP daemon appears to be working correctly as I see
> routing information show up in BGP daemon msglog. Below is my config:
>
> daemonize: true
> pidfile: /var/run/nfacctd.pid
> logfile: /tmp/nfacctd.log
> nfacctd_allow_file: /etc/pmacct/nfacctd.allow
>
> aggregate[flows]: src_as, dst_as, peer_src_ip, peer_dst_ip, as_path
> interface: eth0
>
> nfacctd_port: 9995
> nfacctd_disable_checks: true
> nfacctd_time_new: true
> nfacctd_as_new: fallback
> nfacctd_net: fallback
>
> bgp_daemon: true
> bgp_daemon_ip: X.X.X.X
> bgp_daemon_port: 179
> bgp_daemon_msglog: true
> bgp_peer_src_as_type: bgp
> bgp_src_as_path_type: bgp
>
> plugins: pgsql[flows]
> plugin_buffer_size: 102400
> plugin_pipe_size: 10240000
>
> sql_host[flows]: localhost
> sql_user[flows]: pmacct
> sql_passwd[flows]: XXXX
> sql_refresh_time[flows]: 300
> sql_optimize_clauses[flows]: true
> sql_history[flows]: 5m
> sql_history_roundoff[flows]: mhd
> sql_table_version[flows]: 1
> sql_table_type[flows]: bgp
> sql_dont_try_update[flows]: true
> sql_use_copy[flows]: true
>
> BGP daemon snippet, showing it is receiving routes:
>
> Jul 17 11:19:17 INFO ( default/core/BGP ): [Id: 184.150.172.190] u
> Prefix: '128.73.86.0/24' Path_Id: '0' Path: '6453 1299 1273 3216 3216
> 3216 8402' Comms: '577:55 577:4110 577:5504 577:6453 577:10100 577:21136
> 577:32426 5780:6539' EComms: '' LP: '100' MED: '0' Nexthop: '64.230.195.164'
> Jul 17 11:19:17 INFO ( default/core/BGP ): [Id: 184.150.172.190] u
> Prefix: '164.85.32.0/19' Path_Id: '0' Path: '6453 6762 23074' Comms:
> '577:55 577:4110 577:5504 577:6453 577:10100 577:21136 577:32426
> 5780:6539' EComms: '' LP: '100' MED: '0' Nexthop: '64.230.195.164'
> Jul 17 11:19:17 INFO ( default/core/BGP ): [Id: 184.150.172.190] u
> Prefix: '109.251.178.0/24' Path_Id: '0' Path: '3549 21011 31148 31148
> 31148' Comms: '577:55 577:5604 577:11100 577:22111' EComms: '' LP: '110'
> MED: '0' Nexthop: '64.230.195.155'
> Jul 17 11:19:17 INFO ( default/core/BGP ): [Id: 184.150.172.190] u
> Prefix: '188.231.196.0/24' Path_Id: '0' Path: '3549 21011 31148' Comms:
> '577:55 577:5604 577:11100 577:22111' EComms: '' LP: '110' MED: '0'
> Nexthop: '64.230.195.155'
>
> database snippet:
>
> Jul 17 11:20:01 INFO ( flows/pgsql ): *** Purging cache - START (PID:
> 8685) ***
> Jul 17 11:20:01 DEBUG ( flows/pgsql ): COPY acct_bgp (stamp_updated,
> stamp_inserted, as_src, as_dst, as_path, peer_ip_src, peer_ip_dst,
> packets, bytes) FROM STDIN DELIMITER ','
> Jul 17 11:20:01 DEBUG ( flows/pgsql ): 2014-07-17 11:20:01,2014-07-17
> 11:15:00,0,0,,64.230.15.243,64.230.200.244,5139,7417346
> Jul 17 11:20:01 DEBUG ( flows/pgsql ): 2014-07-17 11:20:01,2014-07-17
> 11:15:00,0,0,,64.230.15.243,64.230.15.132,4636,6674365
> Jul 17 11:20:01 DEBUG ( flows/pgsql ): 2014-07-17 11:20:01,2014-07-17
> 11:15:00,0,0,,64.230.15.243,64.230.193.151,3933,5720197
>
>
> Thanks,
> Pat
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
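
An added example, not part of the thread and not pmacct code: a Python check that reads an nfacctd log like the one quoted above, collects the BGP peer Ids and the exporters whose rows were written with AS 0/0, and lists exporters that have no BGP session from the same address, with candidate bgp_agent_map lines in the syntax used in the reply. The sample log is constructed from the quoted lines (unwrapped, plus one made-up healthy row), the function names are hypothetical, and peer_ip_src is assumed to hold the exporter address.

```python
import re
from collections import Counter

# Constructed sample, modelled on the (unwrapped) log lines quoted in the thread.
# The last row is made up: an exporter whose address matches the BGP peer.
SAMPLE_LOG = """\
Jul 17 11:19:17 INFO ( default/core/BGP ): [Id: 184.150.172.190] u Prefix: '128.73.86.0/24' Path_Id: '0'
Jul 17 11:20:01 INFO ( flows/pgsql ): *** Purging cache - START (PID: 8685) ***
Jul 17 11:20:01 DEBUG ( flows/pgsql ): COPY acct_bgp (stamp_updated, stamp_inserted, as_src, as_dst, as_path, peer_ip_src, peer_ip_dst, packets, bytes) FROM STDIN DELIMITER ','
Jul 17 11:20:01 DEBUG ( flows/pgsql ): 2014-07-17 11:20:01,2014-07-17 11:15:00,0,0,,64.230.15.243,64.230.200.244,5139,7417346
Jul 17 11:20:01 DEBUG ( flows/pgsql ): 2014-07-17 11:20:01,2014-07-17 11:15:00,0,0,,64.230.15.243,64.230.15.132,4636,6674365
Jul 17 11:20:01 DEBUG ( flows/pgsql ): 2014-07-17 11:20:01,2014-07-17 11:15:00,6453,3216,6453 3216,184.150.172.190,64.230.195.164,10,1500
"""

BGP_ID = re.compile(r"/core/BGP \): \[Id: ([0-9A-Fa-f.:]+)\]")
COPY = re.compile(r"/pgsql \): COPY \S+ \(([^)]*)\) FROM STDIN DELIMITER '(.)'")
ROW = re.compile(r"DEBUG \( \S+/pgsql \): (.+)$")

def audit(log_text):
    """Return (BGP peer Ids, Counter of AS 0/0 rows per exporter)."""
    peers, zero_rows, cols, delim = set(), Counter(), None, ","
    for line in log_text.splitlines():
        if m := BGP_ID.search(line):
            peers.add(m.group(1))
        elif m := COPY.search(line):
            # Column order is taken from the COPY statement, not hard-coded.
            cols = [c.strip() for c in m.group(1).split(",")]
            delim = m.group(2)
        elif cols and (m := ROW.search(line)):
            fields = m.group(1).split(delim)
            if len(fields) != len(cols):
                continue  # some other DEBUG line, not a COPY data row
            row = dict(zip(cols, fields))
            if row.get("as_src") == "0" and row.get("as_dst") == "0":
                # Assumption: peer_ip_src is the NetFlow exporter address.
                zero_rows[row.get("peer_ip_src")] += 1
    return peers, zero_rows

def unmapped_exporters(log_text):
    """Exporters with AS 0/0 rows and no BGP session from the same address."""
    peers, zero_rows = audit(log_text)
    return {ip: n for ip, n in zero_rows.items() if ip not in peers}

def suggest_agent_map(log_text):
    """Candidate map lines; only when a single peer makes the choice unambiguous."""
    peers, _ = audit(log_text)
    if len(peers) != 1:
        return []
    (peer,) = peers
    return [f"bgp_ip={peer} ip={ip}" for ip in sorted(unmapped_exporters(log_text))]
```

Per-exporter lines like these are the narrower alternative to the `ip=0.0.0.0/0` catch-all, which ties every exporter to the one BGP peer.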
