Hi Thomas,

I ack the fact pmacct is not handling any post* field types for bytes and packets count. Can we follow up privately on this? I would need two things: 1) a trace of the NetFlow packets (including templates) so as to be able to replay it in the lab; 2) a better explanation of what to do with the post* field values; I'd assume you want to pick those instead of the regular packets and bytes fields.
Cheers,
Paolo

On Fri, Dec 04, 2015 at 02:53:49PM -0300, Thomas M Steenholdt wrote:
> Hi guys,
>
> I have set up a nfacctd collector, to receive flow info from FortiGate
> devices (and Cisco as well) in our network.
>
> The NetFlow numbers we get from the FortiGate appear strange though.
> Having processed everything with Fortinet support, it looks like nfacctd
> only picks up "octets" and "packets" but misses info from "postOctets"
> and "postPackets".
>
> With Fortinet support, we established a controlled session (isolated
> file download) and dumped netflow traffic (analyzed by Fortinet) for the
> entire session. Comparing numbers from the dump and the info that
> nfacctd stores in the database, the "octets" and "packets" match
> exactly. But without getting the "post*" numbers with us, the total
> traffic does not reflect reality.
>
> sFlow with sfacctd works perfectly, but I need NetFlow for all devices.
>
> Is this a known problem or am I missing an important part of the
> configuration for this to work? Configuration looks like this:
>
> -----
> ! nfacctd configuration
> !
> !
> !
> daemonize: true
> syslog: daemon
> !debug: true
> pidfile: /var/run/nfacctd.pid
>
> !
> ! interested in in- and outbound traffic
> aggregate[netflow1m]: peer_src_ip,src_host,dst_host
> aggregate[netflow1h]: peer_src_ip,src_host,dst_host
>
> ! interested only in normal traffic
> aggregate_filter[netflow1m]: net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16
> aggregate_filter[netflow1h]: net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16
>
> ! on this interface
> interface: eth0
> nfacctd_ip: 10.10.10.10
> nfacctd_port: 2055
> nfacctd_time_new: true
> !nfacctd_renormalize: true
>
> !
> ! storage methods
> plugins: mysql[netflow1m], mysql[netflow1h]
>
> !sql_host: localhost
> !sql_passwd:
>
> ! reduce the size of the insert/update clause
> sql_optimize_clauses: true
>
> ! ip addresses as integers
> sql_num_hosts: true
>
> ! locking style
> sql_locking_style: row
>
> sql_table[netflow1m]: netflow1m
> sql_table[netflow1h]: netflow1h
>
> ! refresh the db every 5 minutes
> sql_refresh_time[netflow1m]: 60
> sql_refresh_time[netflow1h]: 300
>
> ! accumulate values in each row for up to an hour
> sql_history[netflow1m]: 1m
> sql_history[netflow1h]: 1h
>
> ! try updates?
> sql_dont_try_update[netflow1m]: true
> sql_dont_try_update[netflow1h]: false
>
> ! create new rows on the minute, hour, day boundaries
> sql_history_roundoff[netflow1m]: m
> sql_history_roundoff[netflow1h]: h
>
> !
> ! in case of emergency, log to this file
> ! DISABLED since it's not supported with BGP primitives (peer_src_ip) aggregate
> !sql_recovery_logfile: /var/lib/pmacct/recovery_nf_log
> !
> -----
>
> Thanks in advance.
>
> /Thomas
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
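Paolo asks for a packet trace including templates, and for a decision on whether the post* counters replace or supplement the regular ones. The script below is an added example, not pmacct code and not anything posted in the thread: a minimal NetFlow v9 decoder that keeps templates across packets (so a data set seen before its template is dropped, as a collector must) and tallies IN_BYTES/IN_PKTS (field types 1 and 2, IPFIX octetDeltaCount/packetDeltaCount) separately from OUT_BYTES/OUT_PKTS (field types 23 and 24, IPFIX postOctetDeltaCount/postPacketDeltaCount). Run over the UDP payloads of a capture such as the controlled-download session, it shows per direction what the exporter actually put on the wire, which is the comparison needed to decide "add" versus "substitute". The packet it parses is constructed here for the example; the addresses, counters and template id 256 are not taken from any real export.

```python
"""Decode NetFlow v9 exports and tally IN_* versus OUT_* (post*) counters.

Added example, not pmacct code. The sample packet is CONSTRUCTED for this
example; it is not a capture from a FortiGate or any other device.
Field type numbers follow the NetFlow v9 / IPFIX registry:
  1 IN_BYTES (octetDeltaCount)        23 OUT_BYTES (postOctetDeltaCount)
  2 IN_PKTS  (packetDeltaCount)       24 OUT_PKTS  (postPacketDeltaCount)
  8 IPV4_SRC_ADDR                     12 IPV4_DST_ADDR
"""
import socket
import struct

IN_BYTES, IN_PKTS = 1, 2
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12
OUT_BYTES, OUT_PKTS = 23, 24


def parse_netflow_v9(payload, templates=None):
    """Decode one export packet. Returns (records, templates); templates is
    keyed by (source_id, template_id) and must be passed back in on the
    next packet so data sets can be decoded once their template is seen."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", payload, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet: version %d" % version)
    records, off = [], 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4:
            raise ValueError("bad flowset length %d at offset %d" % (fs_len, off))
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:  # template flowset: (template_id, field_count, (type, len)*)
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                fields = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data flowset, id == template id
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            p = 0
            # no template yet (or empty one): the whole set is undecodable and dropped
            while rec_len and p + rec_len <= len(body):  # leftover < rec_len is padding
                rec = {}
                for ftype, flen in fields:
                    raw = body[p:p + flen]
                    p += flen
                    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and flen == 4:
                        rec[ftype] = socket.inet_ntoa(raw)
                    else:
                        rec[ftype] = int.from_bytes(raw, "big")
                records.append(rec)
        # fs_id 1 (options template) and 2..255 (reserved) are skipped here
        off += fs_len
    return records, templates


def replay(payloads):
    """Feed a sequence of export payloads (e.g. from a capture) through one
    template cache, as a collector would, and return all decoded records."""
    templates, out = {}, []
    for payload in payloads:
        recs, templates = parse_netflow_v9(payload, templates)
        out.extend(recs)
    return out


def tally(records):
    """Sum the forward (IN_*) and post* (OUT_*) counters separately so they
    can be compared against a known transfer before deciding how to combine them."""
    t = {"in_bytes": 0, "in_pkts": 0, "out_bytes": 0, "out_pkts": 0}
    for r in records:
        t["in_bytes"] += r.get(IN_BYTES, 0)
        t["in_pkts"] += r.get(IN_PKTS, 0)
        t["out_bytes"] += r.get(OUT_BYTES, 0)
        t["out_pkts"] += r.get(OUT_PKTS, 0)
    return t


def build_sample_packet(include_template=True):
    """CONSTRUCTED NetFlow v9 export: template 256 plus two data records.
    Addresses are from the RFC 5737 documentation range and private space."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (IN_BYTES, 4),
              (IN_PKTS, 4), (OUT_BYTES, 4), (OUT_PKTS, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(
        struct.pack("!HH", t, n) for t, n in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    flows = [  # (src, dst, in_bytes, in_pkts, out_bytes, out_pkts)
        ("10.1.1.5", "198.51.100.20", 1500, 10, 120000, 90),  # small request, large reply
        ("10.1.1.7", "10.2.2.2", 800, 5, 600, 4),
    ]
    data_body = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!IIII", ib, ip, ob, op)
                         for s, d, ib, ip, ob, op in flows)
    data_set = struct.pack("!HH", 256, 4 + len(data_body)) + data_body
    nrecs = len(flows) + (1 if include_template else 0)
    header = struct.pack("!HHIIII", 9, nrecs, 123456, 1449240000, 1, 0)
    return header + (tmpl_set if include_template else b"") + data_set


if __name__ == "__main__":
    recs = replay([build_sample_packet()])
    t = tally(recs)
    print("records:", len(recs))
    print("IN only (what the database shows):", t["in_bytes"], "bytes", t["in_pkts"], "pkts")
    print("OUT/post* only:                   ", t["out_bytes"], "bytes", t["out_pkts"], "pkts")
    print("IN + OUT:                         ", t["in_bytes"] + t["out_bytes"], "bytes")
```

To use it on a real trace, extract the UDP payloads destined to the collector port (2055 in the configuration above) in capture order and pass them to replay(); the template must precede the data sets in that order, or the data sets are silently dropped, which is why Paolo asks for the templates to be included. Comparing in_bytes, out_bytes and their sum against the size of the isolated download tells you which combination matches reality for that exporter.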
