Hi Paolo,

I have a trace that I did with the Fortinet engineers, that I'll try to send
you privately along with other useful info I got from those guys.

Thanks.

/Thomas

On 2015-12-05 12:00, Paolo Lucente wrote:
> Hi Thomas,
>
> I ack the fact pmacct is not handling any post* field types for bytes
> and packets count. Can we follow up privately on this; I would need
> two things: 1) a trace of the NetFlow packets (including templates)
> so to be able to replay it in lab; 2) a better explanation of what to
> do with the post* fields values - I'd assume you want to pick those
> instead of the regular packets and bytes fields.
>
> Cheers,
> Paolo
>
> On Fri, Dec 04, 2015 at 02:53:49PM -0300, Thomas M Steenholdt wrote:
>> Hi guys,
>>
>> I have set up an nfacctd collector, to receive flow info from FortiGate
>> devices (and Cisco as well) in our network.
>>
>> The NetFlow numbers we get from the FortiGate appear strange though.
>> Having processed everything with Fortinet support, it looks like nfacctd
>> only picks up "octets" and "packets" but misses info from "postOctets"
>> and "postPackets".
>>
>> With Fortinet support, we established a controlled session (isolated
>> file download) and dumped netflow traffic (analyzed by Fortinet) for the
>> entire session. Comparing numbers from the dump and the info that
>> nfacctd stores in the database, the "octets" and "packets" match
>> exactly. But without getting the "post*" numbers with us, the total
>> traffic does not reflect reality.
>>
>> sFlow with sfacctd works perfectly, but I need NetFlow for all devices.
>>
>> Is this a known problem or am I missing an important part of the
>> configuration for this to work? Configuration looks like this:
>>
>> -----
>> ! nfacctd configuration
>> !
>> !
>> !
>> daemonize: true
>> syslog: daemon
>> !debug: true
>> pidfile: /var/run/nfacctd.pid
>>
>> !
>> ! interested in in- and outbound traffic
>> aggregate[netflow1m]: peer_src_ip,src_host,dst_host
>> aggregate[netflow1h]: peer_src_ip,src_host,dst_host
>>
>> ! interested only in normal traffic
>> aggregate_filter[netflow1m]: net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16
>> aggregate_filter[netflow1h]: net 10.0.0.0/8 or net 172.16.0.0/12 or net 192.168.0.0/16
>>
>> ! on this interface
>> interface: eth0
>> nfacctd_ip: 10.10.10.10
>> nfacctd_port: 2055
>> nfacctd_time_new: true
>> !nfacctd_renormalize: true
>>
>> !
>> ! storage methods
>> plugins: mysql[netflow1m], mysql[netflow1h]
>>
>> !sql_host: localhost
>> !sql_passwd:
>>
>> ! reduce the size of the insert/update clause
>> sql_optimize_clauses: true
>>
>> ! ip addresses as integers
>> sql_num_hosts: true
>>
>> ! locking style
>> sql_locking_style: row
>>
>> sql_table[netflow1m]: netflow1m
>> sql_table[netflow1h]: netflow1h
>>
>> ! refresh the db every 5 minutes
>> sql_refresh_time[netflow1m]: 60
>> sql_refresh_time[netflow1h]: 300
>>
>> ! accumulate values in each row for up to an hour
>> sql_history[netflow1m]: 1m
>> sql_history[netflow1h]: 1h
>>
>> ! try updates?
>> sql_dont_try_update[netflow1m]: true
>> sql_dont_try_update[netflow1h]: false
>>
>> ! create new rows on the minute, hour, day boundaries
>> sql_history_roundoff[netflow1m]: m
>> sql_history_roundoff[netflow1h]: h
>>
>> !
>> ! in case of emergency, log to this file
>> ! DISABLED since it's not supported with BGP primitives (peer_src_ip) aggregate
>> !sql_recovery_logfile: /var/lib/pmacct/recovery_nf_log
>> !
>> -----
>>
>> Thanks in advance.
>>
>> /Thomas
>>
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
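The thread turns on nfacctd reading NetFlow v9 field types 1 and 2 (IN_BYTES / IN_PKTS, the "octets" and "packets" Thomas sees) but not 23 and 24 (OUT_BYTES / OUT_PKTS, the "postOctets" and "postPackets" that are missing). The Python below is an added example written for this page; it is not pmacct code and not anything the posters sent. It decodes a NetFlow v9 export (template FlowSet plus data FlowSet, keyed by source ID, data records skipped when no template has been seen, which is why Paolo asks for a trace that includes templates) and then aggregates per (src, dst) in three modes: regular fields only (what the thread reports nfacctd doing), post* fields instead (Paolo's assumption), or both summed (the "total traffic" Thomas compared against). The field numbers are from the NetFlow v9 / IPFIX registry; the packet and the flow records are constructed inside the block, and which mode matches a given exporter is exactly what a trace like Thomas's would have to settle.

```python
"""Minimal NetFlow v9 decoder that keeps the post* counters (added example)."""
import struct
from ipaddress import IPv4Address

# NetFlow v9 / IPFIX field type numbers (IANA registry).
IN_BYTES, IN_PKTS, OUT_BYTES, OUT_PKTS = 1, 2, 23, 24   # octet/packetDeltaCount, post*
IPV4_SRC_ADDR, IPV4_DST_ADDR = 8, 12
TEMPLATE_FIELDS = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4),
                   (IN_BYTES, 4), (IN_PKTS, 4), (OUT_BYTES, 4), (OUT_PKTS, 4)]


def build_v9_packet(records, template_id=256, source_id=1, with_template=True):
    """Build one NetFlow v9 export: [header][template FlowSet][data FlowSet].
    Constructed test input, not a capture from a FortiGate or any other device."""
    flowsets = b""
    if with_template:
        body = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
        for ftype, flen in TEMPLATE_FIELDS:
            body += struct.pack("!HH", ftype, flen)
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body   # FlowSet ID 0 = template
    data = b""
    for r in records:
        data += struct.pack("!4s4sIIII", IPv4Address(r["src"]).packed,
                            IPv4Address(r["dst"]).packed, r["in_bytes"],
                            r["in_pkts"], r["out_bytes"], r["out_pkts"])
    data += b"\x00" * ((-len(data)) % 4)                          # pad to 32-bit boundary
    flowsets += struct.pack("!HH", template_id, 4 + len(data)) + data
    count = len(records) + (1 if with_template else 0)
    header = struct.pack("!HHIIII", 9, count, 0, 1449244800, 1, source_id)
    return header + flowsets


def parse_v9(packet):
    """Decode every data record into {field_type: value}. Templates are cached
    per (source_id, template_id); data FlowSets without a known template are dropped."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                  # template FlowSet, may hold several
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                p += 4
                fields = [struct.unpack_from("!HH", body, p + 4 * i) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:                              # data FlowSet
            fields = templates.get((source_id, fs_id))
            rec_len = sum(flen for _, flen in fields) if fields else 0
            p = 0
            while fields and rec_len and p + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    raw = body[p:p + flen]
                    p += flen
                    rec[ftype] = (str(IPv4Address(raw)) if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR)
                                  else int.from_bytes(raw, "big"))
                records.append(rec)
        off += fs_len
    return records


def totals(records, mode="sum"):
    """Aggregate (bytes, packets) per (src, dst).
    mode="in":   IN_BYTES/IN_PKTS only   (what the thread says nfacctd stores)
    mode="post": OUT_BYTES/OUT_PKTS only (Paolo's 'pick those instead' reading)
    mode="sum":  both added together     (the session total Thomas compared)"""
    use_in, use_post = mode in ("in", "sum"), mode in ("post", "sum")
    out = {}
    for r in records:
        key = (r[IPV4_SRC_ADDR], r[IPV4_DST_ADDR])
        b = (r.get(IN_BYTES, 0) if use_in else 0) + (r.get(OUT_BYTES, 0) if use_post else 0)
        p = (r.get(IN_PKTS, 0) if use_in else 0) + (r.get(OUT_PKTS, 0) if use_post else 0)
        ob, op = out.get(key, (0, 0))
        out[key] = (ob + b, op + p)
    return out


# Constructed flow records (hypothetical values, not from the Fortinet session).
SAMPLE_RECORDS = [
    {"src": "10.1.1.5", "dst": "192.168.2.9", "in_bytes": 1000, "in_pkts": 10, "out_bytes": 5000, "out_pkts": 20},
    {"src": "10.1.1.5", "dst": "192.168.2.9", "in_bytes": 500, "in_pkts": 5, "out_bytes": 2500, "out_pkts": 8},
    {"src": "10.1.1.6", "dst": "192.168.2.9", "in_bytes": 300, "in_pkts": 3, "out_bytes": 900, "out_pkts": 4},
]


def demo():
    """Decode the constructed export and return the three accountings side by side."""
    recs = parse_v9(build_v9_packet(SAMPLE_RECORDS))
    return {mode: totals(recs, mode) for mode in ("in", "post", "sum")}


if __name__ == "__main__":
    for mode, agg in demo().items():
        print(mode, agg)
```

Run as a script it prints the three aggregations; the "in" row reproduces the shortfall described in the thread, and the gap between "in" and "sum" is the post* traffic that never reached the database.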
