Hi Mattias, From what i read so far I believe the pesky bit here is that you are using pmacctd (which is the libpcap-based daemon) rather than nfacctd (which is the NetFlow collector daemon, which collects and analyses/dissects NetFlow packets).
Cheers, Paolo On Fri, Aug 19, 2016 at 12:37:39PM +0000, Mattias Larsson wrote: > Hi Markus, > > Not sure what you mean with that the server does NOT accept/process the > packets due to it target to another MAC address. > > I thought the pmacctd used the libpcap the same way that tcpdump does and > analyses packets. But with tcpdump I have to use -vvv the all of the packet. > > This is what I get when i'm writing to plain text-file. > > SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TOS,PACKETS,FLOWS,BYTES > 192.168.1.1,172.16.0.100,52043,2055,udp,0,10,1,2416 > > 192.168.1.1 = router > 172.16.0.100 = Netflow-server (not same server where I'm running pmacct on) > > My server with pmacct has an interface (eth2) without any ip configurations > connected to the same switch as the netflow-server. The server recieves all > udp/2055 packets from the switch (SPAN) > > Iptables are disabled on the server. > > > /Mattias > > > On Fri, Aug 19, 2016 at 1:00 PM Markus Weber <[email protected]> wrote: > > > Hi Matthias, > > > > could it be that your hosts does NOT accept/process the packets as those > > are targeted to another MAC address? If you run wireshark/tcpdump the > > interface to put into promiscuous mode to get them ... > > > > If all have the same dst mac just change your interface facing the SPAN > > port to it. > > > > > > Other than that: any host "firewall" rules active? > > > > > > Markus > > > > > > On 19.08.2016 11:21, Jentsch, Mario wrote: > > > > Hi Mattias, > > > > > > > > do you have a drawing of your setup? I have to admit that it is unclear to > > me… > > > > > > > > Thanks, > > > > Mario > > > > > > > > *From:* pmacct-discussion [mailto:[email protected] > > <[email protected]>] *On Behalf Of *Mattias Larsson > > *Sent:* Thursday, August 18, 2016 1:36 PM > > *To:* [email protected] > > *Subject:* [pmacct-discussion] Only packets from router to netflow server > > > > > > > > > > > > I use a SPAN port on my switch to capture all netflow (udp 2055) packets > > and send it to a interface where my pmacct server has one extra interface > > connected to. > > > > > > > > But when I look on the traffic/packets that pmacctd genereates it seems > > only be the IP packets between my router and netflow server. It seems it > > not decodes the cisco netflow payload/data. > > > > > > > > When I do a tcpdump on the interface and look at it with wireshark I can > > see see the flows. > > > > > > > > Any suggestion what I'm doing wrong? > > > > > > > > Thanks in advance! > > > > > > Mattias > > > > > > _______________________________________________ > > pmacct-discussion mailing listhttp://www.pmacct.net/#mailinglists > > > > > > _______________________________________________ > > pmacct-discussion mailing list > > http://www.pmacct.net/#mailinglists > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
