Hi Paolo, On Sat, Feb 22, 2020 at 4:18 PM Paolo Lucente <pa...@pmacct.net> wrote:
> > Hi Alex, > > Is it possible with the new setup - the one where pre_tag_map does not > match anything - the traffic is VLAN-tagged (or MPLS-labelled)? If so, > you should adjust filters accordingly and add 'vlan and', ie. "vlan and > src net 192.168.28.0/24 or vlan and src net 192.168.100.0/24". > The traffic is not VLAN or MPLS. It is simple one. I confirm I can collect traffic when removing the pretag directives. Also when stopping uacctd, I can capture traffic at nflog:1 interface. I simplified the configuration as below: ! daemonize: true promisc: false uacctd_group: 1 ! pre_tag_map: pretag2.map pre_tag_filter[print_wan0_in]: 1 pre_tag_filter[print_wan0_out]: 2 ! !------------------------------------------------- plugins: print[print_wan0_in], print[print_wan0_out] print_refresh_time: 10 print_history: 15m print_output_file_append: true ! print_output[print_wan0_in]: csv print_output[print_wan0_out]: csv print_output_file[print_wan0_in]: traffic-wan0-in.csv print_output_file[print_wan0_out]: traffic-wan0-out.csv ! aggregate[print_wan0_in]: tag, src_host, dst_host, src_port, dst_port, proto aggregate[print_wan0_out]: tag, src_host, dst_host, src_port, dst_port, proto ! with pretag2.map set_tag=1 filter='src net 192.168.28.0/24' set_tag=2 filter='dst net 192.168.28.0/24' As soon as I enable the pretag directives as below, I do not see any traffic being collected from uacctd at NFLOG goup 1 pre_tag_map: pretag2.map pre_tag_filter[print_wan0_in]: 1 pre_tag_filter[print_wan0_out]: 2 I am running pmacct 1.7.4. > Paolo > > On Fri, Feb 21, 2020 at 01:04:25PM +0200, Alex K wrote: > > Working further on this, it seems that for pmacct is sufficient to filter > > traffic using only the pre_tag_filter, thus no need for the aggregation > > filters. > > The issue with this setup though is that I loose the information of the > > pre_nat source IP address when monitoring at the WAN interfaces. Due to > > this I am switching to uacctd as following: > > > > ! > > daemonize: true > > promisc: false > > uacctd_group: 1 > > !networks_file: networks.lst > > !ports_file: ports.lst > > ! > > pre_tag_map: pretag2.map > > pre_tag_filter[print_wan0_in]: 1 > > pre_tag_filter[print_wan0_out]: 2 > > pre_tag_filter[wan0_in]: 1 > > pre_tag_filter[wan0_out]: 2 > > ! > > plugins: print[print_wan0_in], print[print_wan0_out], mysql[wan0_in], > > mysql[wan0_out] > > plugin_pipe_size[wan0_in]: 1024000 > > plugin_pipe_size[wan0_out]: 1024000 > > print_refresh_time: 10 > > print_history: 15m > > print_output_file_append: true > > ! > > print_output[print_wan0_in]: csv > > print_output_file[print_wan0_in]: in_traffic.csv > > print_output[print_wan0_out]: csv > > print_output_file[print_wan0_out]: out_traffic.csv > > ! > > aggregate[print_wan0_in]: dst_host, src_port, dst_port, proto > > aggregate[print_wan0_out]: src_host, src_port, dst_port, proto > > ! > > sql_table[wan0_in]: traffic_wan0_in_%Y%m%d_%H%M > > sql_table[wan0_out]: traffic_wan0_out_%Y%m%d_%H%M > > ! > > sql_table_schema[wan0_in]: traffic_wan0_in.schema > > sql_table_schema[wan0_out]: traffic_wan0_out.schema > > ! > > sql_host: localhost > > sql_db : uacct > > sql_user : uacct > > sql_passwd: uacct > > sql_refresh_time: 30 > > sql_optimize_clauses: true > > sql_history : 24h > > sql_history_roundoff: mhd > > ! > > aggregate[wan0_in]: dst_host, src_port, dst_port, proto > > aggregate[wan0_out]: src_host, src_port, dst_port, proto > > > > Where pretag2.map: > > set_tag=1 filter='src net 192.168.28.0/24 or src net 192.168.100.0/24' > > set_tag=2 filter='dst net 192.168.28.0/24 or dst net 192.168.100.0/24' > > > > The issue I have with the above config is that no traffic is being > > collected at all. I confirm that when removing the pre_tag filters, > traffic > > is collected, though it is not sorted per direction as I would like to > > have. > > Can I use pre_tag_map and pre_tag_filter with uacctd? I don't see any > > examples for uacctd at > > https://github.com/pmacct/pmacct/blob/master/examples/pretag.map.example > . > > > > Thanx, > > Alex > > > > On Thu, Feb 20, 2020 at 6:33 PM Alex K <rightkickt...@gmail.com> wrote: > > > > > Hi all, > > > > > > I have a router with multiple interfaces and will need to account > traffic > > > at its several WAN interfaces. My purpose is toaccount the traffic > with the > > > tuple details and the direction. > > > > > > As a test I have compiled the following simple configuration for > pmacctd: > > > > > > ! > > > daemonize: true > > > plugins: print[wan0_in], print[wan0_out] > > > print_refresh_time: 10 > > > print_history: 15m > > > ! > > > print_output[wan0_in]: csv > > > print_output_file[wan0_in]: in_traffic.csv > > > print_output[wan0_out]: csv > > > print_output_file[wan0_out]: out_traffic.csv > > > ! > > > aggregate[wan0_in]: src_host, dst_host, src_port, dst_port, tag > > > aggregate[wan0_out]: src_host, dst_host, src_port, dst_port, tag > > > ! > > > pre_tag_filter[wan0_in]:1 > > > pre_tag_filter[wan0_out]:2 > > > ! > > > pcap_interface: eth0 > > > pre_tag_map: pretag.map > > > networks_file: networks.lst > > > ports_file: ports.lst > > > ! > > > > > > where pretag.map is: > > > set_tag=1 filter='ether dst 52:54:00:69:a6:0b' > > > set_tag=2 filter='ether src 52:54:00:69:a6:0b' > > > > > > and networks.lst is: > > > 10.100.100.0/24 > > > > > > It seems that the details output at the CSV are correctly filtered > > > according to the tag, thus recording the direction also, based on the > MAC > > > address of the WAN0 interface. > > > > > > Is this the correct approach to achieve this or is there any other > > > recommended way? Do I need to use aggregate_filters? > > > > > > Also, although I have set a network filter to capture only > 10.100.100.0/24, > > > I observe several networks in/out being collected, indicating that the > > > network_file directive is ignored or I have misunderstood its purpose. > My > > > purpose it to collect traffic only generated from subnets that belong > to > > > configured interfaces of the router. > > > > > > Thanx for your feedback! > > > Alex > > > > > > > > > > > > _______________________________________________ > > pmacct-discussion mailing list > > http://www.pmacct.net/#mailinglists > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists >
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
