Hello, following and older thread: On 10.02.2017 14:54, Luca Deri wrote: > Hi Jesse > please see below > > On 02/10/2017 02:08 PM, Jesse Alexander wrote: >> First issue: >> We are using cento to send netflow to multiple collectors for analysis. The >> nbox server has 4 pairs of TAP interfaces (8 NICs). We are sending as >> version 5 netflow, which has a field for the interface. >> >> Bytes 12-13, and 14-15 in the flow record >> 12-13 | input | SNMP index of input interface >> 14-15 | output | SNMP index of output interface >> All of the flow packets are coming through with either "1" or "2" for those >> values, which is causing problems with our Kentik service and an internal >> collector. >> >> It appears this has been brought up before, but there isn't a solution >> mentioned. >> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/ >> >> How do we get cento to correctly report the interface ID? > > In the current cento (devel) you can do > --iface-id <in>:<out> | Set input/output interfaceId > in exported flows > where > - interface indexes and (router) MAC/IP addresses > Flag --iface-id is used to specify the SNMP interface identifiers > for emitted flows. > However using --if-networks it is possible to specify an interface > identifier to which > a MAC address or IP network is bound. The syntax of --if-networks is: > <MAC|IP/mask>@<interfaceId> where multiple entries can be separated > by a comma (,). > Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or > --if-networks @<filename> where <filename> is a file path containing > the networks > specified using the above format. > It doesn't work for me. I have the same issue as Jesse - all flows from cento are exported with if interface 1, out interface 2.
I mirror traffic from router to the following two interfaces on cento box:
3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
state UP mode DEFAULT qlen 1000
link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
state UP mode DEFAULT qlen 1000
link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
I tried to set the interface indexes to 5 and 6 using:
--if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
However, I still see only 1 for incomming and 2 for outgoing index in
flow data:
Flow Record:
Flags = 0x00 FLOW, Unsampled
<snip>
input = 1
output = 2
Running cento --version
v.1.3.171116
Any idea what I am doing wrong?
Thanks,
Matej
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Ntop mailing list Ntop@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop
