Matej,
can you please share the flow command line you are using?

Luca

> On 18 Nov 2017, at 21:21, Matěj Grégr <igr...@fit.vutbr.cz> wrote:
>
> Hello,
> following an older thread:
>
> On 10.02.2017 14:54, Luca Deri wrote:
>> Hi Jesse
>> please see below
>>
>> On 02/10/2017 02:08 PM, Jesse Alexander wrote:
>>> First issue:
>>> We are using cento to send netflow to multiple collectors for analysis. The
>>> nbox server has 4 pairs of TAP interfaces (8 NICs). We are sending as
>>> version 5 netflow, which has a field for the interface.
>>>
>>> Bytes 12-13, and 14-15 in the flow record
>>> 12-13 | input  | SNMP index of input interface
>>> 14-15 | output | SNMP index of output interface
>>> All of the flow packets are coming through with either "1" or "2" for those
>>> values, which is causing problems with our Kentik service and an internal
>>> collector.
>>>
>>> It appears this has been brought up before, but there isn't a solution
>>> mentioned.
>>> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/
>>>
>>> How do we get cento to correctly report the interface ID?
>>
>> In the current cento (devel) you can do
>>     --iface-id <in>:<out> | Set input/output interfaceId
>>     in exported flows
>> where
>> - interface indexes and (router) MAC/IP addresses
>>   Flag --iface-id is used to specify the SNMP interface identifiers
>>   for emitted flows.
>>   However using --if-networks it is possible to specify an interface
>>   identifier to which
>>   a MAC address or IP network is bound. The syntax of --if-networks is:
>>   <MAC|IP/mask>@<interfaceId> where multiple entries can be separated
>>   by a comma (,).
>>   Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
>>   --if-networks @<filename> where <filename> is a file path containing
>>   the networks
>>   specified using the above format.
>>
> It doesn't work for me. I have the same issue as Jesse - all flows from
> cento are exported with if interface 1, out interface 2.
>
> I mirror traffic from router to the following two interfaces on cento box:
>
> 3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
> state UP mode DEFAULT qlen 1000
>     link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
> 5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
> state UP mode DEFAULT qlen 1000
>     link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
>
> I tried to set the interface indexes to 5 and 6 using:
> --if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
>
> However, I still see only 1 for incoming and 2 for outgoing index in
> flow data:
>
> Flow Record:
>   Flags = 0x00 FLOW, Unsampled
>   <snip>
>   input = 1
>   output = 2
>
> Running cento --version
> v.1.3.171116
>
> Any idea what I am doing wrong?
>
> Thanks,
> Matej
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
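
Added example, not part of the original thread and not cento code: a Python check that reads the input/output SNMP index fields (bytes 12-13 and 14-15 of each NetFlow v5 record, as quoted above) from an exported datagram, so the values a collector receives can be compared with the configured ones. The sample datagram, its addresses and the expected index set {5, 6} are constructed for illustration.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 layout: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def interface_pairs(datagram):
    """Return (src, dst, input, output) for every record in a v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    pairs = []
    for n in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + n * V5_RECORD.size)
        # rec[3] and rec[4] are record bytes 12-13 (input) and 14-15 (output).
        pairs.append((socket.inet_ntoa(rec[0]), socket.inet_ntoa(rec[1]), rec[3], rec[4]))
    return pairs


def unexpected_ifindexes(datagram, expected):
    """Count (input, output) pairs that use an index outside `expected`."""
    return Counter((i, o) for _, _, i, o in interface_pairs(datagram)
                   if i not in expected or o not in expected)


def make_record(src, dst, if_in, if_out):
    # Constructed record: 10 packets, 840 bytes, TCP 1234 -> 80, other fields 0.
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), bytes(4),
                          if_in, if_out, 10, 840, 0, 0, 1234, 80, 0, 0, 6, 0, 0, 0, 0, 0, 0)


# Constructed sample datagram (documentation addresses), not a real capture.
SAMPLE = (V5_HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
          + make_record("192.0.2.10", "198.51.100.7", 1, 2)
          + make_record("192.0.2.11", "198.51.100.7", 5, 6))

if __name__ == "__main__":
    for row in interface_pairs(SAMPLE):
        print(row)
    print("unexpected:", dict(unexpected_ifindexes(SAMPLE, {5, 6})))
```

To use it on live data, pass each UDP payload received on the collector port to `interface_pairs`.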