Hi Dennis,

Perhaps traffic is VLAN tagged or contains MPLS labels? This can be a possible explanation for filters not working correctly. You can check the tcpdump man page for detailed information about pcap-style filters but as guidance for traffic with a single VLAN tag, ie.:

aggregate_filter[out]: vlan and ( src net <own IP chunk A> .. or src net <own IP chunk Z> )
aggregate_filter[in]: vlan and ( dst net <own IP chunk A> .. or dst net <own IP chunk Z> )

Let me know whether it works.

Cheers,
Paolo

On Wed, Aug 31, 2011 at 12:04:42PM +0200, Dennis Koster wrote:
> > Perhaps you also want to distinguish between internal and external
> > traffic? You can then do a bit of pre-tagging for that, so a tag of
> > 1 means traffic is internal whereas a tag of 0 means it's external,
> > ie.:
> >
> > sfacctd.conf:
> > ..
> > plugins: mysql[out], mysql[in]
> > aggregate[out]: tag, src_host
> > aggregate[in]: tag, dst_host
> > aggregate_filter[out]: src net <own IP chunk A> .. or src net <own IP chunk Z>
> > aggregate_filter[in]: dst net <own IP chunk A> .. or dst net <own IP chunk Z>
> > pre_tag_map: /path/to/pretag.map
> > ..
> >
> > pretag.map:
> > id=1 filter=( src net <own IP chunk A> .. or src net <own IP chunk Z> ) and ( dst net <own IP chunk A> .. or dst net <own IP chunk Z> )
>
> I've tried your config, but I'm getting weird results.
> When I place the aggregate_filter, I don't receive sflow updates.
> They seem to be filtered out.
>
> I've tweaked it a bit to a working condition, but this setup
> isn't far from the original one plugin setup.
>
> debug: false
> daemonize: true
> interface: eth0
> sfacctd_ip: 62.148.189.229
> sfacctd_port: 6343
> plugin_buffer_size: 2048
> plugin_pipe_size: 2048000
> imt_buckets: 65537
> imt_mem_pools_size: 65536
> sfacctd_allow_file: /etc/pmacct/sflow_allow.map
> networks_file: /etc/pmacct/sflow_networks.map
> pre_tag_map: /etc/pmacct/sfacctd_pretag.map
> sfacctd_renormalize: true
> sfacctd_disable_checks: true
> syslog: local2
>
> sql_table: acct_v7
> sql_table_version: 7
> sql_host: localhost
> sql_user: pmacct
> sql_passwd: **********
> sql_optimize_clauses: true
> sql_history: 1M
> sql_history_roundoff: m
> sql_multi_values: 512000
> sql_locking_style: table
> sql_db: pmacct
>
> !sql_dont_try_update: false
> !sql_cache_entries: 2000000
> !sql_refresh_time: 60
>
> aggregate[in]: tag, src_host, dst_host
> aggregate[out]: tag, dst_host, src_host
> plugins: mysql[out], mysql[in]
>
> # cat sflow_networks.map
> ! local networks
> 25542,62.148.160.0/19
> 25542,81.93.48.0/20
> 25542,94.126.64.0/21
> 25542,2001:16e8::/32
> 50208,109.71.0.0/21
> #
>
> # cat sfacctd_pretag.map
> id=1 ip=router1
> id=2 ip=router2
>
> This setup provides the following information:
> agent_id, which provides the used router.
> ip_src, which provides local network IPs, or :: / 0.0.0.0 for external
> ip_dst, see ip_src :)
> packets
> bytes
> and dates.
>
> Disabling the sflow_networks.map provides the real ip_src/ip_dst.
> But trying to filter this with pre_tag gives me more headache.
> I tried a filter:
> id=1 ip=router1 filter='( src net 62.148.160.0/19 or src net 81.93.48.0/20 ) and ( dst net 62.148.160.0/19 or dst net 81.93.48.0/20 )'
>
> But traffic from 62.148.160.0/19 to 81.93.48.0/20 isn't tagged with 1, it's
> getting tagged with 0.
> So I'm getting confused.
>
> --
> Kind regards,
>
>
> Dennis Koster
>
> "I take no responsibility if it formats your server, defrosts your fridge, or
> touches your cat inappropriately."
>
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
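
An added illustration, not part of the thread and not pmacct or libpcap code: a simplified emulation of why a pcap-style `src net` expression stops matching once a frame carries a single 802.1Q tag, and why prefixing the expression with `vlan` restores the match. The frames are constructed samples; the host addresses inside the thread's two prefixes and VLAN ID 100 are assumptions.

```python
import ipaddress
import struct

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100  # 802.1Q tag protocol identifier


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample: Ethernet + minimal IPv4 header, optionally 802.1Q tagged."""
    macs = bytes(12)  # dst MAC + src MAC, all zeros (constructed)
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_VLAN, vlan_id & 0x0FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip_hdr


def src_net_match(frame, nets, l2_shift=0):
    """Emulate 'src net ...': EtherType must be IPv4 at offset 12 (+shift),
    then the IPv4 source address is read at a fixed offset behind it."""
    (ethertype,) = struct.unpack_from("!H", frame, 12 + l2_shift)
    if ethertype != ETH_IPV4:
        return False  # on a tagged frame offset 12 holds 0x8100, so this fails
    start = 14 + l2_shift + 12  # source address sits 12 bytes into the IPv4 header
    src = ipaddress.IPv4Address(frame[start:start + 4])
    return any(src in ipaddress.ip_network(n) for n in nets)


def vlan_and_src_net_match(frame, nets):
    """Emulate 'vlan and ( src net ... )': require the 802.1Q tag, then
    evaluate the rest of the expression with offsets shifted by 4 bytes."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    return tpid == ETH_VLAN and src_net_match(frame, nets, l2_shift=4)


OWN_NETS = ["62.148.160.0/19", "81.93.48.0/20"]  # prefixes quoted in the thread
untagged = build_frame("62.148.161.10", "81.93.49.20")
tagged = build_frame("62.148.161.10", "81.93.49.20", vlan_id=100)

if __name__ == "__main__":
    for name, frame in (("untagged", untagged), ("tagged", tagged)):
        print(f"{name:9} src net: {src_net_match(frame, OWN_NETS)!s:5} "
              f"vlan and src net: {vlan_and_src_net_match(frame, OWN_NETS)}")
```

The `vlan`-prefixed form is false for untagged frames, so a deployment that sees both tagged and untagged traffic needs both variants joined with `or`.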