Hi Paolo

On a suggestion you made to another subscriber;

I've check-pointed everything works with a print plugin and am able to
see the numbers from NetFlow (Traffic-Flow) in my case when executing
"nfacctd -f nfacctd.conf"

Yet when I configure and run with mysql plugin I get no data...

Not sure if this is relevant but I installed pmgraph as a Debian
package, i.e. not manually, and was not asked any security questions re
mysql; but have worked out that the username it's using is pmacct and
password is "secret"

Created a file called nfacctd.conf
placed it in the same directory as pmacct.conf
edited as follows:
!
daemonize: true
plugins: mysql
aggregate: sum_host
nfacctd_port: 5678
sql_refresh_time: 10
sql_history: 10m
sql_history_roundoff: mh
sql_table_version: 4
! ..

executed with nfacctd -f nfacctd.conf
enabled Netflow (Traffic-Flow on my router) and told it to send
traffic to IP address of listening NIC on port 5678

Yet pmgraph is not graphing anything

Thanks again.



On Wed, Feb 1, 2012 at 8:01 PM,  <pmacct-discussion-requ...@pmacct.net> wrote:
> Send pmacct-discussion mailing list submissions to
>        pmacct-discussion@pmacct.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://www.pmacct.net/mailman/listinfo/pmacct-discussion
> or, via email, send a message with subject or body 'help' to
>        pmacct-discussion-requ...@pmacct.net
>
> You can reach the person managing the list at
>        pmacct-discussion-ow...@pmacct.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of pmacct-discussion digest..."
>
> Today's Topics:
>
>   1. Re: Is layer2 netflow supported? (Paolo Lucente)
>   2. Re: pmacct-discussion Digest, Vol 82, Issue 3 (johan lotter)
>
>
> ---------- Forwarded message ----------
> From: Paolo Lucente <pa...@pmacct.net>
> To: Kerk Chun Sing <chunsing.k...@sgix.sg>
> Cc: pmacct-discussion@pmacct.net
> Date: Sun, 29 Jan 2012 18:36:48 +0000
> Subject: Re: [pmacct-discussion] Is layer2 netflow supported?
> Hi Chun Sing,
>
> On Sun, Jan 29, 2012 at 06:49:08PM +0800, Kerk Chun Sing wrote:
>
>> What worries me is that I got couple of these lines, before seeing the
>> tables (with some numerical numbers). It kept repeating, is this normal?
>>
>> ======
>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown
>> template 262 [::ffff:10.1.10.20:256])
>> ======
>
> This is OK. You should however see that only for a limited amount of time
> after having started nfacctd: NetFlow v9 is a template-based protocol.
> Routers send templates to decode the actual data packets regularly; but
> until the first template comes in the collector doesn't know how to parse
> the packets. Hence the message you see above. So no worries.
>
>> Probably I will need to use customised mysql schemas instead of the
>> templates in /sql directory right?
>
> My advice is to check-point everything works for you (ie. you are able
> 'to see the numbers' from NetFlow ) with a plugin like memory or print.
> Once that is cleared out, move to the MySQL plugin (since that looks of
> interest to you). MAC addresses are supported from the very beginning,
> so you can use any of the default schemas; once you feel comfortable,
> sure, customize the schema for a better efficiency.
>
> Cheers,
> Paolo
>
>> Paolo Lucente wrote:
>>> Hi Chun Sing,
>>>
>>> It's valid that there are fields which are left numerical in the debug;
>>> i guess you ask because your L2 traffic is not being accounted (properly)
>>> by pmacct, right? If this is the case can you please say whether you see
>>> spurious data or nothing being accounted at all?
>>>
>>> Bottom line is L2 NetFlow is supported. If something is not working in
>>> a correct way, i'd be more than glad to assist you troubleshooting the
>>> issue. A good way to start could be sending me privately a trace of the
>>> full payload of your NetFlow datagrams (ie. using tcpdump -s 1500) so
>>> that i can have a look and, if required, replay in lab.
>>>
>>> Let me know.
>>>
>>> Cheers,
>>> Paolo
>>>
>>> On Sun, Jan 29, 2012 at 12:00:45PM +0800, Kerk Chun Sing wrote:
>>>> Hi all,
>>>>
>>>> I'm new to pmacct, hope someone can shed some light on the symptom that
>>>> I'm seeing.
>>>>
>>>> I'm exporting L2 netflow with the following template, however from the
>>>> nfacctd debug log, some of entries are interpreted as "58" and "256".
>>>> Is there something that I will need to tweak?
>>>>
>>>> /chunsing
>>>>
>>>> ===================
>>>> hostname# show flow record netflow layer2-switched input
>>>> Flow record netflow layer2-switched input:
>>>>      Description: layer2-switched input NetFlow
>>>>      No. of users: 1
>>>>      Template ID: 262
>>>>      Fields:
>>>>          match interface input
>>>>          match interface output
>>>>          match datalink mac source-address
>>>>          match datalink mac destination-address
>>>>          match datalink source-vlan-id
>>>>          match datalink ethertype
>>>>          match flow direction
>>>>          collect counter bytes
>>>>          collect counter packets
>>>>          collect timestamp sys-uptime first
>>>>          collect timestamp sys-uptime last
>>>> ====================
>>>>
>>>> INFO ( default/core ): waiting for NetFlow data on :::9995
>>>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown
>>>> template 262 [::ffff:10.1.10.20:256])
>>>> DEBUG ( default/core ): NfV9 agent         : ::ffff:<my_ip_addr>:256
>>>> DEBUG ( default/core ): NfV9 template type : flow
>>>> DEBUG ( default/core ): NfV9 template ID   : 260
>>>> DEBUG ( default/core ): ----------------------------------------
>>>> DEBUG ( default/core ): |     field type     | offset |  size  |
>>>> DEBUG ( default/core ): | input snmp      |      0 |      4 |
>>>> DEBUG ( default/core ): | output snmp    |      4 |      4 |
>>>> DEBUG ( default/core ): | direction          |      8 |      1 |
>>>> DEBUG ( default/core ): | 256                  |      9 |      2 |
>>>> DEBUG ( default/core ): | in bytes           |     11 |      4 |
>>>> DEBUG ( default/core ): ----------------------------------------
>>>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 15
>>>> DEBUG ( default/core ):
>>>> DEBUG ( default/core ): NfV9 agent         : ::ffff:<my_ip_addr>  :256
>>>> DEBUG ( default/core ): NfV9 template type : flow
>>>> DEBUG ( default/core ): NfV9 template ID   : 262
>>>> DEBUG ( default/core ): ----------------------------------------
>>>> DEBUG ( default/core ): |     field type     | offset |  size  |
>>>> DEBUG ( default/core ): | input snmp      |      0 |      4 |
>>>> DEBUG ( default/core ): | output snmp    |      4 |      4 |
>>>> DEBUG ( default/core ): | in src mac       |      8 |      6 |
>>>> DEBUG ( default/core ): | out dst mac     |     14 |      6 |
>>>> DEBUG ( default/core ): | 58                    |     20 |      2 |
>>>> DEBUG ( default/core ): | direction          |     22 |      1 |
>>>> DEBUG ( default/core ): |256                 |     23 |      2 |
>>>> DEBUG ( default/core ): | in bytes           |     25 |      4 |
>>>> DEBUG ( default/core ): | in packets       |     29 |      4 |
>>>> DEBUG ( default/core ): | last switched   |     37 |      4 |
>>>> DEBUG ( default/core ): ----------------------------------------
>>>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 41
>>>> DEBUG ( default/core ):
>>>>
>>>
>>>> _______________________________________________
>>>> pmacct-discussion mailing list
>>>> http://www.pmacct.net/#mailinglists
>>>
>
>
>
>
> ---------- Forwarded message ----------
> From: johan lotter <jlct...@gmail.com>
> To: pmacct-discussion@pmacct.net
> Cc:
> Date: Wed, 1 Feb 2012 20:01:28 +0200
> Subject: Re: [pmacct-discussion] pmacct-discussion Digest, Vol 82, Issue 3
> Thanks Paolo
>
> I've created a file called nfacct.conf
> placed it in the same directory as pmacct.conf
> edited as follows:
>
> !
> daemonize: true
> plugins: mysql
> aggregate: sum_host
> nfacctd_port: 5678
> sql_refresh_time: 10
> sql_history: 10m
> sql_history_roundoff: mh
> sql_table_version: 4
> ! ..
>
> executed with nfacctd -f nfacctd.conf
> enabled Netflow (Traffic-Flow on my router) and told it to send
> traffic to IP address of listening NIC on port 5678
>
> Yet I'm not receiving any data
>
> Any help re this would be very very much appreciated as quite new to
> Linux and scripting etc.
>
> Thanks
>
>
>
>
> On Sun, Jan 29, 2012 at 12:49 PM,  <pmacct-discussion-requ...@pmacct.net> 
> wrote:
>> Today's Topics:
>>
>>   1. Re: NetFlow (Paolo Lucente)
>>   2. Re: IPv4 vs IPv6 accounting (Michal Ludvig)
>>   3. Re: IPv4 vs IPv6 accounting (Michal Ludvig)
>>   4. Re: IPv4 vs IPv6 accounting (Paolo Lucente)
>>   5. Re: sql_history and sql_refresh_time (Paolo Lucente)
>>   6. Is layer2 netflow supported? (Kerk Chun Sing)
>>   7. Re: Is layer2 netflow supported? (Paolo Lucente)
>>   8. Re: Is layer2 netflow supported? (Kerk Chun Sing)
>>
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <pa...@pmacct.net>
>> To: pmacct-discussion@pmacct.net
>> Cc:
>> Date: Fri, 27 Jan 2012 00:08:21 +0000
>> Subject: Re: [pmacct-discussion] NetFlow
>> Hi Johan,
>>
>> Stick more to the example in section V of that same document, the one
>> revolving around nfacctd (your case) and sfacctd. Two issues i can see
>> are: 1) you should use nfacctd daemon (NetFlow collector) rather than
>> pmacctd (which is the daemon to read data via libpcap library, ie. off
>> a mirror port) and 2) you should use memory, print or one of the SQL
>> plugins rather than nfprobe (which is aimed at letting pmacct export
>> NetFlow data to remote collectors). Hope this helps.
>>
>> Cheers,
>> Paolo
>>
>> On Thu, Jan 26, 2012 at 11:19:11AM +0200, johan lotter wrote:
>>> Hi
>>>
>>> Am trying to get my Mikrotik Router Board to send traffic to pmacct
>>> using Traffic-Flow which is compatible with NetFLow.
>>>
>>> Have configured my Router accordingly.
>>>
>>> And configured
>>>
>>> /etc/pmacct/pmacctd.conf
>>>
>>> using the below guide
>>>
>>> http://wiki.pmacct.net/OfficialExamples
>>>
>>> So it looks as follows:
>>>
>>>
>>> !
>>> daemonize: true
>>> interface: eth1
>>> aggregate: src_host, dst_host, src_port, dst_port, proto, tos
>>> plugins: nfprobe
>>> nfprobe_receiver: 192.168.88.150:2100
>>> nfprobe_version: 5
>>> ! nfprobe_engine: 1:1
>>> ! nfprobe_timeouts: tcp=120:maxlife=3600
>>> !
>>> ! networks_file: /path/to/networks.lst
>>> ! classifiers: /path/to/classifiers/
>>> ! snaplen: 700
>>> !...
>>>
>>> What do I need to change?
>>>
>>> Thanks
>>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Michal Ludvig <mlud...@logix.net.nz>
>> To: Paolo Lucente <pa...@pmacct.net>, pmacct-discussion@pmacct.net
>> Cc:
>> Date: Fri, 27 Jan 2012 13:36:35 +1300
>> Subject: Re: [pmacct-discussion] IPv4 vs IPv6 accounting
>> Hi Paolo,
>>
>> On 01/27/2012 12:58 PM, Paolo Lucente wrote:
>>>
>>> plugins: v4, v6
>>> aggregate_filter[v4]: ip
>>> aggregate_filter[v6]: ip6
>>> aggregate[v4]: none
>>> aggregate[v6]: none
>>
>>
>> thanks for that. So my config now looks like this:
>>
>> ! debug: true
>> daemonize: true
>> interface: vlan120, vlan121, vlan128
>> plugins: v4, v6
>> aggregate_filter[v4]: ip
>> aggregate_filter[v6]: ip6
>> aggregate[v4]: none
>> aggregate[v6]: none
>>
>> But fails upon startup:
>>
>> ~ # pmacctd -f pmacct-v4v6.conf
>> ERROR ( pmacct-v4v6.conf ): Unknown plugin type: v4. Ignoring.
>> ERROR ( pmacct-v4v6.conf ): Unknown plugin type: v6. Ignoring.
>> WARN ( pmacct-v4v6.conf ): No plugin has been activated; defaulting to 
>> in-memory table.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v4'. Line 5 ignored.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v6'. Line 6 ignored.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v4'. Line 7 ignored.
>> WARN ( pmacct-v4v6.conf ): Unknown symbol 'v6'. Line 8 ignored.
>>
>> Sorry I'm a pmacct newbie and may need a bit of a hand-holding :)
>>
>> Thanks
>>
>> Mike
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Michal Ludvig <mlud...@logix.net.nz>
>> To: pmacct-discussion@pmacct.net
>> Cc:
>> Date: Fri, 27 Jan 2012 13:45:49 +1300
>> Subject: Re: [pmacct-discussion] IPv4 vs IPv6 accounting
>> On 01/27/2012 01:36 PM, Michal Ludvig wrote:
>>>
>>> Hi Paolo,
>>>
>>> On 01/27/2012 12:58 PM, Paolo Lucente wrote:
>>>>
>>>> plugins: v4, v6
>>>> aggregate_filter[v4]: ip
>>>> aggregate_filter[v6]: ip6
>>>> aggregate[v4]: none
>>>> aggregate[v6]: none
>>>
>>>
>>> thanks for that.
>>
>>
>> Ah, got it working now:
>>
>> ! debug: true
>> daemonize: false
>> interface: vlan120
>> plugins: memory[v4], memory[v6]
>> aggregate_filter[v4]: ip
>> aggregate_filter[v6]: ip6
>> aggregate[v4]: none
>> aggregate[v6]: none
>> imt_path[v4]: /tmp/pmacct-v4.pipe
>> imt_path[v6]: /tmp/pmacct-v6.pipe
>>
>> One last thing .. can I somehow put more interfaces in there and have the 
>> v4/v6 stats per interface?
>>
>> Thanks
>>
>> Mike
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <pa...@pmacct.net>
>> To: pmacct-discussion@pmacct.net
>> Cc:
>> Date: Fri, 27 Jan 2012 03:15:30 +0000
>> Subject: Re: [pmacct-discussion] IPv4 vs IPv6 accounting
>> Hi Mike,
>>
>> Great you got it working.
>>
>> On Fri, Jan 27, 2012 at 01:45:49PM +1300, Michal Ludvig wrote:
>>
>>> One last thing .. can I somehow put more interfaces in there and have
>>> the v4/v6 stats per interface?
>>
>> Sorry for not having picked your question up in my previous email:
>> no, you must have a pmacctd process running per interface.
>>
>> Cheers,
>> Paolo
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <pa...@pmacct.net>
>> To: pmacct-discussion@pmacct.net
>> Cc:
>> Date: Fri, 27 Jan 2012 07:18:07 +0000
>> Subject: Re: [pmacct-discussion] sql_history and sql_refresh_time
>> Hi Yossi,
>>
>> On Thu, Jan 26, 2012 at 05:17:20AM -0800, Yossi Ozani wrote:
>>
>>>    - sql_history - "store" information as long as N time units . N is the
>>>    time slot(1m or 1h or ....)
>>
>> sql_history chops traffic aggregates into time-bins. If primitives that are
>> selected via the 'aggregate' directive define a spatial aggregation, then
>> sql_history defines a further dimension - temporal aggregation.
>>
>>>    - sql_refresh_time - define a timer which trigger a procedure which, in
>>>    generally, copy the data stored in sql_history to my plugin(e.g. MySQL)
>>
>> Data gathered from the network is aggregated and cached in memory. The value
>> of sql_refresh_time defines the time data is cached in memory before being
>> written to the backend (ie. a MySQL database). While the two directives are
>> independent, and unless some corner scenario is to be covered, recommendation
>> is to let them coincide to optimize performances, ie. avoid issuing UPDATE
>> SQL queries.
>>
>> Cheers,
>> Paolo
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Kerk Chun Sing <chunsing.k...@sgix.sg>
>> To: pmacct-discussion@pmacct.net
>> Cc:
>> Date: Sun, 29 Jan 2012 12:00:45 +0800
>> Subject: [pmacct-discussion] Is layer2 netflow supported?
>> Hi all,
>>
>> I'm new to pmacct, hope someone can shed some light on the symptom that I'm 
>> seeing.
>>
>> I'm exporting L2 netflow with the following template, however from the 
>> nfacctd debug log, some of entries are interpreted as "58" and "256".
>> Is there something that I will need to tweak?
>>
>> /chunsing
>>
>> ===================
>> hostname# show flow record netflow layer2-switched input
>> Flow record netflow layer2-switched input:
>>     Description: layer2-switched input NetFlow
>>     No. of users: 1
>>     Template ID: 262
>>     Fields:
>>         match interface input
>>         match interface output
>>         match datalink mac source-address
>>         match datalink mac destination-address
>>         match datalink source-vlan-id
>>         match datalink ethertype
>>         match flow direction
>>         collect counter bytes
>>         collect counter packets
>>         collect timestamp sys-uptime first
>>         collect timestamp sys-uptime last
>> ====================
>>
>> INFO ( default/core ): waiting for NetFlow data on :::9995
>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown 
>> template 262 [::ffff:10.1.10.20:256])
>> DEBUG ( default/core ): NfV9 agent         : ::ffff:<my_ip_addr>:256
>> DEBUG ( default/core ): NfV9 template type : flow
>> DEBUG ( default/core ): NfV9 template ID   : 260
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): |     field type     | offset |  size  |
>> DEBUG ( default/core ): | input snmp      |      0 |      4 |
>> DEBUG ( default/core ): | output snmp    |      4 |      4 |
>> DEBUG ( default/core ): | direction          |      8 |      1 |
>> DEBUG ( default/core ): | 256                  |      9 |      2 |
>> DEBUG ( default/core ): | in bytes           |     11 |      4 |
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 15
>> DEBUG ( default/core ):
>> DEBUG ( default/core ): NfV9 agent         : ::ffff:<my_ip_addr> :256
>> DEBUG ( default/core ): NfV9 template type : flow
>> DEBUG ( default/core ): NfV9 template ID   : 262
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): |     field type     | offset |  size  |
>> DEBUG ( default/core ): | input snmp      |      0 |      4 |
>> DEBUG ( default/core ): | output snmp    |      4 |      4 |
>> DEBUG ( default/core ): | in src mac       |      8 |      6 |
>> DEBUG ( default/core ): | out dst mac     |     14 |      6 |
>> DEBUG ( default/core ): | 58                    |     20 |      2 |
>> DEBUG ( default/core ): | direction          |     22 |      1 |
>> DEBUG ( default/core ): | 256                 |     23 |      2 |
>> DEBUG ( default/core ): | in bytes           |     25 |      4 |
>> DEBUG ( default/core ): | in packets       |     29 |      4 |
>> DEBUG ( default/core ): | last switched   |     37 |      4 |
>> DEBUG ( default/core ): ----------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 41
>> DEBUG ( default/core ):
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Paolo Lucente <pa...@pmacct.net>
>> To: pmacct-discussion@pmacct.net
>> Cc:
>> Date: Sun, 29 Jan 2012 07:40:19 +0000
>> Subject: Re: [pmacct-discussion] Is layer2 netflow supported?
>> Hi Chun Sing,
>>
>> It's valid that there are fields which are left numerical in the debug;
>> i guess you ask because your L2 traffic is not being accounted (properly)
>> by pmacct, right? If this is the case can you please say whether you see
>> spurious data or nothing being accounted at all?
>>
>> Bottom line is L2 NetFlow is supported. If something is not working in
>> a correct way, i'd be more than glad to assist you troubleshooting the
>> issue. A good way to start could be sending me privately a trace of the
>> full payload of your NetFlow datagrams (ie. using tcpdump -s 1500) so
>> that i can have a look and, if required, replay in lab.
>>
>> Let me know.
>>
>> Cheers,
>> Paolo
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Kerk Chun Sing <chunsing.k...@sgix.sg>
>> To: Paolo Lucente <pa...@pmacct.net>, pmacct-discussion@pmacct.net
>> Cc:
>> Date: Sun, 29 Jan 2012 18:49:08 +0800
>> Subject: Re: [pmacct-discussion] Is layer2 netflow supported?
>> Hi Paolo,
>>
>> Thanks for the reply.
>>
>> What worries me is that I got couple of these lines, before seeing the 
>> tables (with some numerical numbers). It kept repeating, is this normal?
>>
>> ======
>> DEBUG ( default/core ): Discarded NetFlow v9/IPFIX packet (R: unknown 
>> template 262 [::ffff:10.1.10.20:256])
>> ======
>>
>> Probably I will need to use customised mysql schemas instead of the 
>> templates in /sql directory right?
>>
>> /chunsing
>>
>
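
Added example, not part of the original thread and not pmacct's own code: a minimal NetFlow v9 collector in Python showing the behaviour described in the quoted replies above, where a data flowset for template 262 is discarded until the template has been received, and field types the collector has no name for (58, 256) are shown as numbers. The packets are constructed; source id 256 and the field at offset 33 (missing from the debug table, taken to be first switched) are assumptions.

```python
import struct

# Names this toy collector knows; other field types print as their number,
# which is how 58 (source VLAN) and 256 (ethertype) appear in a debug table.
KNOWN = {1: "in bytes", 2: "in packets", 10: "input snmp", 14: "output snmp",
         21: "last switched", 22: "first switched", 56: "in src mac",
         57: "out dst mac", 61: "direction"}
# Template 262 as (field type, size), rebuilt from the debug table in the
# thread. Assumption: the row missing at offset 33 is first switched (22).
TEMPLATE_262 = [(10, 4), (14, 4), (56, 6), (57, 6), (58, 2), (61, 1),
                (256, 2), (1, 4), (2, 4), (22, 4), (21, 4)]

class Collector:
    def __init__(self):
        self.templates = {}  # (agent, source id, template id) -> field list
        self.discarded = []  # template ids of data flowsets that were dropped

    def feed(self, agent, packet):
        if len(packet) < 20 or packet[:2] != b"\x00\x09":
            raise ValueError("not a NetFlow v9 datagram")
        source_id = struct.unpack_from("!I", packet, 16)[0]
        records, pos = [], 20
        while pos + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, pos)
            if fs_len < 4 or pos + fs_len > len(packet):
                raise ValueError("bad flowset length")
            body = packet[pos + 4:pos + fs_len]
            if fs_id == 0:  # template flowset
                self._learn(agent, source_id, body)
            elif fs_id >= 256:  # data flowset; its id names the template
                fields = self.templates.get((agent, source_id, fs_id))
                if fields is None:
                    self.discarded.append(fs_id)  # "unknown template"
                else:
                    records += self._decode(fields, body)
            pos += fs_len
        return records

    def _learn(self, agent, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, count = struct.unpack_from("!HH", body, pos)
            end = pos + 4 + 4 * count
            if tid < 256 or end > len(body):
                break  # padding or a truncated template
            fields = list(struct.iter_unpack("!HH", body[pos + 4:end]))
            self.templates[(agent, source_id, tid)] = fields
            pos = end

    @staticmethod
    def _decode(fields, body):
        size = sum(length for _, length in fields)
        if size == 0:
            return []
        out = []
        for start in range(0, len(body) - size + 1, size):
            rec, off = {}, start
            for ftype, length in fields:
                raw = body[off:off + length]
                name = KNOWN.get(ftype, str(ftype))
                rec[name] = raw.hex(":") if length == 6 else int.from_bytes(raw, "big")
                off += length
            out.append(rec)
        return out

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body

def data_flowset(tid, record):
    pad = -(4 + len(record)) % 4  # flowsets are padded to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(record) + pad) + record + b"\0" * pad

def demo():
    # Constructed 41-byte record for template 262 (VLAN 100, ethertype 0x0800).
    record = (struct.pack("!II", 3, 7) + bytes.fromhex("00112233445566778899aabb")
              + struct.pack("!HBHIIII", 100, 0, 0x0800, 1500, 3, 10, 20))
    header = struct.pack("!HHIIII", 9, 1, 1000, 1327800000, 1, 256)
    c, agent = Collector(), "10.1.10.20"
    before = c.feed(agent, header + data_flowset(262, record))  # no template yet
    c.feed(agent, header + template_flowset(262, TEMPLATE_262))
    after = c.feed(agent, header + data_flowset(262, record))  # same bytes, decoded
    return before, c.discarded, after
```

Templates are keyed per exporter and source id, so a data flowset from one agent is never decoded with a template learned from another.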
