Hi Paolo, thank you very much for your prompt reply. My comments are also inline.
On 28 May 2014, at 17:39, Paolo Lucente <pa...@pmacct.net> wrote: > On Wed, May 28, 2014 at 07:47:45AM +0000, Thomas King wrote: > >> - From the documentation I reasoned that pmacct/nfacct is able to handle >> IPFIX sampling. I use IPFIX sampling with a sampling rate of 10000. From the >> results I see (pmacct or prng) the sampling rate is not recognised by >> pmacct/nfacct. I also tried to configure the sampling rate by using the >> configuration key nfacctd_ext_sampling_rate which did not resolve the issue. >> Is there a know issue with recognising the sampling rate from the IPFIX >> data? Or did I miss how to configure pmacct/nfacct correctly? > > * You are using a pre 1.5.0rc3 release. We are using the 1.5.0rc3 release. > * Sampling information is not sent over by the router. This, > in turn, can be because of a knob to enable on the router or > due to a bug. Sniffing the raw IPFIX data and analizing with > a tool like Wireshark can tell if it's the latter case. I'd > be more than happy to help/support you with such analysis if > we reckon all points in the direction of a bug. We double checked the IPFIX data coming from our router. The sampling rate is contained in the data. It comes via a data record (template id=256) and the relevant fields are named samplingPacketInterval and samplingPacketSpace. Do you know if pmacct is able to recognise this information? Is there is anything else (configuration file wise) what we can do? > >> - The aggregate configuration directive comes with various values. However, >> I could not find a way to aggregate IPv4 and IPv6 traffic. Did I miss this >> in the documentation? Or is it not supported by pmacct/nfacct? > > I believe i should be correct decoding "aggregate IPv4 and IPv6 > traffic" as: you want to collect traffic per source, destination > and/or source-destination MAC address and distinguish v4 vs v6 > traffic. If this is correct then you need the 'etype' primitive > on your aggregation method. A value of 0x800 means v4, a value > of 0x86dd means v6. If my understanding is not correct, please > elaborate more. We tried “aggregate: etype” but we then see just 0x0800 (IPv4) traffic. We do not see any 0x86dd (IPv6) traffic. I assume the reason is that the template (L2-IP) we use does not provide any ethernet type field as I just learned. From my understanding the field IP Version (IANA element ID=60) would be the one that should be inspected. Does pmacct support the IP Version field? > >> - I would like to generate rrd files for traffic going in and out of a MAC >> address. I also would like to generate rrd files for the communication >> between a MAC address and another MAC address (in and out). The >> configuration of pmacct/nfacct is actually quite easy. However, I had >> difficulties to generate the rrd files. I tried pnrg version 0.1 which is >> from 2006 and not updated ever since. It also has problems with creating rrd >> files and graphs based on MAC addresses. So I assume there should be a >> better solution than pnrg to generate rrd files. What is the default way of >> generating rrd files using pmacct/nfacct (I saw the section in the FAQ >> talking about rrd files, but this is nothing I can use as I would like to >> generate thousands rrd files :-))? > > Did you have difficulty injecting stats in RRD files or you had > difficulty finding a tool that does it for you, ie. PNRG? I would like to have a tool that takes all the data available from pmacct via a memory socket and writes it periodically to rrd files. At a first glance PNRG did this. However, if a rrd filename is like a mac address PNRG stops working. Additionally, PNRG is not supported anymore. So I am looking for a similar tool. Are you aware of any tool that does this? Thanks again for your feedback! Best regards, Thomas
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
