Hi Paolo,

Thanks for the response!

I did find that the 'inbound' and 'outbound' are actually specific to certain link-layer types, as described on https://www.tcpdump.org/manpages/pcap-filter.7.html:

inbound - Packet was received by the host performing the capture rather than being sent by that host. This is only supported for certain link-layer types, such as SLIP and the ``cooked'' Linux capture mode used for the ``any'' device and for some other device types.

outbound - Packet was sent by the host performing the capture rather than being received by that host. This is only supported for certain link-layer types, such as SLIP and the ``cooked'' Linux capture mode used for the ``any'' device and for some other device types.

I'm not sure why tcpdump with that filter seems to work, while the libpcap docs seem to suggest differently.

The suggestion to filter on MAC address works, although I am struggling a little bit to capture multicast MAC addresses too.

Kind regards,
          Ruben
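As an added illustration (not code from this thread or from pmacct), the MAC-based approach with multicast handled: on an Ethernet link (link type 1) where 'inbound'/'outbound' are unavailable, frames sourced from the interface MAC are outbound, and frames addressed to that MAC, or to a multicast/broadcast address, that the host did not send are inbound. The script generates the equivalent pre_tag_map lines and applies the same rule to constructed frames; the MAC address and interface name are assumptions.

```python
"""Inbound/outbound classification by MAC for an Ethernet capture interface.

Mirrors the pcap-filter expressions one would put in a pmacctd pre_tag_map
when the link type does not support the 'inbound'/'outbound' primitives.
"""
from typing import Optional

HOST_MAC = "52:54:00:12:34:56"  # constructed; substitute the real enp1s0 address


def pre_tag_map_lines(iface: str, mac: str) -> list:
    """Return pre_tag_map entries using pcap-filter(7) primitives only.

    'ether multicast' also matches broadcast (the I/G bit is set there too),
    so multicast and broadcast received from other hosts count as inbound.
    """
    inbound = f"(ether dst {mac} or ether multicast) and not ether src {mac}"
    outbound = f"ether src {mac}"
    return [
        f"set_label={iface}_in filter='{inbound}'",
        f"set_label={iface}_out filter='{outbound}'",
    ]


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify(frame: bytes, host_mac: str) -> Optional[str]:
    """Apply the same rule to a raw Ethernet frame; None if neither applies
    (e.g. promiscuous-mode traffic between two other hosts)."""
    if len(frame) < 14:
        return None  # shorter than an Ethernet header
    dst, src = _mac_str(frame[0:6]), _mac_str(frame[6:12])
    host = host_mac.lower()
    multicast = bool(frame[0] & 0x01)  # I/G bit set: multicast or broadcast
    if src == host:
        return "outbound"
    if dst == host or multicast:
        return "inbound"
    return None


def make_frame(dst: str, src: str) -> bytes:
    """Build a constructed minimal IPv4-ethertype frame for testing."""
    hexmac = lambda m: bytes.fromhex(m.replace(":", ""))
    return hexmac(dst) + hexmac(src) + b"\x08\x00" + b"\x00" * 46


if __name__ == "__main__":
    for line in pre_tag_map_lines("enp1s0", HOST_MAC):
        print(line)
```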


On 2022-04-22 03:05, Paolo Lucente wrote:
Hi Ruben,

Indeed, very strange. And I could easily reproduce the issue on a
Linux VM. To be frank I was not even aware of the existence of such an
inbound vs outbound knob, very convenient indeed. I suspect this is
something new that good old bpf_filter() - which accepts filtering
instructions, packet pointer, total length and capture length only -
can't help with. I see, for example, in newer libpcap versions there
is a new function called bpf_filter_with_aux_data(); I may be wrong, I
didn't go super deep in the examination, but I would not be surprised
if one would need to implement that in order to make these inbound /
outbound knobs work.

Would you ask me how I would do it on an Ethernet link? Probably I
would resort to the known MAC address of your enp1s0 interface. What
is destined to it is inbound, what is originated by it is outbound.
Old school, probably needing some good thinking in order to deploy it
at scale but, probably working OK in a home environment.

Paolo



On 20/4/22 18:04, Ruben wrote:
Hi,

I'm trying to get pmacctd to perform traffic accounting on my home router, which is based on a Debian machine.

I'm running the following configuration:

debug: false
daemonize: true
pidfile: /var/run/pmacctd.pid
! syslog: daemon
logfile: /var/log/pmacctd.ppp0.log

plugin_pipe_size: 10240000
plugin_buffer_size: 10240
plugins: print[print]

pcap_interface: ppp0
pcap_interface_wait: true
pre_tag_map: /etc/pmacct/pre_tag.ppp0.map

networks_file: /etc/pmacct/networks.map
networks_no_mask_if_zero: false
pmacctd_net: file
! pmacctd_net[print]: file
pmacctd_as: file
! pmacctd_as[print]: file

aggregate[print]: etype, proto, src_as, dst_as, src_host, dst_host, label
print_output_file[print]: /etc/pmacct/print_dump.ppp0.json
print_output[print]: json
print_history[print]: 1m
print_history_roundoff[print]: m
print_refresh_time[print]: 60
print_trigger_exec[print]: /etc/pmacct/postit.ppp0.sh


Within my pre_tag.ppp0.map file I have:

set_label=ppp0_in filter='inbound'
set_label=ppp0_out filter='outbound'


This works correctly and my labels end up with ppp0_in and ppp0_out.

The issue I'm facing is that when I replace every ppp0 occurrence with enp1s0, the labels do /not/ get set.

The only difference I've seen between these configs seems to be the 'link type', which for ppp0 is 113 and for enp1s0 is 1.

Is there something I'm missing here?
Is there a better way to correctly identify inbound vs outbound traffic?

tcpdump -i enp1s0 inbound works the same as tcpdump -i enp1s0 -Q in


Kind regards,

            Ruben


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
