Hi Lockywolf,

On Thu, 11 Nov 2010, Lockywolf __ wrote:
aggregate[in]: dst_host
aggregate[out]: src_host
aggregate_filter[in]: dst net 192.168.88.0/16
aggregate_filter[out]: src net 192.168.88.0/16
plugins: mysql[in], mysql[out]

Still, in MySQL I have (a lot of) lines like the following:

| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 109.107.91.158 | 0 | 0 | ip | 1 | 309 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |
| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 71.228.40.130 | 0 | 0 | ip | 1 | 305 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |
| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 94.24.134.127 | 0 | 0 | ip | 1 | 305 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |
| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 188.112.79.97 | 0 | 0 | ip | 1 | 305 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |

No MACs? I guess it's OK with netflow.
If you don't aggregate on src_mac and dst_mac, you won't get any MACs...
Btw, can anybody tell me why I have so many connections to 0.0.0.0?
That's what aggregate does. It zeroes all the fields that you don't aggregate on (including the other side's IP address in this case).
It's a router, has no brains.
It doesn't even exist, it's not a router.
But why does it log IPs which have neither src_ip nor dst_ip in 192.168.88.0/16?
That's a good question, I don't know. Might you have more than one nfacctd/pmacctd running? Or might you have changed the config without restarting it?
Cheers, Chris.
--
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
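
The zeroing described in the reply above, modelled as an added Python example (not pmacct code and not part of the thread): each plugin filters on one side of the flow, keeps only the field it aggregates on, and sums the counters. The flows and the function names `parse_net` and `aggregate` are constructed for illustration; `parse_net` also reports that the prefix as written in the config has host bits set, which strict prefix parsers reject.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (src, dst, packets, bytes); not data from the thread.
FLOWS = [
    ("203.0.113.7", "192.168.88.10", 1, 309),
    ("198.51.100.9", "192.168.88.10", 2, 610),
    ("192.168.88.10", "203.0.113.7", 1, 305),
    ("203.0.113.7", "198.51.100.9", 4, 400),  # neither side is local
]


def parse_net(text):
    """Return (network, host_bits_set) for a prefix such as 192.168.88.0/16."""
    net = ipaddress.ip_network(text, strict=False)
    host_bits_set = ipaddress.ip_interface(text).ip != net.network_address
    return net, host_bits_set


def aggregate(flows, keep, direction, net):
    """Model of aggregate + aggregate_filter (hypothetical helper).

    direction: "src" or "dst", the side the filter matches against net.
    keep: set of primitives kept in the key; every other field is zeroed.
    """
    totals = defaultdict(lambda: [0, 0])
    for src, dst, pkts, octets in flows:
        side = src if direction == "src" else dst
        if ipaddress.ip_address(side) not in net:
            continue  # a working filter drops this flow before aggregation
        key = (src if "src_host" in keep else "0.0.0.0",
               dst if "dst_host" in keep else "0.0.0.0")
        totals[key][0] += pkts
        totals[key][1] += octets
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    net, host_bits = parse_net("192.168.88.0/16")
    print("effective network:", net, "host bits set:", host_bits)
    print("in :", aggregate(FLOWS, {"dst_host"}, "dst", net))
    print("out:", aggregate(FLOWS, {"src_host"}, "src", net))
```

With a filter that is actually applied, the [in] table holds only rows whose dst is inside the network, so rows with an outside dst and a zeroed src point at the filter not being in effect for the process that wrote them.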