Re: [pmacct-discussion] [EXTERNAL] Re: How do I report on the Netflow exporter IP?

2022-05-09 Thread Compton, Rich A
Ah, thanks for the reply Paolo and Luca!

On 5/6/22, 5:46 PM, "Paolo Lucente"  wrote:

Hi Rich,

It's peer_src_ip. peer_src_ip is the exporter IP address; peer_dst_ip is 
typically the IGP/BGP next-hop.

Paolo


On 6/5/22 13:31, Compton, Rich A wrote:
> Hi, I’m sure this is an easy thing to do but my google-fu is failing 
> me.  How do I report on the Netflow exporter IP in nfacct?  I don’t see 
> it in the list of aggregates in the documentation.  I have numerous 
> netflow exporters sending netflow to my collector.  I want to have a 
> field in my netflow records be the exporter IP.  Thanks in advance!
> 
> Rich Compton| Principal Eng   |314.596.2828
> 
> 8560 Upland Drive,   Suite B  |  Englewood, CO 80112
> 
> 
> The contents of this e-mail message and
> any attachments are intended solely for the
> addressee(s) and may contain confidential
> and/or legally privileged information. If you
> are not the intended recipient of this message
> or if this message has been addressed to you
> in error, please immediately alert the sender
> by reply e-mail and then delete this message
> and any attachments. If you are not the
> intended recipient, you are notified that
> any use, dissemination, distribution, copying,
> or storage of this message or any attachment
> is strictly prohibited.
> 
> ___
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists



Re: [pmacct-discussion] [docker-doctors] pmacctd in docker

2022-05-09 Thread Thomas Eckert
Hi Paolo,

Thanks for the hint, I gave it a try. I'm observing the exact same behavior
between running pmacct in a container & directly on my host in all cases.
Tested with
* official docker image: 281904b7afd6
* official ubuntu 21.10 package: pmacct/impish,now 1.7.6-2 amd64

I *think* the problem is with the interfaces' ifindex parameter when using
the pcap_interfaces_map config key - everything works fine (capture files
are printed) when instead using the pcap_interface key. Whenever I do not
specify the 'ifindex' in the file specified as value for the
pcap_interfaces_map config key, I do not observe capture files being
printed. Vice versa, if I do specify the 'ifindex' parameter, then capture
files are printed.

In fact, if I do specify 'ifindex' for all interfaces listed when I run
"netstat -i", then pmacctd throws errors for my br-* & enx interfaces -
which it does not do when I omit 'ifindex' - almost as if it only then
realizes that it is supposed to access those interfaces at all. This
assumption is also based on the fact that I do see log lines such as these
INFO ( default/core ): Reading configuration file '/etc/pmacct/pmacctd.conf'.
INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] (re)loading map.
INFO ( default/core ): [/etc/pmacct/pcap-itf.conf] map successfully (re)loaded.
INFO ( default/core ): [docker0,1872541466] link type is: 1   <=
INFO ( default/core ): [eno2,3698069186] link type is: 1      <=
INFO ( default/core ): [lo,2529615826] link type is: 1        <=
INFO ( default/core ): [tun0,3990258693] link type is: 12     <=
when specifying 'ifname' whereas the marked (<=) lines are missing whenever
I do not.

Reading through the config key documentation some more, I found the config
key pcap_ifindex. Interestingly enough, using it does not yield any
difference in results - neither for value "sys" nor for value "hash" -
irrespective of all other settings I played around with.

Assuming in pmacctd.conf the config key pcap_interfaces_map is used, then
this is what I speculate is effectively happening:
* pmacctd ignores config key pcap_ifindex
* instead, it expects 'ifindex' to be set in the interface mapping file for
each line
* each line where 'ifindex' is not set is ignored
* if 'ifindex' is missing on all lines, this results in a
"no-interface-being-listened-on" case without any warning/error
Summary: seems like 'ifname' is a mandatory parameter in the interface
mapping file whereas the documentation says "pmacctd: mandatory keys:
ifname."

My understanding of the documentation for above-mentioned config keys is
that the behavior I'm observing is not as intended (e.g. 'ifindex'
effectively being required, pcap_ifindex effectively being ignored). So
I'm either making a mistake, e.g. in my config files, misunderstanding the
documentation or I'm encountering a bug - which I find difficult to believe
given how trivial my setup is.

Any suggestions?

Regards & Thanks,
  Thomas

On Sun, May 8, 2022 at 1:43 PM Paolo Lucente  wrote:

>
> Hi Thomas,
>
> The simplest thing I may recommend is to check it all working outside a
> container - this way you can easily isolate whether the issue is somehow
> related to the container (config or interaction of pmacctd with the
> container) or with the pmacct config itself.
>
> Paolo
>
>
> On 6/5/22 06:05, Thomas Eckert wrote:
> > Hi everyone,
> >
> > pmacct starter here, trying to get pmacctd working inside of a container
> > to listen to the (container's) host's traffic. I suppose this is a, if
> > not the, standard use case for pmacctd in a container. So I'm sure it
> > works in principle but I'm doing something wrong.
> >
> > Command for starting the container:
> >  docker run \
> >  --privileged --network=host \
> >  --name pmacctd \
> >  -v /tmp/pmacctd.conf:/etc/pmacct/pmacctd.conf:ro \
> >  -v /tmp/pcap-itf.conf:/etc/pmacct/pcap-itf.conf:ro \
> >  -v /tmp//captures:/var/pmacct/captures:rw pmacctd-debug \
> >  pmacct/pmacctd:latest
> >
> > Contents of pmacctd.conf:
> >  daemonize: false
> >  snaplen: 1000
> >  pcap_interfaces_map: /etc/pmacct/pcap-itf.conf
> >  aggregate: src_host, dst_host, src_port, dst_port, proto, class
> >  plugins: print
> >  print_output: json
> >  print_output_file: /var/pmacct/captures/capture-%Y%m%d_%H%M.txt
> >  print_output_file_append: true
> >  print_history: 1m
> >  print_history_roundoff: m
> >  print_refresh_time: 5
> >
> > pcap-itf.conf contains all interfaces of the host (as per netstat -i) in
> > the form
> >  ifname=eno2
> > One line each, no other keys/values other than ifname.
> > Possibly important note: There's a VPN (openconnect) constantly running
> > on the host. The VPN's interface is listed in netstat -i and, as such,
> > included in pcap-itf.conf.
> >
> > Starting the container yields this output:
> >  INFO ( default/core ): Promiscuous Mode Accountin