Re: [pmacct-discussion] sfacct feature suggestion - traffic in/out direction

2016-07-28 Thread Paolo Lucente

Hi Jordan,

Inline:

On Thu, Jul 28, 2016 at 12:01:47AM +0300, Jordan wrote:

> I mean that when you enable sflow on an interface you cannot
> configure ingress/egress option.
> It captures both directions while we need only data for ingress traffic.

Just curious, which device is this? Never seen such a behaviour and it
looks wrong to me as it would lead to duplicates as soon as you enable
sFlow on a second port.

> There are two major problems with your solution. I think /direction/
> is not a valid sfacct key and we already use pretagging (both
> tag,tag2) for other purposes.

I think you have three main options: 1) let your device export ingress-
only or egress-only but not both; 2) filter duplicates/unwanted in
pmacct: you can do that via pre_tag_map, as Mario was suggesting; you
may set labels rather than tags since labels can be stacked, then you
can filter on one of the labels in the stack; it may turn out easier than
doing math ops against numerical tags; 3) log all down to the backend
and clean data yourself as part of your post-processing.

Problem with #2 and #3 is how to identify ingress/egress samples as
sFlow Flow Samples, afaik, do not carry information about direction
(that is why pmacct can't help and the 'direction' keyword does not
apply to sFlow). My feeling is, maybe also the most obvious solution,
you want to solve this with #1.

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists


Re: [pmacct-discussion] sfacct feature suggestion - traffic in/out direction

2016-07-27 Thread Jordan

Hello,

I mean that when you enable sflow on an interface you cannot configure 
ingress/egress option.

It captures both directions while we need only data for ingress traffic.

There are two major problems with your solution. I think /direction/ is 
not a valid sfacct key and we already use pretagging (both tag,tag2) for 
other purposes.


Regards,


On 07/27/2016 06:27 PM, Jentsch, Mario wrote:


Hi Jordan,

not sure what you mean with “equipment that cannot separate 
inbound/outbound traffic” but as long as you have /direction/ in your 
flow data you can add a pre-tag map like


!
! tag=1  - inbound IPv4 traffic
! tag=2  - outbound IPv4 traffic
! tag=3  - inbound IPv6 traffic
! tag=4  - outbound IPv6 traffic
!
set_tag=1 ip=0.0.0.0/0 direction=0 filter='ip'
set_tag=2 ip=0.0.0.0/0 direction=1 filter='ip'
set_tag=3 ip=0.0.0.0/0 direction=0 filter='ip6'
set_tag=4 ip=0.0.0.0/0 direction=1 filter='ip6'
set_tag=0 ip=0.0.0.0/0
!

and filter e.g. the ingress flows with

!
pre_tag_filter[ingress]: 1,3
aggregate[ingress]: …
!

Regards,

Mario

*From:* pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net] 
*On Behalf Of* Jordan
*Sent:* Wednesday, July 27, 2016 5:06 PM
*To:* pmacct-discussion@pmacct.net
*Subject:* [pmacct-discussion] sfacct feature suggestion - traffic 
in/out direction


Hello,

We're having issues with equipment that cannot separate 
inbound/outbound traffic using sflow V5.


Looking at the sflow V5 protocol it's having the following fields. 
Usually they match the snmp interface indexes.

/source_id/
/interface input/
/interface output/


What I suggest as a new feature are the following cases:

*Match_all_traffic* (by default) - matches all packets (as it currently 
works)
*Match_input_only* - (if /source_id==interface input/ permit, else 
drop the rest of the samples)
*Match_output_only* - (if /source_id==interface output/ permit, 
else drop the rest of the samples)



Please let me know if such feature would be possible?
If there is any other already implemented solution I would be glad to 
know.


Thank you in advance.

Best Regards,


--
---


Jordan




Re: [pmacct-discussion] sfacct feature suggestion - traffic in/out direction

2016-07-27 Thread Jentsch, Mario

Hi Jordan,

not sure what you mean with “equipment that cannot separate inbound/outbound 
traffic” but as long as you have direction in your flow data you can add a 
pre-tag map like

!
! tag=1  - inbound IPv4 traffic
! tag=2  - outbound IPv4 traffic
! tag=3  - inbound IPv6 traffic
! tag=4  - outbound IPv6 traffic
!
set_tag=1 ip=0.0.0.0/0 direction=0 filter='ip'
set_tag=2 ip=0.0.0.0/0 direction=1 filter='ip'
set_tag=3 ip=0.0.0.0/0 direction=0 filter='ip6'
set_tag=4 ip=0.0.0.0/0 direction=1 filter='ip6'
set_tag=0 ip=0.0.0.0/0
!

and filter e.g. the ingress flows with

!
pre_tag_filter[ingress]: 1,3
aggregate[ingress]: …
!

Regards,
Mario

From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net] On Behalf 
Of Jordan
Sent: Wednesday, July 27, 2016 5:06 PM
To: pmacct-discussion@pmacct.net
Subject: [pmacct-discussion] sfacct feature suggestion - traffic in/out 
direction

Hello,

We're having issues with equipment that cannot separate inbound/outbound 
traffic using sflow V5.

Looking at the sflow V5 protocol it's having the following fields. Usually they 
match the snmp interface indexes.
source_id
interface input
interface output


What I suggest as a new feature are the following cases:

Match_all_traffic (by default) - matches all packets (as it currently works)
Match_input_only - (if source_id==interface input permit, else drop the 
rest of the samples)
Match_output_only - (if source_id==interface output permit, else drop the 
rest of the samples)


Please let me know if such feature would be possible?
If there is any other already implemented solution I would be glad to know.

Thank you in advance.

Best Regards,


--
---
Jordan


[pmacct-discussion] sfacct feature suggestion - traffic in/out direction

2016-07-27 Thread Jordan

Hello,

We're having issues with equipment that cannot separate inbound/outbound 
traffic using sflow V5.


Looking at the sflow V5 protocol it's having the following fields. 
Usually they match the snmp interface indexes.

/source_id/
/interface input/
/interface output/


What I suggest as a new feature are the following cases:

*Match_all_traffic* (by default) - matches all packets (as it currently 
works)
*Match_input_only* - (if /source_id==interface input/ permit, else 
drop the rest of the samples)
*Match_output_only* - (if /source_id==interface output/ permit, 
else drop the rest of the samples)



Please let me know if such feature would be possible?
If there is any other already implemented solution I would be glad to know.

Thank you in advance.

Best Regards,



--
---


   Jordan
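
The source_id comparison proposed in this message, written out as an added Python example (it is not part of the original thread and is not pmacct code). It assumes the sFlow v5 compact flow sample header layout; the function names, the lowercase mode names and the sample bytes are constructed for illustration.

```python
import struct

# sFlow v5 compact flow sample header: eight big-endian u32 fields.
# source_id: top 8 bits = type (0 = ifIndex), low 24 bits = index.
# input/output: top 2 bits = format (0 = single ifIndex), low 30 bits = value.
def parse_flow_sample(body: bytes) -> dict:
    """Decode the fixed header that follows the sample tag and length."""
    if len(body) < 32:
        raise ValueError("truncated flow sample header")
    seq, source_id, rate, pool, drops, inp, out, nrec = struct.unpack_from("!8I", body)
    return {
        "source_type": source_id >> 24, "source_index": source_id & 0xFFFFFF,
        "in_format": inp >> 30, "in_value": inp & 0x3FFFFFFF,
        "out_format": out >> 30, "out_value": out & 0x3FFFFFFF,
        "sampling_rate": rate,
    }

def direction(s: dict) -> str:
    """Infer direction relative to the sampling interface named by source_id."""
    if s["source_type"] != 0:           # source is not an ifIndex: cannot compare
        return "unknown"
    src = s["source_index"]
    is_in = s["in_format"] == 0 and s["in_value"] == src
    is_out = s["out_format"] == 0 and s["out_value"] == src
    if is_in and not is_out:
        return "ingress"
    if is_out and not is_in:
        return "egress"
    return "unknown"                    # no match, or in and out are the same port

def keep(s: dict, mode: str = "match_all_traffic") -> bool:
    """Apply the three proposed match modes (hypothetical names)."""
    if mode == "match_all_traffic":
        return True
    want = {"match_input_only": "ingress", "match_output_only": "egress"}[mode]
    return direction(s) == want

def make_sample(source_id, in_if, out_if, rate=1024):
    """Build a constructed header: seq=1, pool=0, drops=0, zero flow records."""
    return struct.pack("!8I", 1, source_id, rate, 0, 0, in_if, out_if, 0)

# Constructed samples, as if sampling were enabled on ifIndex 10
SAMPLES = [make_sample(10, 10, 20),           # entered on port 10
           make_sample(10, 20, 10),           # left via port 10
           make_sample(10, 10, 0x40000001)]   # entered on port 10, then discarded
INGRESS_ONLY = [direction(parse_flow_sample(b)) for b in SAMPLES
                if keep(parse_flow_sample(b), "match_input_only")]
```

Samples whose source_id is not an ifIndex, or whose input and output both equal the sampling port, are reported as unknown and are dropped by both directional modes.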

