pmacct / pmacct

pmacct is a small set of multi-purpose passive network monitoring tools [NetFlow IPFIX sFlow libpcap BGP BMP RPKI IGP Streaming Telemetry].

Home Page:http://www.pmacct.net


pmacct doesn't map tcp flags and dscp tags in output Netflows

Purandhar-Krishnamurthy opened this issue · comments

Description
I am unable to get the tcp flags, DSCP mapping values in the output Netflows.

Version
$ pmacctd -V
Promiscuous Mode Accounting Daemon, pmacctd 1.7.8-git [RELEASE]

pmacct is configured and compiled with `--enable-kafka --enable-jansson`

Configuration used:

```
pcap_interface: eth1
daemonize: true

pidfile: /var/run/pmacctd-nfprobe-eth2.pid
logfile: /var/log/pmacct/pmacctd-nfprobe-eth2.log

post_tag: 1
aggregate: src_host, dst_host, src_port, dst_port, proto, tos, tcpflags
tos_encode_as_dscp: true
tos_file: /etc/pmacct/tos_file.lst
tcpflags_encode_as_array: true

plugins: nfprobe[a]
nfprobe_receiver[a]: 127.0.0.1:2101
nfprobe_version: 9
```

Output Netflows received:
{ "type" : "FLOW", "sampled" : 0, "export_sysid" : 1, "t_first" : "2023-06-24T12:21:28.201", "t_last" : "2023-06-24T12:21:29.415", "proto" : 6, "src4_addr" : "10.x.x.50", "dst4_addr" : "10.y.y.154", "src_port" : 52427, "dst_port" : 443, "fwd_status" : 0, **"tcp_flags" : "...AP.SF",** **"src_tos" : 0,** "in_packets" : 12, "in_bytes" : 1185, "input_snmp" : 0, "output_snmp" : 0, "src_mask" : 0, "dst_mask" : 0, **"dst_tos" : 0,** "direction" : 0, "ip4_router" : "127.0.0.1", "engine_type" : 0, "engine_id" : 0, "t_received" : "2023-06-24T12:27:01.809", "label" : "<none>" }

Here is the tos_file.lst file that I used:

```
0=Default
8=Best Effort
10=AF11
12=AF12
14=AF13
16=CS1
18=AF21
20=AF22
22=AF23
24=CS2
26=AF31
28=AF32
30=AF33
32=CS3
34=AF41
36=AF42
38=AF43
40=CS4
46=EF
48=CS5
56=CS6
```

I have tried various formats for this file, like replacing '=' with a space, a semicolon or a colon. Nothing worked.

I was expecting that I would be getting 'src_tos'/'dst_tos' as Default, but I am getting only the key (0), not its value (Default).

I would like to know of any configuration issues that I might have made.

Your help/suggestion in this regard is much appreciated.

Thanks,
Purandhar Krishnamurthy

Hi @Purandhar-Krishnamurthy ,

The tos_file is merely a filter. You would have one DSCP value (in your case) of interest per line listed, i.e.:

```
0
8
10
12
14
[ .. ]
```

Those not filtered in are rolled up in the value 255, which means "others". Any value-to-string substitution you should perform yourself as part of post-processing; or, of course, an equivalent feature à la fwd_status_encode_as_string would be more than welcome.

This issue highlights the fact that some better documentation around this and similar files, i.e. ports_file, protos_file, etc., should be done.

Paolo
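As an added example (not pmacct's own code and not from this thread), the post-processing the reply describes: it turns the reporter's `value=name` file into the one-value-per-line filter pmacct expects, keeps the names as a lookup table, and maps `src_tos`/`dst_tos` in a collector JSON record to names, treating 255 as the "others" roll-up. The sample file text and flow record are constructed for the example; the 0..63 range check assumes `tos_encode_as_dscp: true` as in the reporter's configuration.

```python
import json

# Constructed sample in the reporter's "value=name" style (not the format
# pmacct expects; a tos_file holds one bare DSCP value per line).
TOS_FILE_TEXT = """\
0=Default
8=Best Effort
10=AF11
46=EF
"""

# Constructed flow record in the shape the reporter's collector emits.
FLOW_JSON = '{"type": "FLOW", "proto": 6, "src_tos": 0, "dst_tos": 255, "tcp_flags": "...AP.SF"}'


def parse_tos_file(text):
    """Return (filter values for pmacct, {dscp: name} table for post-processing)."""
    values, names = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value, _, name = line.partition("=")  # bare "0" lines also work
        dscp = int(value.strip())
        if not 0 <= dscp <= 63:  # DSCP range; assumes tos_encode_as_dscp: true
            raise ValueError(f"DSCP out of range: {dscp}")
        values.append(dscp)
        if name.strip():
            names[dscp] = name.strip()
    return values, names


def to_pmacct_tos_file(values):
    """Render the filter as the reply describes it: one value per line."""
    return "\n".join(str(v) for v in sorted(set(values))) + "\n"


def dscp_name(value, names):
    # pmacct rolls values not listed in tos_file into 255, meaning "others".
    if value == 255:
        return "others"
    return names.get(value, f"unlisted({value})")


def annotate_flow(flow_json, names):
    """Post-process one JSON flow record: add src_tos_name / dst_tos_name."""
    rec = json.loads(flow_json)
    for key in ("src_tos", "dst_tos"):
        if isinstance(rec.get(key), int):
            rec[key + "_name"] = dscp_name(rec[key], names)
    return rec
```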