pmacct / pmacct

pmacct is a small set of multi-purpose passive network monitoring tools [NetFlow IPFIX sFlow libpcap BGP BMP RPKI IGP Streaming Telemetry].

Home Page:http://www.pmacct.net


How do we include an aggregate filler for the peer_src_ip parameter?

AnanthGopal opened this issue · comments

Description
Consider the fact that we obtained the data from two separate exporters.
As an example:

  • The first exporter's peer source IP address is 1.1.1.1.

  • The second exporter's peer source IP address is 1.1.1.2.

We configure pmacct with RabbitMQ, and RabbitMQ receives data from the two exporters mentioned above. The data is then captured from RabbitMQ and inserted into Postgres. When we insert data into Postgres, we check to see if the peer source IP is 1.1.1.1; otherwise, we skip that record. So the 1.1.1.2 data is unnecessary, yet RabbitMQ has those entries. So we intend to use aggregate_filter for the peer source IP but are unsure how to use the peer source IP in aggregate_filter.

Below we added some other aggregate_filter rules for protocol, src IP and dst IP. We need to add a peer source IP filter:

```
aggregate_filter: (tcp or udp) and not (src net 0.0.0.0 or dst net 255.255.255.255)
```

Version
Output of `nfacctd -V`:

```
NetFlow Accounting Daemon, nfacctd 1.7.7-git [20211107-0 (https://github.com/pmacct/pmacct/commit/ef37a415504c9c3e6afeaecb2f0cce4eb698e648)]

Arguments:
'--enable-mysql' '--enable-pgsql' '--enable-sqlite3' '--enable-kafka' '--enable-geoipv2' '--enable-jansson' '--enable-rabbitmq' '--enable-nflog' '--enable-ndpi' '--enable-zmq' '--enable-avro' '--enable-serdes' '--enable-redis' '--enable-gnutls' 'AVRO_CFLAGS=-I/usr/local/avro/include' 'AVRO_LIBS=-L/usr/local/avro/lib -lavro' '--enable-l2' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'

Libs:
cdada 0.3.5
libpcap version 1.8.1
MariaDB 10.3.31
PostgreSQL 110013
sqlite3 3.27.2
rabbimq-c 0.11.0
rdkafka 1.8.2
jansson 2.14
MaxmindDB 1.6.0
ZeroMQ 4.3.2
Redis 1.0.3
GnuTLS 3.6.7
avro-c
serdes
nDPI 3.4.0
netfilter_log

Plugins:
memory
print
nfprobe
sfprobe
tee
mysql
postgresql
sqlite
amqp
kafka

System:
Linux 5.4.17-2136.307.3.1.el8uek.x86_64 #2 SMP Mon May 9 17:29:47 PDT 2022 x86_64

Compiler:
gcc 8.3.0
```

Your help in this is greatly appreciated.

Hi @AnanthGopal ,

You can't use `aggregate_filter` for this because that one can only filter on portions of the original (or re-constructed) packet, and the IP address of the exporter is not part of that. You can however use `pre_tag_map` and `pre_tag_filter` for the job. The exporter IP address can be matched in the map using the `ip` keyword, i.e.: `set_tag=100 ip=1.1.1.2`. The map can be included in the daemon config as `pre_tag_map: /path/to/pretag.map`. Finally, the tag 100 can be intercepted and excluded as follows: `pre_tag_filter[<plugin name>]: -100`.

Paolo
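A worked configuration for the approach described in the reply above, added here as an example; it is not taken from the issue or from pmacct's own documentation. The file paths, the `amqp` plugin name, the RabbitMQ settings and the `aggregate` key list are assumptions based on the setup the reporter describes (pmacct config files and pretag maps both use `!` for comments):

```conf
! --- /etc/pmacct/pretag.map (assumed path) ---
! In nfacctd the "ip" keyword is compared against the address of the
! device exporting the flows, not against any address inside the flow.
! Tag everything coming from the second exporter.
set_tag=100 ip=1.1.1.2

! --- /etc/pmacct/nfacctd.conf (assumed path) ---
daemonize: false
nfacctd_port: 2055
plugins: amqp

! Keep peer_src_ip in the aggregate so the exporter address is still
! visible in the records that reach RabbitMQ (and later Postgres).
aggregate: peer_src_ip, src_host, dst_host, proto

! BPF-style filter from the issue: it only sees the flow's own
! addresses and protocol, so it cannot match the exporter address.
aggregate_filter: (tcp or udp) and not (src net 0.0.0.0 or dst net 255.255.255.255)

! Tag records by exporter, then drop tag 100 before the amqp plugin.
pre_tag_map: /etc/pmacct/pretag.map
pre_tag_filter[amqp]: -100

! Allow-list variant (safer when further exporters may appear, since an
! unknown exporter is then dropped rather than passed through):
!   set_tag=100 ip=1.1.1.1      (in pretag.map)
!   pre_tag_filter[amqp]: 100   (only records carrying tag 100 pass)

amqp_host: localhost
amqp_exchange: pmacct
amqp_routing_key: acct
```

With this in place the unwanted exporter's records never reach RabbitMQ, so the Postgres loader no longer needs to check `peer_src_ip` itself, though keeping that check is a harmless second line of defence.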