From: Denis Yagofarov
Date: Thu, 24 Sep 2009 12:26:27 +0300
To: ALT Linux sysadmin discuss
Subject: [Sysadmins] ipcad and interface indexes
Message-ID: <4ABB3B43.1060706@rambler.ru>

Good day.

I use ipcad (ipcad-3.7.3-alt0.M40.1, x64) as a NetFlow sensor.
The router has several interfaces; the ipcad config:

capture-ports disable;
interface veth1;
interface tun0;
aggregate 10.8.0.0/24 strip 32;
aggregate 30000-65535 into 65535; /* Aggregate wildly */
netflow export destination 10.3.0.17 5556;
netflow export version 5;
netflow timeout active 30;
netflow timeout inactive 15;
netflow engine-type 73;
netflow engine-id 1;
netflow ifclass veth mapto 0-99; # i.e., "eth1"->1, "eth3"->3
netflow ifclass fxp mapto 0-99; # i.e., "fxp4"->4, "fxp0"->0
netflow ifclass ppp mapto 100-199; # i.e., "ppp32"->532, "ppp7"->507
netflow ifclass gre mapto 200-299;
netflow ifclass tun mapto 300-399; # i.e., "tun0"->300
rsh off;
dumpfile = ipcad.dump; # The file is inside chroot(), see below...
chroot = /var/lib/ipcad;
pidfile = ipcad.pid;
memory_limit = 1m;

In the logs everything is _almost_ right:

Sep 23 19:20:19 calcium ipcad: Opening veth1... [LCap]
Sep 23 19:20:19 calcium ipcad: Initialized as 1
                               ^^^^^^^^^^^ -> unclear, is this about SNMP?
Sep 23 19:20:19 calcium ipcad: Opening tun0... [LCap]
Sep 23 19:20:19 calcium ipcad: Initialized as 2
                               ^^^^^^^^^^^ -> unclear, is this about SNMP?
Sep 23 19:20:19 calcium ipcad: Configured NetFlow destination at 10.3.0.17:5556
Sep 23 19:20:19 calcium ipcad: Warning: Option at line 189 has no effect
Sep 23 19:20:19 calcium ipcad: Aggregate network 10.8.0.0/255.255.255.0 -> 255.255.255.255
Sep 23 19:20:19 calcium ipcad: Aggregate ports 30000..65535 into 65535
Sep 23 19:20:19 calcium ipcad: Daemonized.
Sep 23 19:20:19 calcium ipcad: ipcad startup succeeded

The traffic is captured like this:

flow-capture -b big -p /var/run/flowtool_vr.pid -w /var/www/apache2/cgi-bin/FlowViewer_3.3.1/flows/vpn_router -n 287 -N 3 -S 5 0/0/5556

I try to look at the report:

flow-cat ./flows/vpn_router/2009/2009-09/2009-09-24/ft-v05.2009-09-24.* | flow-print -f 5 | head

Start             End               Sif   SrcIPaddress    SrcP  DIf   DstIPaddress    DstP  P  Fl Pkts Octets
0923.23:59:56.578 0923.23:59:56.578 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100
0924.00:00:11.948 0924.00:00:11.948 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100
0924.00:00:27.315 0924.00:00:27.315 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100
0924.00:00:42.685 0924.00:00:42.685 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100
0924.00:00:58.052 0924.00:00:58.052 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100
0924.00:01:13.422 0924.00:01:13.422 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100
0924.00:01:28.789 0924.00:01:28.789 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100
0924.00:01:44.159 0924.00:01:44.159 65535 10.3.0.6        65535 65535 10.3.0.17       5556  17 0  1    100

The problem is that for flows through any interface Sif = 65535 and DIf = 65535.
For a router with a larger number of interfaces it is the same.

Where did I go wrong? ... or is this a bug/feature?
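One way to check on the collector side what the sensor actually writes into the input/output interface fields of each NetFlow v5 record (the Sif/DIf columns in the message above) is to decode the export datagram directly. This is an added example, not part of the original message or of ipcad/flow-tools; the function names are hypothetical and the sample datagram is constructed, using the standard v5 layout of a 24-byte header followed by 48-byte records.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes
UNSET = 65535  # value seen in the Sif/DIf columns of the post

def parse_v5(datagram: bytes):
    """Decode one NetFlow v5 export datagram into (header, records)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, etype, eid, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than header count")
    records = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "input": f[3], "output": f[4],  # SNMP ifIndex fields (Sif / DIf)
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    header = {"count": count, "sequence": seq, "engine_type": etype, "engine_id": eid}
    return header, records

def ifindex_report(records):
    """Count flows per (input, output) pair and how many carry the unset value."""
    pairs = Counter((r["input"], r["output"]) for r in records)
    unset = sum(n for (i, o), n in pairs.items() if UNSET in (i, o))
    return pairs, unset

def constructed_datagram():
    """Constructed sample: one flow with indexes 1 -> 300, one with 65535/65535."""
    def rec(src, dst, inp, out, sport, dport):
        return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                           inp, out, 1, 100, 0, 0, sport, dport, 0, 0, 17, 0, 0, 0, 0, 0, 0)
    header = HEADER.pack(5, 2, 0, 0, 0, 0, 73, 1, 0)  # engine-type 73, engine-id 1 as in the config
    return (header + rec("10.8.0.2", "10.3.0.17", 1, 300, 65535, 53)
            + rec("10.3.0.6", "10.3.0.17", UNSET, UNSET, 65535, 5556))

if __name__ == "__main__":
    hdr, recs = parse_v5(constructed_datagram())
    print(hdr, *ifindex_report(recs), sep="\n")
```

Run against UDP payloads received on the collector port, it shows the index pairs as exported, before flow-tools stores or prints them.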