Mailing List Archive

Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
First issue:
We are using cento to send netflow to multiple collectors for analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We are sending as version 5 netflow, which has a field for the interface.

Bytes 12-13, and 14-15 in the flow record
12-13 | input | SNMP index of input interface
14-15 | output | SNMP index of output interface
All of the flow packets are coming through with either "1" or "2" for those values, which is causing problems with our Kentik service and an internal collector.

It appears this has been brought up before, but there isn't a solution mentioned.
http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/

How do we get cento to correctly report the interface ID?

Second issue.
We are seeing tcp traffic reported by cento sourcing and destined to the same IP, which is not physically possible. src_ip = dst_ip = same IP

Any ideas how to prevent this?
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
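An added example (not part of the original post, and not ntop code): a small NetFlow v5 decoder that reads the input/output interface indexes at the byte offsets quoted above, compares them with the IDs named in an `--if-networks` style mapping, and flags records whose source and destination address are equal. The sample datagram, its addresses and all function names are constructed for illustration; the `@<filename>` form of the option is not handled.

```python
import ipaddress
import re
import struct

# NetFlow v5 layouts, network byte order. In the 48-byte flow record the input
# interface index sits at bytes 12-13 and the output index at bytes 14-15.
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48 bytes
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def expected_ids(if_networks):
    """Return the interface IDs named in '<MAC|IP/mask>@<interfaceId>[,...]'."""
    ids = set()
    for entry in if_networks.split(","):
        target, sep, iface = entry.strip().rpartition("@")
        if not sep or not target or not iface.isdigit():
            raise ValueError(f"bad entry: {entry!r}")
        if not MAC_RE.match(target):
            # Not a MAC, so it must be an IP network; raises ValueError if not.
            ipaddress.ip_network(target, strict=False)
        if int(iface) > 0xFFFF:
            raise ValueError(f"interface ID does not fit 16 bits: {entry!r}")
        ids.add(int(iface))
    return ids


def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header record count exceeds datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "input": f[3],    # bytes 12-13 of the record
            "output": f[4],   # bytes 14-15 of the record
            "proto": f[12],
        })
    return flows


def audit(flows, wanted_ids):
    """Flag records with unmapped interface indexes or src == dst."""
    findings = []
    for n, f in enumerate(flows):
        if f["input"] not in wanted_ids or f["output"] not in wanted_ids:
            findings.append((n, "unexpected-ifindex", f["input"], f["output"]))
        if f["src"] == f["dst"]:
            findings.append((n, "src-equals-dst", f["src"], f["proto"]))
    return findings


def _record(src, dst, in_if, out_if):
    # Constructed TCP flow record; counters and ports are arbitrary.
    return V5_RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
        bytes(4), in_if, out_if, 10, 840, 0, 0, 40000, 443, 0x18, 6, 0,
        0, 0, 24, 24)


def build_sample():
    """Constructed datagram: one well-formed flow, one showing both problems."""
    header = V5_HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, 0)
    return (header
            + _record("192.0.2.10", "198.51.100.7", 5, 6)
            + _record("192.0.2.10", "192.0.2.10", 1, 2))


if __name__ == "__main__":
    wanted = expected_ids("68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6")
    for finding in audit(parse_v5(build_sample()), wanted):
        print(finding)
```

Feeding it datagrams captured at the collector shows whether the exporter is still emitting the default indexes after a configuration change.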

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Hi Jesse
please see below

On 02/10/2017 02:08 PM, Jesse Alexander wrote:
> First issue:
> We are using cento to send netflow to multiple collectors for analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We are sending as version 5 netflow, which has a field for the interface.
>
> Bytes 12-13, and 14-15 in the flow record
> 12-13 | input | SNMP index of input interface
> 14-15 | output | SNMP index of output interface
> All of the flow packets are coming through with either "1" or "2" for those values, which is causing problems with our Kentik service and an internal collector.
>
> It appears this has been brought up before, but there isn't a solution mentioned.
> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/
>
> How do we get cento to correctly report the interface ID?

In the current cento (devel) you can do
--iface-id <in>:<out> | Set input/output interfaceId in exported flows
where
- interface indexes and (router) MAC/IP addresses
Flag --iface-id is used to specify the SNMP interface identifiers for emitted flows.
However using --if-networks it is possible to specify an interface identifier to which a MAC address or IP network is bound. The syntax of --if-networks is:
<MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,).
Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
--if-networks @<filename> where <filename> is a file path containing the networks specified using the above format.


>
> Second issue.
> We are seeing tcp traffic reported by cento sourcing and destined to the same IP, which is not physically possible. src_ip = dst_ip = same IP
Also fixed

Please upgrade

Regards Luca
>
> Any ideas how to prevent this?

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Hello,
following an older thread:

On 10.02.2017 14:54, Luca Deri wrote:
> Hi Jesse
> please see below
>
> In the current cento (devel) you can do
> --iface-id <in>:<out> | Set input/output interfaceId in exported flows
> where
> - interface indexes and (router) MAC/IP addresses
> Flag --iface-id is used to specify the SNMP interface identifiers for emitted flows.
> However using --if-networks it is possible to specify an interface identifier to which a MAC address or IP network is bound. The syntax of --if-networks is:
> <MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,).
> Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
> --if-networks @<filename> where <filename> is a file path containing the networks specified using the above format.
>
It doesn't work for me. I have the same issue as Jesse - all flows from
cento are exported with if interface 1, out interface 2.

I mirror traffic from router to the following two interfaces on cento box:

3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT qlen 1000
    link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff

I tried to set the interface indexes to 5 and 6 using:
--if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"

However, I still see only 1 for incoming and 2 for outgoing index in flow data:

Flow Record:
Flags = 0x00 FLOW, Unsampled
<snip>
input = 1
output = 2

Running cento --version
v.1.3.171116

Any idea what I am doing wrong?

Thanks,
Matej

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Matej,
can you please share the flow command line you are using?

Luca

> On 18 Nov 2017, at 21:21, Matěj Grégr <igregr@fit.vutbr.cz> wrote:
>
> Hello,
> following an older thread:
> It doesn't work for me. I have the same issue as Jesse - all flows from
> cento are exported with if interface 1, out interface 2.
>
> I mirror traffic from router to the following two interfaces on cento box:
>
> 3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
> state UP mode DEFAULT qlen 1000
> link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
> 5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
> state UP mode DEFAULT qlen 1000
> link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
>
> I tried to set the interface indexes to 5 and 6 using:
> --if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
>
> However, I still see only 1 for incoming and 2 for outgoing index in
> flow data:
>
> Flow Record:
> Flags = 0x00 FLOW, Unsampled
> <snip>
> input = 1
> output = 2
>
> Running cento --version
> v.1.3.171116
>
> Any idea what I am doing wrong?
>
> Thanks,
> Matej

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Hello Luca,
I tried to use the following cento.conf:

# cat /etc/cento/cento.conf
-p=/var/run/cento.pid
-t=30
-d=20
-9=x.x.x.x:9998
-i=fge1
-i=fge2
-g=0,1
-G=2,3
-D=0
--syslog=cento
-b
--if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6

M.

On 20.11.2017 12:17, Luca Deri wrote:
> Matej,
> can you please share the flow command line you are using?
>
> Luca

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Hi Matěj,

please change

-D=0
--syslog=cento
-b *<=== REMOVE*
--if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6


(remove -b)

and it will work

Regards Luca

On 11/20/2017 05:21 PM, Matěj Grégr wrote:
> Hello Luca,
> I tried to use the following cento.conf:
>
> # cat /etc/cento/cento.conf
> -p=/var/run/cento.pid
> -t=30
> -d=20
> -9=x.x.x.x:9998
> -i=fge1
> -i=fge2
> -g=0,1
> -G=2,3
> -D=0
> --syslog=cento
> -b
> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>
> M.

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Hello Luca,
hm, I don't see any difference. I tried to run cento from command line
using the following command:

cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1 --syslog cento -D 0 --if-networks 68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6

fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
However, I still see input and output interface set to 1 and 2.

Tried also with --if-networks @cento-networks
# cat cento-networks
68:05:CA:34:89:C0@5

But without success.

M.

On 21.11.2017 14:13, Luca Deri wrote:
> Hi Matěj,
>
> please change
>
> -D=0
> --syslog=cento
> -b *<=== REMOVE*
> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>
>
> (remove -b)
>
> and it will work
>
> Regards Luca

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Matěj,
the problem of -b is that the rest of the CLI was not parsed.

What type of traffic did you attach to fge1? Is traffic
originated/received by the machine or is traffic mirrored to it? Can you
please check this?

Thanks Luca
 
On 11/23/2017 09:42 PM, Matěj Grégr wrote:
> Hello Luca,
> hm, I don't see any difference. I tried to run cento from command line
> using the following command:
>
> cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1 --syslog cento -D 0 --if-networks 68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>
> fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
> However, I still see input and output interface set to 1 and 2.
>
> Tried also with --if-networks @cento-networks
> # cat cento-networks
> 68:05:CA:34:89:C0@5
>
> But without success.
>
> M.

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Hi Luca,
it's mirrored traffic. Does --if-networks option apply only for
traffic originated/received by the machine?

M.

On 12/01/2017 10:40 AM, Luca Deri wrote:
> Matěj,
> the problem of -b is that the rest of the CLI was not parsed.
>
> What type of traffic did you attach to fge1? Is traffic
> originated/received by the machine or is traffic mirrored to it? Can you
> please check this?
>
> Thanks Luca

Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs
Matej
it applies to the MAC address of the packets received by cento, not to the MAC of the NIC receiving them

Luca


> On 1 Dec 2017, at 10:55, Matěj Grégr <igregr@fit.vutbr.cz> wrote:
>
> Hi Luca,
> it's mirrored traffic. Does --if-networks option apply only for
> traffic originated/received by the machine?
>
> M.
>
> On 12/01/2017 10:40 AM, Luca Deri wrote:
>> Matěj,
>> the problem of -b is that the rest of the CLI was not parsed.
>>
>> What type of traffic did you attach to fge1? Is traffic
>> originated/received by the machine or is traffic mirrored to it? Can you
>> please check this?
>>
>> Thanks Luca
>>
>> On 11/23/2017 09:42 PM, Matěj Grégr wrote:
>>> Hello Luca,
>>> hm, I don't see any difference. I tried to run cento from command line
>>> using the following command:
>>>
>>> cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1
>>> --syslog cento -D 0 --if-networks 68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>
>>> fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
>>> However, I still see input and output interface set to 1 and 2.
>>>
>>> Tried also with --if-networks @cento-networks
>>> # cat cento-networks
>>> 68:05:CA:34:89:C0@5
>>>
>>> But without success.
>>>
>>> M.
>>>
>>> On 21.11.2017 14:13, Luca Deri wrote:
>>>> Hi Matěj,
>>>>
>>>> please change
>>>>
>>>> D=0
>>>> --syslog=cento
>>>> -b *<=== REMOVE*
>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>
>>>>
>>>> (remove -b)
>>>>
>>>> and it will work
>>>>
>>>> Regards Luca
>>>>
>>>> On 11/20/2017 05:21 PM, Matěj Grégr wrote:
>>>>> Hello Luca,
>>>>> I tried to use the following cento.conf:
>>>>>
>>>>> # cat /etc/cento/cento.conf
>>>>> -p=/var/run/cento.pid
>>>>> -t=30
>>>>> -d=20
>>>>> -9=x.x.x.x:9998
>>>>> -i=fge1
>>>>> -i=fge2
>>>>> -g=0,1
>>>>> -G=2,3
>>>>> -D=0
>>>>> --syslog=cento
>>>>> -b
>>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>>
>>>>> M.
>>>>>
>>>>> On 20.11.2017 12:17, Luca Deri wrote:
>>>>>> Matej,
>>>>>> can you please share the flow command line you are using?
>>>>>>
>>>>>> Luca
>>>>>>
>>>>>>> On 18 Nov 2017, at 21:21, Matěj Grégr <igregr@fit.vutbr.cz> wrote:
>>>>>>>
>>>>>>> Hello,
>>>>>>> following an older thread:
>>>>>>>
>>>>>>> On 10.02.2017 14:54, Luca Deri wrote:
>>>>>>>> Hi Jesse
>>>>>>>> please see below
>>>>>>>>
>>>>>>>> On 02/10/2017 02:08 PM, Jesse Alexander wrote:
>>>>>>>>> First issue:
>>>>>>>>> We are using cento to send netflow to multiple collectors for analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We are sending as version 5 netflow, which has a field for the interface.
>>>>>>>>>
>>>>>>>>> Bytes 12-13, and 14-15 in the flow record
>>>>>>>>> 12-13 | input | SNMP index of input interface
>>>>>>>>> 14-15 | output | SNMP index of output interface
>>>>>>>>> All of the flow packets are coming through with either "1" or "2" for those values, which is causing problems with our Kentik service and an internal collector.
>>>>>>>>>
>>>>>>>>> It appears this has been brought up before, but there isn't a solution mentioned.
>>>>>>>>> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/
>>>>>>>>>
>>>>>>>>> How do we get cento to correctly report the interface ID?
>>>>>>>> In the current cento (devel) you can do
>>>>>>>> --iface-id <in>:<out> | Set input/output interfaceId
>>>>>>>> in exported flows
>>>>>>>> where
>>>>>>>> - interface indexes and (router) MAC/IP addresses
>>>>>>>> Flag --iface-id is used to specify the SNMP interface identifiers
>>>>>>>> for emitted flows.
>>>>>>>> However using --if-networks it is possible to specify an interface
>>>>>>>> identifier to which
>>>>>>>> a MAC address or IP network is bound. The syntax of --if-networks is:
>>>>>>>> <MAC|IP/mask>@<interfaceId> where multiple entries can be separated
>>>>>>>> by a comma (,).
>>>>>>>> Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
>>>>>>>> --if-networks @<filename> where <filename> is a file path containing
>>>>>>>> the networks
>>>>>>>> specified using the above format.
>>>>>>>>
>>>>>>> It doesn't work for me. I have the same issue as Jesse - all flows from
>>>>>>> cento are exported with if interface 1, out interface 2.
>>>>>>>
>>>>>>> I mirror traffic from router to the following two interfaces on cento box:
>>>>>>>
>>>>>>> 3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>> link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
>>>>>>> 5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>> link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
>>>>>>>
>>>>>>> I tried to set the interface indexes to 5 and 6 using:
>>>>>>> --if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
>>>>>>>
>>>>>>> However, I still see only 1 for incoming and 2 for outgoing index in
>>>>>>> flow data:
>>>>>>>
>>>>>>> Flow Record:
>>>>>>> Flags = 0x00 FLOW, Unsampled
>>>>>>> <snip>
>>>>>>> input = 1
>>>>>>> output = 2
>>>>>>>
>>>>>>> Running cento --version
>>>>>>> v.1.3.171116
>>>>>>>
>>>>>>> Any idea what I am doing wrong?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Matej
>>>>>>>
Re: Cento: (1) How to set interface IDs and (2) duplicate source/destination IPs [ In reply to ]
Hi Luca,
ok, thanks. I totally misunderstood the option then. --iface-id is
maybe more suitable for my needs. However, I probably have to split
cento into two instances, as I don't see how I could specify iface-id if
I run only one instance of cento, e.g. cento -i fge1 -i fge2. But I think
that cento -i fge1 --iface-id 5:7 and cento -i fge2 --iface-id 6:7 will
work.

M.

On 01.12.2017 15:08, Luca Deri wrote:
> Matej
> it applies to the MAC address of the packets received by cento, not to the MAC of the NIC receiving them
>
> Luca
>
>
>> On 1 Dec 2017, at 10:55, Matěj Grégr <igregr@fit.vutbr.cz> wrote:
>>
>> Hi Luca,
>> it's mirrored traffic. Does --if-networks option apply only for
>> traffic originated/received by the machine?
>>
>> M.
>>
>> On 12/01/2017 10:40 AM, Luca Deri wrote:
>>> Matěj,
>>> the problem of -b is that the rest of the CLI was not parsed.
>>>
>>> What type of traffic did you attach to fge1? Is traffic
>>> originated/received by the machine or is traffic mirrored to it? Can you
>>> please check this?
>>>
>>> Thanks Luca
>>>
>>> On 11/23/2017 09:42 PM, Matěj Grégr wrote:
>>>> Hello Luca,
>>>> hm, I don't see any difference. I tried to run cento from command line
>>>> using the following command:
>>>>
>>>> cento -p /var/run/cento-fge1.pid -t 30 -d 20 -9 x.x.x.x:9999 -i fge1
>>>> --syslog cento -D 0 --if-networks 68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>
>>>> fge1 driver has MAC 68:05:ca:34:89:c0, thus it should be set to 5.
>>>> However, I still see input and output interface set to 1 and 2.
>>>>
>>>> Tried also with --if-networks @cento-networks
>>>> # cat cento-networks
>>>> 68:05:CA:34:89:C0@5
>>>>
>>>> But without success.
>>>>
>>>> M.
>>>>
>>>> On 21.11.2017 14:13, Luca Deri wrote:
>>>>> Hi Matěj,
>>>>>
>>>>> please change
>>>>>
>>>>> D=0
>>>>> --syslog=cento
>>>>> -b *<=== REMOVE*
>>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>>
>>>>>
>>>>> (remove -b)
>>>>>
>>>>> and it will work
>>>>>
>>>>> Regards Luca
>>>>>
>>>>> On 11/20/2017 05:21 PM, Matěj Grégr wrote:
>>>>>> Hello Luca,
>>>>>> I tried to use the following cento.conf:
>>>>>>
>>>>>> # cat /etc/cento/cento.conf
>>>>>> -p=/var/run/cento.pid
>>>>>> -t=30
>>>>>> -d=20
>>>>>> -9=x.x.x.x:9998
>>>>>> -i=fge1
>>>>>> -i=fge2
>>>>>> -g=0,1
>>>>>> -G=2,3
>>>>>> -D=0
>>>>>> --syslog=cento
>>>>>> -b
>>>>>> --if-networks=68:05:CA:34:89:C0@5,68:05:CA:34:89:C1@6
>>>>>>
>>>>>> M.
>>>>>>
>>>>>> On 20.11.2017 12:17, Luca Deri wrote:
>>>>>>> Matej,
>>>>>>> can you please share the flow command line you are using?
>>>>>>>
>>>>>>> Luca
>>>>>>>
>>>>>>>> On 18 Nov 2017, at 21:21, Matěj Grégr <igregr@fit.vutbr.cz> wrote:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>> following an older thread:
>>>>>>>>
>>>>>>>> On 10.02.2017 14:54, Luca Deri wrote:
>>>>>>>>> Hi Jesse
>>>>>>>>> please see below
>>>>>>>>>
>>>>>>>>> On 02/10/2017 02:08 PM, Jesse Alexander wrote:
>>>>>>>>>> First issue:
>>>>>>>>>> We are using cento to send netflow to multiple collectors for analysis. The nbox server has 4 pairs of TAP interfaces (8 NICs). We are sending as version 5 netflow, which has a field for the interface.
>>>>>>>>>>
>>>>>>>>>> Bytes 12-13, and 14-15 in the flow record
>>>>>>>>>> 12-13 | input | SNMP index of input interface
>>>>>>>>>> 14-15 | output | SNMP index of output interface
>>>>>>>>>> All of the flow packets are coming through with either "1" or "2" for those values, which is causing problems with our Kentik service and an internal collector.
>>>>>>>>>>
>>>>>>>>>> It appears this has been brought up before, but there isn't a solution mentioned.
>>>>>>>>>> http://www.ntop.org/support/faq/how-do-i-set-the-input-and-output-interface-id/
>>>>>>>>>>
>>>>>>>>>> How do we get cento to correctly report the interface ID?
>>>>>>>>> In the current cento (devel) you can do
>>>>>>>>> --iface-id <in>:<out> | Set input/output interfaceId
>>>>>>>>> in exported flows
>>>>>>>>> where
>>>>>>>>> - interface indexes and (router) MAC/IP addresses
>>>>>>>>> Flag --iface-id is used to specify the SNMP interface identifiers
>>>>>>>>> for emitted flows.
>>>>>>>>> However using --if-networks it is possible to specify an interface
>>>>>>>>> identifier to which
>>>>>>>>> a MAC address or IP network is bound. The syntax of --if-networks is:
>>>>>>>>> <MAC|IP/mask>@<interfaceId> where multiple entries can be separated
>>>>>>>>> by a comma (,).
>>>>>>>>> Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
>>>>>>>>> --if-networks @<filename> where <filename> is a file path containing
>>>>>>>>> the networks
>>>>>>>>> specified using the above format.
>>>>>>>>>
>>>>>>>> It doesn't work for me. I have the same issue as Jesse - all flows from
>>>>>>>> cento are exported with if interface 1, out interface 2.
>>>>>>>>
>>>>>>>> I mirror traffic from router to the following two interfaces on cento box:
>>>>>>>>
>>>>>>>> 3: fge1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>>> link/ether 68:05:ca:34:89:c0 brd ff:ff:ff:ff:ff:ff
>>>>>>>> 5: fge2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq
>>>>>>>> state UP mode DEFAULT qlen 1000
>>>>>>>> link/ether 68:05:ca:34:89:c1 brd ff:ff:ff:ff:ff:ff
>>>>>>>>
>>>>>>>> I tried to set the interface indexes to 5 and 6 using:
>>>>>>>> --if-networks "68:05:ca:34:89:c0@5,68:05:ca:34:89:c1@6"
>>>>>>>>
>>>>>>>> However, I still see only 1 for incoming and 2 for outgoing index in
>>>>>>>> flow data:
>>>>>>>>
>>>>>>>> Flow Record:
>>>>>>>> Flags = 0x00 FLOW, Unsampled
>>>>>>>> <snip>
>>>>>>>> input = 1
>>>>>>>> output = 2
>>>>>>>>
>>>>>>>> Running cento --version
>>>>>>>> v.1.3.171116
>>>>>>>>
>>>>>>>> Any idea what I am doing wrong?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Matej
>>>>>>>>
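
A collector-side check for the two symptoms raised in this thread, given as an added example that is not part of any message above and is not ntop code: it parses a NetFlow v5 datagram, tallies the input/output SNMP indexes (record bytes 12-13 and 14-15) and lists flows whose source and destination IP are identical. The function names, the sample datagram and the expected index set {5, 6, 7} (taken from the --iface-id values proposed in the last message) are assumptions for illustration.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 layout: 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return one dict per flow record found in a NetFlow v5 datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated: header announces %d records" % count)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]),
            "dst": socket.inet_ntoa(f[1]),
            "input": f[3],   # record bytes 12-13: SNMP index of input interface
            "output": f[4],  # record bytes 14-15: SNMP index of output interface
            "proto": f[13],
        })
    return flows


def audit(flows, expected_ids):
    """Tally (input, output) pairs, list indexes outside expected_ids,
    and collect flows whose source and destination address are the same."""
    pairs = Counter((f["input"], f["output"]) for f in flows)
    seen = {idx for pair in pairs for idx in pair}
    return {
        "pairs": dict(pairs),
        "unexpected_ids": sorted(seen - set(expected_ids)),
        "same_ip": [f for f in flows if f["src"] == f["dst"]],
    }


def _record(src, dst, in_if, out_if, proto=6):
    # Constructed record: only addresses, interface indexes and protocol matter.
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                          socket.inet_aton("0.0.0.0"), in_if, out_if,
                          10, 1200, 0, 1000, 40000, 443, 0, 0x18, proto, 0,
                          0, 0, 24, 24, 0)


def sample_datagram():
    """Constructed sample (documentation addresses), not captured traffic."""
    records = [
        _record("192.0.2.10", "198.51.100.20", 1, 2),  # default 1/2 indexes
        _record("192.0.2.11", "198.51.100.21", 5, 7),  # indexes as configured
        _record("192.0.2.12", "192.0.2.12", 1, 2),     # src == dst symptom
    ]
    return V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)


if __name__ == "__main__":
    report = audit(parse_v5(sample_datagram()), expected_ids={5, 6, 7})
    print(report["pairs"], report["unexpected_ids"], len(report["same_ip"]))
```

Feeding it the payload of each UDP datagram received on the collector port shows whether a change to --iface-id or --if-networks actually reached the exported records.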