Thanks Paolo,

The class field was showing up as "unknown" for me, but by using
aggregate_primitive I was indeed able to extract the field I need
(#95). Cool stuff!

Cheers,

Yann

On Wed, Dec 14, 2016 at 2:38 AM, Paolo Lucente <pa...@pmacct.net> wrote:
>
> Hi Yann,
>
> You should use the 'class' aggregation primitive for that - or are you
> already doing so ant it's not working? To your other question: yes, you
> can extend, within some limits, the set of natively supported primitives
> with custom ones: please look at the aggregate_primitives framework (in
> CONFIG-KEYS which, in turn, points you to an example).
>
> Cheers,
> Paolo
>
> On Mon, Dec 12, 2016 at 01:38:29PM +0100, Yann Belin wrote:
>> Hello,
>>
>> I am trying to use the NBAR "application ID" field (#95) in nfacctd
>> aggregation but I cannot figure out how to do that. My situation is
>> very similar to what Olaf encountered a couple of years ago (see link
>> below) but unfortunately that thread did not reach a conclusion (at
>> least on its public part).
>>
>> https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01831.html
>>
>> This is the template sent by my Cisco router, the field I am
>> interested in is "95". Is there a way to have nfacctd aggregate on
>> primitives that are not explicitly listed under "nfacctd -a"?
>>
>> DEBUG ( default/core ): NfV10 agent         : x.x.x.x:1792
>> DEBUG ( default/core ): NfV10 template type : flow
>> DEBUG ( default/core ): NfV10 template ID   : 274
>> DEBUG ( default/core ):
>> -------------------------------------------------------------
>> DEBUG ( default/core ): |    pen     |         field type         |
>> offset |  size  |
>> DEBUG ( default/core ): | 0          | IPv4 src addr      [8    ] |
>>   0 |      4 |
>> DEBUG ( default/core ): | 0          | IPv4 dst addr      [12   ] |
>>   4 |      4 |
>> DEBUG ( default/core ): | 0          | tos                [5    ] |
>>   8 |      1 |
>> DEBUG ( default/core ): | 0          | L4 protocol        [4    ] |
>>   9 |      1 |
>> DEBUG ( default/core ): | 0          | L4 src port        [7    ] |
>>  10 |      2 |
>> DEBUG ( default/core ): | 0          | L4 dst port        [11   ] |
>>  12 |      2 |
>> DEBUG ( default/core ): | 0          | input snmp         [10   ] |
>>  14 |      4 |
>> DEBUG ( default/core ): | 0          | 95                 [95   ] |
>>  18 |      4 |
>> DEBUG ( default/core ): | 0          | direction          [61   ] |
>>  22 |      1 |
>> DEBUG ( default/core ): | 0          | in bytes           [1    ] |
>>  23 |      4 |
>> DEBUG ( default/core ): | 0          | in packets         [2    ] |
>>  27 |      4 |
>> DEBUG ( default/core ): | 0          | first switched     [22   ] |
>>  31 |      4 |
>> DEBUG ( default/core ): | 0          | last switched      [21   ] |
>>  35 |      4 |
>> DEBUG ( default/core ):
>> -------------------------------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 39
>> (...)
>> DEBUG ( default/core ): NfV10 agent         : x.x.x.x:6
>> DEBUG ( default/core ): NfV10 template type : options
>> DEBUG ( default/core ): NfV10 template ID   : 259
>> DEBUG ( default/core ): ------------------------------------------------
>> DEBUG ( default/core ): |         field type         | offset |  size  |
>> DEBUG ( default/core ): | app id             [95   ] |      0 |      4 |
>> DEBUG ( default/core ): | app name           [96   ] |      4 |     24 |
>> DEBUG ( default/core ): | app desc           [94   ] |     28 |     55 |
>> DEBUG ( default/core ): ------------------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 83
>>
>> Kind regards,
>>
>> Yann
>>
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to