Hi,

I see. I am sorry to confirm that, yes, the feature is not there right
now. It's not a biggie but still it would require a bit of work in order
to converge. I can gladly put it on my todo list but it may take a few
weeks to get it out; or if you could perform a small fun C coding work
on your own, please get in touch by unicast email, I'd be happy to
assist.

Paolo
 
On Mon, Apr 13, 2020 at 03:59:48PM -0400, fireballiso wrote:
> Hi Paolo,
>
> Sorry, I should have said I was
> replacing the netflow *generators*, not collectors. My mistake!
>
> Yes, I posted the config that generates
> the netflow 9 flows, since I hoped to see if it was missing
> something for including the ICMP and ICMP6 types/codes.
>
> -Indy
>
> On 4/13/2020 8:59 AM, Paolo Lucente wrote:
> > Hi,
> >
> > Let me confirm that collecting the ICMP type is partially supported; the
> > native dst_port primitive is locked to UDP and TCP only - making this
> > not suitable for NetFlow v5 kind of scenarios; but if using NetFlow v9
> > and/or IPFIX you could define your own custom primitive via the
> > aggregate_primitives infrastructure, see also an example here:
> >
> > https://github.com/pmacct/pmacct/blob/1.7.4/examples/primitives.lst.example
> >
> > By the way: you speak collecting NetFlow but your config example is
> > actually about the 'nfprobe' plugin, that is, generating NetFlow out of
> > raw traffic. Is that what you are after?
> >
> > Paolo
> >
> > On Sun, Apr 12, 2020 at 04:20:08PM -0400, fireballiso wrote:
> > > Hi! I've started using pmacctd to replace old netflow collectors for my
> > > main and test networks, which run both IPv6 and IPv4. It works very
> > > well, except that I haven't yet found a way to record the ICMP and ICMP6
> > > types and codes.
> > >
> > > In other collectors, these are often stored in the destination port
> > > (otherwise unused for ICMP/ICMP6), in the format "A.B", where A is the
> > > type and B is the code. For example, "3.1" would represent ICMP type 3
> > > (Destination Unreachable), code 1 (Host Unreachable). I see lots of ICMP
> > > and ICMP6 flows, but unfortunately, the destination port is always set
> > > to "0.0", as if nothing is being recorded there.
> > >
> > > A simple config:
> > >
> > > daemonize: true
> > > !
> > > interface: net1
> > > aggregate: src_host, dst_host, src_port, dst_port, proto, tos
> > > plugins: nfprobe
> > > nfprobe_receiver: 192.168.14.2:9997
> > > nfprobe_version: 9
> > >
> > >
> > > I haven't found documentation or examples that show how to enable
> > > recording the types and codes, and no relevant primitives to add to the
> > > aggregate statement. Would someone be able to tell me how to do this?
> > >
> > > Thank you!
> > >
> > > -Indy
> > >
> > > _______________________________________________
> > > pmacct-discussion mailing list
> > > http://www.pmacct.net/#mailinglists
>
> --
>
> -Indy
> fireball...@yahoo.com
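
One way to check on the receiving side what an exporter actually sends for ICMP flows, as an added example that is not part of the original thread and not pmacct code: it parses one NetFlow v9 packet and decodes the "A.B" type/code from field 32 (ICMP_TYPE in RFC 3954), falling back to the destination port. The function names and both sample packets are constructed for illustration; ICMPv6-specific fields are not handled.

```python
import struct

# NetFlow v9 field type numbers (RFC 3954). ICMP_TYPE carries type * 256 + code.
PROTOCOL, L4_DST_PORT, ICMP_TYPE = 4, 11, 32

def icmp_type_codes(packet):
    """Return [(field_used, "type.code"), ...] for ICMP/ICMPv6 records in one v9 packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, found, off = {}, [], 20              # skip the 20-byte v9 header
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body, pos = packet[off + 4:off + fs_len], 0
        if fs_id == 0:                              # template flowset
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if pos + 4 + 4 * n > len(body):
                    raise ValueError("truncated template")
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id in templates:                    # data flowset, template known
            fields = templates[fs_id]
            rec_len = sum(length for _, length in fields)
            while rec_len and pos + rec_len <= len(body):   # trailing bytes are padding
                rec = {}
                for ftype, length in fields:
                    rec[ftype] = int.from_bytes(body[pos:pos + length], "big")
                    pos += length
                if rec.get(PROTOCOL) in (1, 58):    # ICMP, ICMPv6
                    used = "ICMP_TYPE" if ICMP_TYPE in rec else "L4_DST_PORT"
                    value = rec.get(ICMP_TYPE, rec.get(L4_DST_PORT, 0))
                    found.append((used, f"{value >> 8}.{value & 0xFF}"))
        off += fs_len
    return found

def sample_packet(with_icmp_field):
    """Constructed v9 packet: one template (id 256) and one ICMP flow record."""
    fields = [(PROTOCOL, 1), (L4_DST_PORT, 2)] + ([(ICMP_TYPE, 2)] if with_icmp_field else [])
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    rec = bytes([1]) + struct.pack("!H", 0) + (struct.pack("!H", 0x0301) if with_icmp_field else b"")
    rec += b"\x00" * (-(4 + len(rec)) % 4)          # pad data flowset to 4 bytes
    header = struct.pack("!HHIIII", 9, 2, 0, 0, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(rec)) + rec)

if __name__ == "__main__":
    print(icmp_type_codes(sample_packet(True)), icmp_type_codes(sample_packet(False)))
```

The second sample has no field 32 in its template and a zero destination port, which decodes to the "0.0" described in the original question.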
