Hello, I am trying to use the NBAR "application ID" field (#95) in nfacctd aggregation but I cannot figure out how to do that. My situation is very similar to what Olaf encountered a couple of years ago (see link below) but unfortunately that thread did not reach a conclusion (at least on its public part).
https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01831.html This is the template sent by my Cisco router, the field I am interested in is "95". Is there a way to have nfacctd aggregate on primitives that are not explicitly listed under "nfacctd -a"? DEBUG ( default/core ): NfV10 agent : x.x.x.x:1792 DEBUG ( default/core ): NfV10 template type : flow DEBUG ( default/core ): NfV10 template ID : 274 DEBUG ( default/core ): ------------------------------------------------------------- DEBUG ( default/core ): | pen | field type | offset | size | DEBUG ( default/core ): | 0 | IPv4 src addr [8 ] | 0 | 4 | DEBUG ( default/core ): | 0 | IPv4 dst addr [12 ] | 4 | 4 | DEBUG ( default/core ): | 0 | tos [5 ] | 8 | 1 | DEBUG ( default/core ): | 0 | L4 protocol [4 ] | 9 | 1 | DEBUG ( default/core ): | 0 | L4 src port [7 ] | 10 | 2 | DEBUG ( default/core ): | 0 | L4 dst port [11 ] | 12 | 2 | DEBUG ( default/core ): | 0 | input snmp [10 ] | 14 | 4 | DEBUG ( default/core ): | 0 | 95 [95 ] | 18 | 4 | DEBUG ( default/core ): | 0 | direction [61 ] | 22 | 1 | DEBUG ( default/core ): | 0 | in bytes [1 ] | 23 | 4 | DEBUG ( default/core ): | 0 | in packets [2 ] | 27 | 4 | DEBUG ( default/core ): | 0 | first switched [22 ] | 31 | 4 | DEBUG ( default/core ): | 0 | last switched [21 ] | 35 | 4 | DEBUG ( default/core ): ------------------------------------------------------------- DEBUG ( default/core ): Netflow V9/IPFIX record size : 39 (...) DEBUG ( default/core ): NfV10 agent : x.x.x.x:6 DEBUG ( default/core ): NfV10 template type : options DEBUG ( default/core ): NfV10 template ID : 259 DEBUG ( default/core ): ------------------------------------------------ DEBUG ( default/core ): | field type | offset | size | DEBUG ( default/core ): | app id [95 ] | 0 | 4 | DEBUG ( default/core ): | app name [96 ] | 4 | 24 | DEBUG ( default/core ): | app desc [94 ] | 28 | 55 | DEBUG ( default/core ): ------------------------------------------------ DEBUG ( default/core ): Netflow V9/IPFIX record size : 83 Kind regards, Yann _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists