Re: [pmacct-discussion] nfacctd and NBAR

2016-12-14 Thread Yann Belin
Thanks Paolo,

The class field was showing up as "unknown" for me, but by using
aggregate_primitive I was indeed able to extract the field I need
(#95). Cool stuff!

Cheers,

Yann

On Wed, Dec 14, 2016 at 2:38 AM, Paolo Lucente wrote:
>
> Hi Yann,
>
> You should use the 'class' aggregation primitive for that - or are you
> already doing so and it's not working? To your other question: yes, you
> can extend, within some limits, the set of natively supported primitives
> with custom ones: please look at the aggregate_primitives framework (in
> CONFIG-KEYS which, in turn, points you to an example).
>
> Cheers,
> Paolo
>
> On Mon, Dec 12, 2016 at 01:38:29PM +0100, Yann Belin wrote:
>> Hello,
>>
>> I am trying to use the NBAR "application ID" field (#95) in nfacctd
>> aggregation but I cannot figure out how to do that. My situation is
>> very similar to what Olaf encountered a couple of years ago (see link
>> below) but unfortunately that thread did not reach a conclusion (at
>> least on its public part).
>>
>> https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01831.html
>>
>> This is the template sent by my Cisco router, the field I am
>> interested in is "95". Is there a way to have nfacctd aggregate on
>> primitives that are not explicitly listed under "nfacctd -a"?
>>
>> DEBUG ( default/core ): NfV10 agent : x.x.x.x:1792
>> DEBUG ( default/core ): NfV10 template type : flow
>> DEBUG ( default/core ): NfV10 template ID   : 274
>> DEBUG ( default/core ): -------------------------------------------------
>> DEBUG ( default/core ): | pen | field type              | offset | size |
>> DEBUG ( default/core ): | 0   | IPv4 src addr   [8    ] |      0 |    4 |
>> DEBUG ( default/core ): | 0   | IPv4 dst addr   [12   ] |      4 |    4 |
>> DEBUG ( default/core ): | 0   | tos             [5    ] |      8 |    1 |
>> DEBUG ( default/core ): | 0   | L4 protocol     [4    ] |      9 |    1 |
>> DEBUG ( default/core ): | 0   | L4 src port     [7    ] |     10 |    2 |
>> DEBUG ( default/core ): | 0   | L4 dst port     [11   ] |     12 |    2 |
>> DEBUG ( default/core ): | 0   | input snmp      [10   ] |     14 |    4 |
>> DEBUG ( default/core ): | 0   | 95              [95   ] |     18 |    4 |
>> DEBUG ( default/core ): | 0   | direction       [61   ] |     22 |    1 |
>> DEBUG ( default/core ): | 0   | in bytes        [1    ] |     23 |    4 |
>> DEBUG ( default/core ): | 0   | in packets      [2    ] |     27 |    4 |
>> DEBUG ( default/core ): | 0   | first switched  [22   ] |     31 |    4 |
>> DEBUG ( default/core ): | 0   | last switched   [21   ] |     35 |    4 |
>> DEBUG ( default/core ): -------------------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 39
>> (...)
>> DEBUG ( default/core ): NfV10 agent : x.x.x.x:6
>> DEBUG ( default/core ): NfV10 template type : options
>> DEBUG ( default/core ): NfV10 template ID   : 259
>> DEBUG ( default/core ): 
>> DEBUG ( default/core ): | field type | offset |  size  |
>> DEBUG ( default/core ): | app id [95   ] |  0 |  4 |
>> DEBUG ( default/core ): | app name   [96   ] |  4 | 24 |
>> DEBUG ( default/core ): | app desc   [94   ] | 28 | 55 |
>> DEBUG ( default/core ): 
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 83
>>
>> Kind regards,
>>
>> Yann
>>
>> ___
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists


Re: [pmacct-discussion] nfacctd and NBAR

2016-12-13 Thread Paolo Lucente

Hi Yann,

You should use the 'class' aggregation primitive for that - or are you
already doing so and it's not working? To your other question: yes, you
can extend, within some limits, the set of natively supported primitives
with custom ones: please look at the aggregate_primitives framework (in
CONFIG-KEYS which, in turn, points you to an example).

Cheers,
Paolo
 
On Mon, Dec 12, 2016 at 01:38:29PM +0100, Yann Belin wrote:
> Hello,
> 
> I am trying to use the NBAR "application ID" field (#95) in nfacctd
> aggregation but I cannot figure out how to do that. My situation is
> very similar to what Olaf encountered a couple of years ago (see link
> below) but unfortunately that thread did not reach a conclusion (at
> least on its public part).
> 
> https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01831.html
> 
> This is the template sent by my Cisco router, the field I am
> interested in is "95". Is there a way to have nfacctd aggregate on
> primitives that are not explicitly listed under "nfacctd -a"?
> 
> DEBUG ( default/core ): NfV10 agent : x.x.x.x:1792
> DEBUG ( default/core ): NfV10 template type : flow
> DEBUG ( default/core ): NfV10 template ID   : 274
> DEBUG ( default/core ): -------------------------------------------------
> DEBUG ( default/core ): | pen | field type              | offset | size |
> DEBUG ( default/core ): | 0   | IPv4 src addr   [8    ] |      0 |    4 |
> DEBUG ( default/core ): | 0   | IPv4 dst addr   [12   ] |      4 |    4 |
> DEBUG ( default/core ): | 0   | tos             [5    ] |      8 |    1 |
> DEBUG ( default/core ): | 0   | L4 protocol     [4    ] |      9 |    1 |
> DEBUG ( default/core ): | 0   | L4 src port     [7    ] |     10 |    2 |
> DEBUG ( default/core ): | 0   | L4 dst port     [11   ] |     12 |    2 |
> DEBUG ( default/core ): | 0   | input snmp      [10   ] |     14 |    4 |
> DEBUG ( default/core ): | 0   | 95              [95   ] |     18 |    4 |
> DEBUG ( default/core ): | 0   | direction       [61   ] |     22 |    1 |
> DEBUG ( default/core ): | 0   | in bytes        [1    ] |     23 |    4 |
> DEBUG ( default/core ): | 0   | in packets      [2    ] |     27 |    4 |
> DEBUG ( default/core ): | 0   | first switched  [22   ] |     31 |    4 |
> DEBUG ( default/core ): | 0   | last switched   [21   ] |     35 |    4 |
> DEBUG ( default/core ): -------------------------------------------------
> DEBUG ( default/core ): Netflow V9/IPFIX record size : 39
> (...)
> DEBUG ( default/core ): NfV10 agent : x.x.x.x:6
> DEBUG ( default/core ): NfV10 template type : options
> DEBUG ( default/core ): NfV10 template ID   : 259
> DEBUG ( default/core ): 
> DEBUG ( default/core ): | field type | offset |  size  |
> DEBUG ( default/core ): | app id [95   ] |  0 |  4 |
> DEBUG ( default/core ): | app name   [96   ] |  4 | 24 |
> DEBUG ( default/core ): | app desc   [94   ] | 28 | 55 |
> DEBUG ( default/core ): 
> DEBUG ( default/core ): Netflow V9/IPFIX record size : 83
> 
> Kind regards,
> 
> Yann
> 

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
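
An added example, not part of the original thread and not pmacct code: a decoder for a data record laid out as in template 274 above, pulling field 95 from offset 18 and summing bytes per application the way a custom primitive on that field would key the aggregation. The function names, the sample records and the ID-to-name table (standing in for the options data of template 259) are constructed for illustration; the 1-byte engine ID plus 3-byte selector split assumes the RFC 6759 applicationId layout.

```python
import struct
from collections import Counter

# (name, field type, size in bytes) in wire order, copied from template 274 above.
TEMPLATE_274 = [
    ("ipv4_src", 8, 4), ("ipv4_dst", 12, 4), ("tos", 5, 1), ("l4_proto", 4, 1),
    ("src_port", 7, 2), ("dst_port", 11, 2), ("input_snmp", 10, 4),
    ("app_id", 95, 4), ("direction", 61, 1), ("in_bytes", 1, 4),
    ("in_packets", 2, 4), ("first_switched", 22, 4), ("last_switched", 21, 4),
]
RECORD_SIZE = sum(size for _, _, size in TEMPLATE_274)  # matches the reported 39

def decode_record(buf):
    """Decode one data record laid out per TEMPLATE_274 into a dict of integers."""
    if len(buf) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(buf)}")
    fields, offset = {}, 0
    for name, _field_type, size in TEMPLATE_274:
        fields[name] = int.from_bytes(buf[offset:offset + size], "big")
        offset += size
    return fields

def split_app_id(app_id):
    """4-byte applicationId per RFC 6759: 1-byte engine ID, 3-byte selector ID."""
    return app_id >> 24, app_id & 0xFFFFFF

def bytes_per_app(records, app_names):
    """Sum in_bytes per value of field 95; IDs with no options entry stay visible."""
    totals = Counter()
    for fields in map(decode_record, records):
        engine, selector = split_app_id(fields["app_id"])
        label = app_names.get(fields["app_id"], f"unknown({engine}:{selector})")
        totals[label] += fields["in_bytes"]
    return dict(totals)

def make_record(dst_port, app_id, in_bytes):
    """Build a constructed 39-byte sample record (not captured traffic)."""
    return struct.pack(">4s4sBBHHIIBIIII", bytes([192, 0, 2, 10]),
                       bytes([198, 51, 100, 20]), 0, 6, 40000, dst_port,
                       1, app_id, 0, in_bytes, 3, 1000, 2000)

# Constructed stand-in for the options data (field 95 -> field 96 in template 259).
APP_NAMES = {0x03000050: "http"}
SAMPLE_RECORDS = [make_record(80, 0x03000050, 1500),
                  make_record(80, 0x03000050, 500),
                  make_record(8443, 0x0D0001F4, 900)]

if __name__ == "__main__":
    print(bytes_per_app(SAMPLE_RECORDS, APP_NAMES))
```

Flows whose application ID has no entry in the options data are reported with their raw engine and selector values rather than dropped, so unclassified traffic still shows up in the totals.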