Hi Paolo Thanks for your guide. Now I have resolved the problems :) One more question is that can nfacct's memory plugin store the flow information to a file every 5minutes. Beacause there are about 500,000 flow every 5 minutes, I think the DB server can't endure this.
regards Wang Yan -----邮件原件----- 发件人: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 代表 Paolo Lucente 发送时间: 2007年1月17日 22:48 收件人: [email protected] 主题: Re: [pmacct-discussion] question about ifindex and pre_tag_map Hi Wang Yan, please read my replies in-line: On Tue, Jan 16, 2007 at 12:58:05PM +0800, wangyan wrote: > debug: true > daemonize: true > nfacctd_ip: 10.10.10.10 > nfacctd_port: 2055 > plugins: memory[test] > nfacctd_time_secs: true > pre_tag_map: /var/nfv9/cfg/pretag_map > aggregate[test]: > src_host,dst_host,src_port,dst_port,proto,tos,src_as,dst_as,tos > > /var/nfv9/cfg/pretag_map is: > id=1000 ip=a.a.a.a in=54 out=54 > I have some questions: > 1. Can I use ifindex to filter the traffic. Because I just need to analyze > the traffic throug the pos10/0 which ifindex is 54. I won't use network > prefix to judge in or out. Yes. The way to get this working is through Pre-Tagging. Traffic getting through that interface gets tagged, then a filter is applied to tags, ie.: in /var/nfv9/cfg/pretag_map: id=1000 ip=a.a.a.a in=54 id=2000 ip=a.a.a.a out=54 in nfacctd.conf add the following line: pre_tag_filter[test]: 1000,2000 > 2. I think there are something wrong with my config. The pre_tag_map > doesn't work. Whatever the ip appointed, the result is the same. I can't > display the ifindex by memory plugin either. If things get tagged properly, then you will get the tag in your memory table (and not the ifIndex directly). Tags are effectively multiplexers. However, you have to be explicit and add "tag" key to your "aggregate" directive: aggregate[test]: tag,src_host,dst_host,src_port,dst_port,proto,tos,src_as,dst_as,tos Now, supposing everything is tagged properly, everything having tag 1000 has been originated from ifIndex 54, while everything having tag 2000 has been delivered to such interface. > 3. Can pmacct statistic the topN such as ip, as, protocol like flow-tools? No. pmacct's memory table doesn't have such a feature. However it should not take too much writing down a simple script that rearranges its output into a topN fashion. BTW, things are even easier in case SQL is an option for your scenario - as your query might include an ORDER BY clause on the bytes field. Cheers, Paolo _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
