Hi Zenon, On Mon, Feb 08, 2010 at 10:37:54AM +0200, Zenon Mousmoulas wrote:
> I have a netflow v9 feed to nfacctd from a juniper router (JUNOS > 9.6R2.11), using a service pic. According to a packet capture, records > include ingress and egress interface and they seem to be properly > defined in the corresponding template. I've tried to use the snmp > ifindex numbers in pre_tag_map keys, but they never match. Matching in > pre_tag_map with other keys seems to work fine. Any ideas how to debug? You can start by checking (ie. with Wireshark) whether the input/output interface fields are part of the NetFlow v9 template other than the records. If it's in there, then i'd like to give it a look myself: i would ask you to produce a trace and send it to me privately so that i can have a look. We can then summarize findings here. > I also noticed that proto and ToS are not available as pre_tag_map keys. > Any particular reason for that? DSCP matching would be handy in my case. For this task you can use a 'filter' keyword within the pre_tag_map, which accepts a filter in libpcap syntax. Give it a try and let me know. > On a somewhat different note: the particular juniper can also export > ipv6 flows, using a different template. I've noticed it includes an > IP_PROTOCOL_VERSION (60) field in this template. > If we send the ipv6 feed to the same instance of nfacctd which receives > the ipv4 feed, how can we tell apart ipv6 from ipv4 traffic if we're > doing AS aggregation? It would be handy to have an ip_proto aggregation > primitive, or at least to be able to match by 'IPVersion' in a > pre_tag_map. Sure. Once again you have to resort to a filter in libpcap format, this time the 'aggregate_filter'. You can configure it as follows: aggregate_filter[ip_traffic]: ip aggregate_filter[ip6_traffic]: ip6 Cheers, Paolo _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
