Hi Paolo,
On 08 Φεβ 2010, at 12:28 ΜΜ, Paolo Lucente wrote:
On Mon, Feb 08, 2010 at 10:37:54AM +0200, Zenon Mousmoulas wrote:
I have a netflow v9 feed to nfacctd from a juniper router (JUNOS
9.6R2.11), using a service pic. According to a packet capture,
records
include ingress and egress interface and they seem to be properly
defined in the corresponding template. I've tried to use the snmp
ifindex numbers in pre_tag_map keys, but they never match. Matching
in
pre_tag_map with other keys seems to work fine. Any ideas how to
debug?
You can start by checking (ie. with Wireshark) whether the input/
output
interface fields are part of the NetFlow v9 template other than the
I have. They are...
records. If it's in there, then i'd like to give it a look myself: i
would ask you to produce a trace and send it to me privately so that
i can have a look. We can then summarize findings here.
OK. I will send you the capture privately.
I also noticed that proto and ToS are not available as pre_tag_map
keys.
Any particular reason for that? DSCP matching would be handy in my
case.
For this task you can use a 'filter' keyword within the pre_tag_map,
which accepts a filter in libpcap syntax. Give it a try and let me
know.
OK, thanks, I will look into it. I had overlooked this, thinking that
'filter' only applied to pmacctd and not {nf,s}acctd.
On a somewhat different note: the particular juniper can also export
ipv6 flows, using a different template. I've noticed it includes an
IP_PROTOCOL_VERSION (60) field in this template.
If we send the ipv6 feed to the same instance of nfacctd which
receives
the ipv4 feed, how can we tell apart ipv6 from ipv4 traffic if we're
doing AS aggregation? It would be handy to have an ip_proto
aggregation
primitive, or at least to be able to match by 'IPVersion' in a
pre_tag_map.
Sure. Once again you have to resort to a filter in libpcap format,
this time the 'aggregate_filter'. You can configure it as follows:
aggregate_filter[ip_traffic]: ip
aggregate_filter[ip6_traffic]: ip6
Alright. I was thinking towards a single plugin handling both, but I
guess that should also work. Thanks.
Cheers,
Z.
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
