Sorry, this should have gone to the list, not direct.

Hi Paolo,

Thanks for the swift reply!!

At the moment I'm really just doing some proof of concept testing using a 7200 IOS 15.1 on a Dynamips hypervisor, but if all works according to plan I would look at putting it into production using a Cisco ASR1000.

I have nfacctd up and running and it is receiving flows from my test router. When doing a debug I can see the #95 field arrive in the NetFlow template (see debug below).

My nfacctd.conf file is below.

What I'm really not sure of is how to filter or report on the #95 (Application ID) field on incoming flows and also store it in a DB.

For example: I would like to account bidirectional traffic for subscriber IP address 192.168.0.1 where NBAR protocol ID is equal to 85 (youtube).

Your help is greatly appreciated.

Many thanks
Olaf

nfacctd.conf

[root@OpenDPI ~]# cat nfacct.conf
!
! nfacctd configuration example
!
! Did you know CONFIG-KEYS contains the detailed list of all configuration keys
! supported by 'nfacctd' and 'pmacctd' ?
!
! aggregate_filter[dummy]: src net 192.168.0.0/16
aggregate: src_host, dst_host, src_port, dst_port, proto
plugins: memory
!
plugin_buffer_size: 1024
nfacctd_port: 9996
nfacctd_time_secs: true
nfacctd_time_new: true

nfacctd debug output:

DEBUG ( default/core ): NfV9 agent : 192.168.1.230:0
DEBUG ( default/core ): NfV9 template type : flow
DEBUG ( default/core ): NfV9 template ID : 259
DEBUG ( default/core ): ----------------------------------------
DEBUG ( default/core ): | field type | offset | size |
DEBUG ( default/core ): | IPv4 src addr | 0 | 4 |
DEBUG ( default/core ): | IPv4 dst addr | 4 | 4 |
DEBUG ( default/core ): | 95 | 8 | 4 |
DEBUG ( default/core ): | input snmp | 12 | 4 |
DEBUG ( default/core ): | L4 src port | 16 | 2 |
DEBUG ( default/core ): | L4 dst port | 18 | 2 |
DEBUG ( default/core ): | tos | 20 | 1 |
DEBUG ( default/core ): | L4 protocol | 21 | 1 |
DEBUG ( default/core ): | IPv4 src mask | 22 | 1 |
DEBUG ( default/core ): | IPv4 dst mask | 23 | 1 |
DEBUG ( default/core ): | tcp flags | 24 | 1 |
DEBUG ( default/core ): | direction | 25 | 1 |
DEBUG ( default/core ): | 195 | 26 | 1 |
DEBUG ( default/core ): | in src mac | 27 | 6 |
DEBUG ( default/core ): | dst as | 33 | 2 |
DEBUG ( default/core ): | 182 | 35 | 2 |
DEBUG ( default/core ): | 183 | 37 | 2 |
DEBUG ( default/core ): | 180 | 39 | 2 |
DEBUG ( default/core ): | 181 | 41 | 2 |
DEBUG ( default/core ): | IPv4 next hop | 43 | 4 |
DEBUG ( default/core ): | 44 | 47 | 4 |
DEBUG ( default/core ): | sampler ID | 51 | 4 |
DEBUG ( default/core ): | in bytes | 55 | 4 |
DEBUG ( default/core ): | in packets | 59 | 4 |
DEBUG ( default/core ): | first switched | 63 | 4 |
DEBUG ( default/core ): | last switched | 67 | 4 |
DEBUG ( default/core ): | output snmp | 71 | 4 |
DEBUG ( default/core ): | 54 | 75 | 4 |
DEBUG ( default/core ): ----------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 79
DEBUG ( default/core ):

Cisco 7200 FNF Config

flow record nbar-monitor
 description "Netflow NBAR monitor"
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect datalink mac source address input
 collect routing destination as
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 id
 collect ipv4 source prefix
 collect ipv4 source mask
 collect ipv4 destination mask
 collect transport tcp source-port
 collect transport tcp destination-port
 collect transport tcp flags
 collect transport udp source-port
 collect transport udp destination-port
 collect interface output
 collect flow direction
 collect flow sampler
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
!
flow exporter export-to-plixer
 description "Export to Plixer Scrutiniser"
 destination 192.168.1.21 vrf IPS
 transport udp 9996
 template data timeout 60
 option interface-table
 option exporter-stats
!
!
flow monitor customer-mon
 record nbar-monitor
 exporter export-to-plixer
 cache timeout active 60
!
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
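
Added example, not part of the original message and not pmacct code: a Python decoder for a data record laid out like template 259 in the debug output above, which splits field 95 into the classification engine ID and selector ID defined by RFC 6759 and totals both directions for one subscriber. The sample records, the engine ID values 13 and 3, and all function names are assumptions made for illustration.

```python
from ipaddress import IPv4Address

RECORD_SIZE = 79  # "record size : 79" in the template 259 debug output
# name -> (offset, size), copied from that template
FIELDS = {"src": (0, 4), "dst": (4, 4), "app_id": (8, 4),
          "bytes": (55, 4), "packets": (59, 4)}

def decode_record(rec):
    """Decode one data record laid out as template 259."""
    if len(rec) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(rec)}")
    val = {n: int.from_bytes(rec[o:o + s], "big") for n, (o, s) in FIELDS.items()}
    return {"src": IPv4Address(val["src"]), "dst": IPv4Address(val["dst"]),
            # RFC 6759 applicationId: 1-byte classification engine ID,
            # then the selector ID (3 bytes in this 4-byte field)
            "engine_id": val["app_id"] >> 24,
            "selector_id": val["app_id"] & 0xFFFFFF,
            "bytes": val["bytes"], "packets": val["packets"]}

def account(records, subscriber, selector_id, engine_id=None):
    """Sum both directions for one subscriber and one application."""
    sub = IPv4Address(subscriber)
    totals = {"bytes_from": 0, "bytes_to": 0, "packets": 0}
    for rec in records:
        f = decode_record(rec)
        if f["selector_id"] != selector_id or engine_id not in (None, f["engine_id"]):
            continue
        if f["src"] == sub:
            totals["bytes_from"] += f["bytes"]
        elif f["dst"] == sub:
            totals["bytes_to"] += f["bytes"]
        else:
            continue  # flow does not involve the subscriber
        totals["packets"] += f["packets"]
    return totals

def make_record(src, dst, engine, selector, nbytes, npkts):
    """Build a constructed sample record (unused fields left as zero)."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4], rec[4:8] = IPv4Address(src).packed, IPv4Address(dst).packed
    rec[8:12] = bytes([engine]) + selector.to_bytes(3, "big")
    rec[55:59], rec[59:63] = nbytes.to_bytes(4, "big"), npkts.to_bytes(4, "big")
    return bytes(rec)

# Constructed sample data; engine IDs 13 and 3 are assumed values
SAMPLE = [make_record("192.168.0.1", "203.0.113.10", 13, 85, 1200, 10),
          make_record("203.0.113.10", "192.168.0.1", 13, 85, 90000, 70),
          make_record("192.168.0.1", "203.0.113.10", 3, 80, 500, 5),
          make_record("192.168.0.2", "203.0.113.10", 13, 85, 700, 6)]
```

Calling account(SAMPLE, "192.168.0.1", 85) totals only the first two records; passing engine_id as well avoids matching the same selector number under a different classification engine.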
