Hi Joel, Thanks for your feedback, much appreciated.
Actually IE #152 and #153 are understood in the code (timestamp_start, timestamp_end primitives and sql_history). The issue is purely visual, in the context of the debug message. IE #136 is not natively supported instead. But pmacct release 1.5.0rc1 introduced custom-defined aggregation primitives: aggregate_primitives configuration directive (see CONFIG-KEYS for further info and pointer to examples). You can hence define it through such infrastructure as, for example: name=flow_end_reason field_type=136 len=1 semantics=u_int Btw, somebody recently needed such field to parse some IPFIX out of ALU devices and this definition worked just beautifully. Cheers, Paolo On Sun, Nov 10, 2013 at 06:23:38PM -0800, Joel Krauska wrote: > Howdy there. > > I've been experimenting with nfacctd and it's be a delight to setup. (very > simple config) > > A quick note: > Some of the IPFIX Field types aren't being decoded in debug... > > eg. > > DEBUG ( default/core ): NfV10 template type : flow > DEBUG ( default/core ): NfV10 template ID : 256 > DEBUG ( default/core ): > ----------------------------------------------------- > DEBUG ( default/core ): | pen | field type | offset | size > | > DEBUG ( default/core ): | 0 | IPv4 src addr | 0 | 4 > | > DEBUG ( default/core ): | 0 | IPv4 dst addr | 4 | 4 > | > DEBUG ( default/core ): | 0 | tos | 8 | 1 > | > DEBUG ( default/core ): | 0 | L4 protocol | 9 | 1 > | > DEBUG ( default/core ): | 0 | L4 src port | 10 | 2 > | > DEBUG ( default/core ): | 0 | L4 dst port | 12 | 2 > | > DEBUG ( default/core ): | 0 | icmp type | 14 | 2 > | > DEBUG ( default/core ): | 0 | input snmp | 16 | 4 > | > DEBUG ( default/core ): | 0 | IPv4 src mask | 20 | 1 > | > DEBUG ( default/core ): | 0 | IPv4 dst mask | 21 | 1 > | > DEBUG ( default/core ): | 0 | src as | 22 | 4 > | > DEBUG ( default/core ): | 0 | dst as | 26 | 4 > | > DEBUG ( default/core ): | 0 | IPv4 next hop | 30 | 4 > | > DEBUG ( default/core ): | 0 | tcp flags | 34 | 1 > | > DEBUG ( default/core ): | 0 | output snmp | 35 | 4 > | > DEBUG ( default/core ): | 0 | in bytes | 39 | 8 > | > DEBUG ( default/core ): | 0 | in packets | 47 | 8 > | > DEBUG ( default/core ): | 0 | 152 | 55 | 8 > | > DEBUG ( default/core ): | 0 | 153 | 63 | 8 > | > DEBUG ( default/core ): | 0 | 136 | 71 | 1 > | > DEBUG ( default/core ): > ----------------------------------------------------- > > > Field types 152,152 and 136 appear to be documented in RFC 5102. > http://www.ietf.org/rfc/rfc5102.txt > > 152 = flowStartMilliseconds > 153 = flowStartMilliseconds > 136 = flowEndReason > > > > But they do not appear to be as-yet 'understood' by pmacct. > > Not sure if this is useful, but thought you might like to know. > > Cheers, > > Joel > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
