Hi Jose, I think you have two ways to achieve it:
1) single plugin: only account on the most specifics, then do some maths (summing) yourself in the post processing to get counters for the least specific. 2) two plugins: one accounts on the least specifics, the other on the most specifics. The two plugins can write to different (recommended) or same tables. If you have to supply both least and most specifics, you can supply each plugin with it's own file: plugins: mysql[least], mysql[most] ! ! .. ! nfacctd_net: file networks_file[least]: /path/to/least_specifics.txt networks_file[most]: /path/to/most_specifics.txt If instead, say, the least specifics come from NetFlow (hence routing table) and the most specific from a table you want to supply: plugins: mysql[least], mysql[most] ! ! .. ! nfacctd_net: fallback networks_file[most]: /path/to/most_specifics.txt Hope this is enough to start. Btw, wrt the issue of 0.0.0.0 IP addresses, i wonder if network masks are correctly set in your NetFlow export. That behaviour suggests that that is not the case, and masks may be set to zero (see above how you can switch to/integrate networks supplied with a file). You can do some initial troubleshooting in this sense by: setting the 'aggregate' to 'src_host, src_net, src_mask, proto' and chec values for src_host/src_mask are compatible with what you see in src_net. Cheers, Paolo On Fri, Apr 10, 2015 at 10:49:21AM -0600, José Alonso wrote: > Hi all, > > Just started using pmacct (1.5.0) on a ubuntu 14.04 machine. And we have a > few questions about how to aggregate flows using a subnet prefix and at the > same time aggregate flows by most specific prefixes. For example, here we > have the configuration that currently we have: > > debug: true > daemonize: true > plugin_pipe_size: 10240000 > plugin_buffer_size: 10240 > > nfacctd_port: 5678 > nfacctd_time_new: true > > networks_file: /path/to/networks.lst > > sql_db: pmacct > sql_table_version: 9 > sql_passwd: arealsmartpwd > sql_user: pmacct > sql_refresh_time: 60 > sql_history: 1m > > plugins: mysql[192_168_1_0] > > aggregate[192_168_1_0]: src_net, proto > aggregate_filter[192_168_1_0]: src net 192.168.1.0/24 > sql_table[192_168_1_0]: aggregated_network_src_flows > > networks.lst: > 192.168.1.0/24 > > What we want is to aggregate traffic from the subnet 192.168.1.0/24 but at > the same time I would like to know how can I aggregate traffic from a more > specific prefix like 192.168.1.0/25, what's your recommendation ? > > Also, at this moment, using this configuration, all the accounting is being > written to the DB as 0.0.0.0, like this: > > stamp_updated: 2015-04-10 10:46:01 > *************************** 458. row *************************** > tag: 0 > class_id: unknown > mac_src: 0:0:0:0:0:0 > mac_dst: 0:0:0:0:0:0 > vlan: 0 > as_src: 0 > as_dst: 0 > ip_src: 0.0.0.0 > ip_dst: 0.0.0.0 > port_src: 0 > port_dst: 0 > tcp_flags: 0 > ip_proto: ipv6-a > tos: 0 > packets: 1706 > bytes: 2067340 > flows: 0 > stamp_inserted: 2015-04-10 10:45:00 > stamp_updated: 2015-04-10 10:46:01 > > Do you have a clue of what could be causing this ? Let us know if you need > more information. > > Thanks, > > > > > > > -- > [image: image.png] <http://www.transtelco.net/> | Jose A. Hernandez | R&D > Manager | MX: +52 (656) 257-1189 | US: +1 (915) 534-8116 > > CONFIDENTIALITY NOTICE: This communication is intended only for the use of > the individual or entity to which it is addressed and may contain > information that is privileged, confidential, and exempt from disclosure > under applicable law. If you are not the intended recipient of this > information, you are notified that any use, dissemination, distribution, or > copying of the communication is strictly prohibited. > > AVISO DE CONFIDENCIALIDAD: Esta comunicación es sólo para el uso de la > persona o entidad a la que se dirige y puede contener información > privilegiada, confidencial y exenta de divulgación bajo la legislación > aplicable. Si no es el destinatario de esta información, se le notifica que > cualquier uso, difusión, distribución o copia de la comunicación está > estrictamente prohibido > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
