Hi Maxim, aggregate_filter expects a filter in libpcap/tcpdump syntax - and that does not support ASNs. It should be returning an error.
You should be using pre_tag_map and pre_tag_filter: a pre_tag_map can contain a line like "set_tag=10 ip=0.0.0.0/0 dst_as=0"; then you can filter out those with a "pre_tag_filter[plugin]: !10" in your config. You can check out full syntax and knobs supported by pre_tag_map in examples/pretag.map.example in the distribution tarball. Cheers, Paolo On Thu, Apr 30, 2015 at 04:36:04PM +0000, Maxim Rayevskiy wrote: > Hi! > > I am trying to filter out DST_AS=0 from nfacctd aggregates. And, well, I am > failing. > I've tried all combinations of the expression on aggregate_filter and they > all seemed to be ignored. > Here's my current config: > > pidfile: /var/run/nfacctd.pid > syslog: daemon > ! > ! interested in in and outbound traffic > aggregate: > src_as,dst_as,as_path,peer_dst_ip,peer_src_ip,src_host,dst_net,dst_mask,src_port,dst_port,proto > pcap_filter: net 0.0.0.0/0 > interface: eth0 > plugins: memory[out] > aggregate_filter[out]: dst_as not 0 > > nfacctd_ip: 0.0.0.0 > nfacctd_port: 9992 > nfacctd_net: netflow > > bgp_daemon: true > bgp_daemon_ip: 192.168.142.165 > bgp_daemon_max_peers: 100 > bgp_agent_map: /etc/pmacct/agent_to_peer.map > > And here's what I am getting: > > mrayevskiy@pmacct:~$ /usr/bin/pmacct -c dst_as -M 0 -O csv > SRC_AS,DST_AS,AS_PATH,PEER_SRC_IP,PEER_DST_IP,SRC_IP,DST_IP,DST_MASK,SRC_PORT,DST_PORT,PROTOCOL,PACKETS,BYTES > 0,0,,91.233.217.254,212.188.23.218,,0.0.0.0,0,0,0,ip,4,240 > 0,0,,91.233.217.254,0.0.0.0,,0.0.0.0,0,0,0,ip,805,67465 > 0,0,,91.233.219.254,0.0.0.0,,0.0.0.0,0,0,0,ip,595,113680 > 0,0,,91.233.217.254,212.188.23.230,,0.0.0.0,0,0,0,ip,69,10393 > 0,0,,91.233.217.254,10.200.1.84,,0.0.0.0,0,0,0,ip,253222,377639873 > 0,0,,91.233.219.254,10.200.1.84,,0.0.0.0,0,0,0,ip,2370350,3555193820 > > I would appreciate some help with this problem. > > Maxim Rayevskiy > Senior Manager > ivi.ru online movies > tel.: +7 495 276-06-31 (ext. 206) > cell: +7 964 551 12 43 > e-mail: [email protected] > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
