So its my understanding that the use of pmacctd/nfacctd as an accounting
tool came later in the original design. Though I'd love to hear the story
behind that. I assume the timestamp primitives were added later to
differentiate flow records, but he didn't want to change the aggregate
config key.

So to gather netflow data for accounting purposes if you specify the
timestamp aggregates you're then forced to have unique records as opposed
to the default temporal (time-based) aggregation. I use:
aggregate: src_host, dst_host, timestamp_start, timestamp_end, src_port,
dst_port, proto, tos, tcpflags

In the Official Examples ( section
XVII talks about "Using pmacct as traffic/event logger" and the use of the
timestamp primitives.


On Mon, Dec 5, 2016 at 8:52 AM, Julian Keppel <>

> Hi,
> I don't understand the aggregate field in the configuration file. What I
> want to get out of pmacct in the first step is the "most raw" data
> possible, with no aggregations at all (for some experiments).
> In a next step, I maybe want to get some aggregates, as I use the data for
> a machine learning process and some features could be derived directly in
> pmacct... is that a common approach?
> How can I achive the first approach with raw netflow data (as "raw" as
> possilbe) where I don't want any aggregation at all? And how does the
> aggregation mechanism work? The only thing I found in the documentation
> was:
> But there are some fields missing like for example timestamp_start... so
> where is a complete list of possible fields? And how can I distinguish
> between aggregation directives and "normal" fields like timestamp? Maybe
> the configuration field "aggregate" is misleading because you don't only
> configure the aggregate fields, but also the "normal" fields to receive?
> Maybe I'm missing some piece of documentation... sorrry. And thank you in
> advance for you help.
> Julian
> _______________________________________________
> pmacct-discussion mailing list
pmacct-discussion mailing list

Reply via email to