[pmacct-discussion] nfacctd and NBAR

Mon, 12 Dec 2016 04:41:56 -0800 

Hello,

I am trying to use the NBAR "application ID" field (#95) in nfacctd
aggregation but I cannot figure out how to do that. My situation is
very similar to what Olaf encountered a couple of years ago (see link
below) but unfortunately that thread did not reach a conclusion (at
least on its public part).

https://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01831.html

This is the template sent by my Cisco router, the field I am
interested in is "95". Is there a way to have nfacctd aggregate on
primitives that are not explicitly listed under "nfacctd -a"?

DEBUG ( default/core ): NfV10 agent         : x.x.x.x:1792
DEBUG ( default/core ): NfV10 template type : flow
DEBUG ( default/core ): NfV10 template ID   : 274
DEBUG ( default/core ):
-------------------------------------------------------------
DEBUG ( default/core ): |    pen     |         field type         |
offset |  size  |
DEBUG ( default/core ): | 0          | IPv4 src addr      [8    ] |
  0 |      4 |
DEBUG ( default/core ): | 0          | IPv4 dst addr      [12   ] |
  4 |      4 |
DEBUG ( default/core ): | 0          | tos                [5    ] |
  8 |      1 |
DEBUG ( default/core ): | 0          | L4 protocol        [4    ] |
  9 |      1 |
DEBUG ( default/core ): | 0          | L4 src port        [7    ] |
 10 |      2 |
DEBUG ( default/core ): | 0          | L4 dst port        [11   ] |
 12 |      2 |
DEBUG ( default/core ): | 0          | input snmp         [10   ] |
 14 |      4 |
DEBUG ( default/core ): | 0          | 95                 [95   ] |
 18 |      4 |
DEBUG ( default/core ): | 0          | direction          [61   ] |
 22 |      1 |
DEBUG ( default/core ): | 0          | in bytes           [1    ] |
 23 |      4 |
DEBUG ( default/core ): | 0          | in packets         [2    ] |
 27 |      4 |
DEBUG ( default/core ): | 0          | first switched     [22   ] |
 31 |      4 |
DEBUG ( default/core ): | 0          | last switched      [21   ] |
 35 |      4 |
DEBUG ( default/core ):
-------------------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 39
(...)
DEBUG ( default/core ): NfV10 agent         : x.x.x.x:6
DEBUG ( default/core ): NfV10 template type : options
DEBUG ( default/core ): NfV10 template ID   : 259
DEBUG ( default/core ): ------------------------------------------------
DEBUG ( default/core ): |         field type         | offset |  size  |
DEBUG ( default/core ): | app id             [95   ] |      0 |      4 |
DEBUG ( default/core ): | app name           [96   ] |      4 |     24 |
DEBUG ( default/core ): | app desc           [94   ] |     28 |     55 |
DEBUG ( default/core ): ------------------------------------------------
DEBUG ( default/core ): Netflow V9/IPFIX record size : 83

Kind regards,

Yann

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to