Hi Yann,

You should use the 'class' aggregation primitive for that - or are you already doing so and it's not working? To your other question: yes, you can extend, within some limits, the set of natively supported primitives with custom ones: please look at the aggregate_primitives framework (in CONFIG-KEYS which, in turn, points you to an example).

Cheers,
Paolo

On Mon, Dec 12, 2016 at 01:38:29PM +0100, Yann Belin wrote:
> Hello,
>
> I am trying to use the NBAR "application ID" field (#95) in nfacctd
> aggregation but I cannot figure out how to do that. My situation is
> very similar to what Olaf encountered a couple of years ago (see link
> below) but unfortunately that thread did not reach a conclusion (at
> least on its public part).
>
> https://www.mail-archive.com/[email protected]/msg01831.html
>
> This is the template sent by my Cisco router, the field I am
> interested in is "95". Is there a way to have nfacctd aggregate on
> primitives that are not explicitly listed under "nfacctd -a"?
>
> DEBUG ( default/core ): NfV10 agent : x.x.x.x:1792
> DEBUG ( default/core ): NfV10 template type : flow
> DEBUG ( default/core ): NfV10 template ID : 274
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): |    pen     |         field type         | offset |  size  |
> DEBUG ( default/core ): | 0          | IPv4 src addr      [8    ] |      0 |      4 |
> DEBUG ( default/core ): | 0          | IPv4 dst addr      [12   ] |      4 |      4 |
> DEBUG ( default/core ): | 0          | tos                [5    ] |      8 |      1 |
> DEBUG ( default/core ): | 0          | L4 protocol        [4    ] |      9 |      1 |
> DEBUG ( default/core ): | 0          | L4 src port        [7    ] |     10 |      2 |
> DEBUG ( default/core ): | 0          | L4 dst port        [11   ] |     12 |      2 |
> DEBUG ( default/core ): | 0          | input snmp         [10   ] |     14 |      4 |
> DEBUG ( default/core ): | 0          | 95                 [95   ] |     18 |      4 |
> DEBUG ( default/core ): | 0          | direction          [61   ] |     22 |      1 |
> DEBUG ( default/core ): | 0          | in bytes           [1    ] |     23 |      4 |
> DEBUG ( default/core ): | 0          | in packets         [2    ] |     27 |      4 |
> DEBUG ( default/core ): | 0          | first switched     [22   ] |     31 |      4 |
> DEBUG ( default/core ): | 0          | last switched      [21   ] |     35 |      4 |
> DEBUG ( default/core ): -------------------------------------------------------------
> DEBUG ( default/core ): Netflow V9/IPFIX record size : 39
> (...)
> DEBUG ( default/core ): NfV10 agent : x.x.x.x:6
> DEBUG ( default/core ): NfV10 template type : options
> DEBUG ( default/core ): NfV10 template ID : 259
> DEBUG ( default/core ): ------------------------------------------------
> DEBUG ( default/core ): |         field type         | offset |  size  |
> DEBUG ( default/core ): | app id             [95   ] |      0 |      4 |
> DEBUG ( default/core ): | app name           [96   ] |      4 |     24 |
> DEBUG ( default/core ): | app desc           [94   ] |     28 |     55 |
> DEBUG ( default/core ): ------------------------------------------------
> DEBUG ( default/core ): Netflow V9/IPFIX record size : 83
>
> Kind regards,
>
> Yann
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
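
An added illustration, not part of the thread and not pmacct code: a Python example that decodes data records laid out as in flow template 274 above and sums in-bytes per application ID (field 95), which is the aggregation being asked about. The record contents, the dictionary key names and the `make_record` helper are constructed for this example; splitting the 4-byte value into a 1-byte classification engine ID and a 3-byte selector ID follows RFC 6759.

```python
import ipaddress
import struct
from collections import Counter

# (field type, name, size) in template order, copied from template ID 274 above.
TEMPLATE_274 = [
    (8, "src_host", 4), (12, "dst_host", 4), (5, "tos", 1), (4, "proto", 1),
    (7, "src_port", 2), (11, "dst_port", 2), (10, "in_iface", 4),
    (95, "app_id", 4), (61, "direction", 1), (1, "bytes", 4),
    (2, "packets", 4), (22, "first_switched", 4), (21, "last_switched", 4),
]
RECORD_SIZE = sum(size for _, _, size in TEMPLATE_274)  # 39, as in the debug output

def decode_record(buf):
    """Decode one fixed-length data record laid out per TEMPLATE_274."""
    if len(buf) != RECORD_SIZE:
        raise ValueError(f"expected {RECORD_SIZE} bytes, got {len(buf)}")
    rec, offset = {}, 0
    for ftype, name, size in TEMPLATE_274:
        raw = buf[offset:offset + size]
        offset += size
        if ftype in (8, 12):
            rec[name] = str(ipaddress.IPv4Address(raw))
        elif ftype == 95:
            # RFC 6759: 1-byte classification engine ID + selector ID.
            rec[name] = f"{raw[0]}:{int.from_bytes(raw[1:], 'big')}"
        else:
            rec[name] = int.from_bytes(raw, "big")
    return rec

def bytes_per_app(records):
    """Aggregate the in-bytes counter on the application ID only."""
    totals = Counter()
    for rec in map(decode_record, records):
        totals[rec["app_id"]] += rec["bytes"]
    return dict(totals)

def make_record(src, dst, dport, engine, selector, nbytes):
    """Build a constructed sample record (not captured traffic)."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBHHI", 0, 6, 40000, dport, 1)
            + bytes([engine]) + selector.to_bytes(3, "big")
            + struct.pack("!BIIII", 0, nbytes, 3, 1000, 2000))

# Constructed samples: two flows with app ID 13:453, one with 3:53.
SAMPLES = [make_record("192.0.2.1", "198.51.100.7", 443, 13, 453, 1500),
           make_record("192.0.2.2", "198.51.100.7", 443, 13, 453, 500),
           make_record("192.0.2.1", "198.51.100.9", 53, 3, 53, 120)]
```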
