Thanks Paolo,

The class field was showing up as "unknown" for me, but by using aggregate_primitive I was indeed able to extract the field I need (#95). Cool stuff!

Cheers,
Yann

On Wed, Dec 14, 2016 at 2:38 AM, Paolo Lucente <[email protected]> wrote:
>
> Hi Yann,
>
> You should use the 'class' aggregation primitive for that - or are you
> already doing so and it's not working? To your other question: yes, you
> can extend, within some limits, the set of natively supported primitives
> with custom ones: please look at the aggregate_primitives framework (in
> CONFIG-KEYS which, in turn, points you to an example).
>
> Cheers,
> Paolo
>
> On Mon, Dec 12, 2016 at 01:38:29PM +0100, Yann Belin wrote:
>> Hello,
>>
>> I am trying to use the NBAR "application ID" field (#95) in nfacctd
>> aggregation but I cannot figure out how to do that. My situation is
>> very similar to what Olaf encountered a couple of years ago (see link
>> below) but unfortunately that thread did not reach a conclusion (at
>> least on its public part).
>>
>> https://www.mail-archive.com/[email protected]/msg01831.html
>>
>> This is the template sent by my Cisco router, the field I am
>> interested in is "95". Is there a way to have nfacctd aggregate on
>> primitives that are not explicitly listed under "nfacctd -a"?
>>
>> DEBUG ( default/core ): NfV10 agent : x.x.x.x:1792
>> DEBUG ( default/core ): NfV10 template type : flow
>> DEBUG ( default/core ): NfV10 template ID : 274
>> DEBUG ( default/core ): -------------------------------------------------------------
>> DEBUG ( default/core ): | pen        | field type                 | offset | size   |
>> DEBUG ( default/core ): | 0          | IPv4 src addr      [8    ] |      0 |      4 |
>> DEBUG ( default/core ): | 0          | IPv4 dst addr      [12   ] |      4 |      4 |
>> DEBUG ( default/core ): | 0          | tos                [5    ] |      8 |      1 |
>> DEBUG ( default/core ): | 0          | L4 protocol        [4    ] |      9 |      1 |
>> DEBUG ( default/core ): | 0          | L4 src port        [7    ] |     10 |      2 |
>> DEBUG ( default/core ): | 0          | L4 dst port        [11   ] |     12 |      2 |
>> DEBUG ( default/core ): | 0          | input snmp         [10   ] |     14 |      4 |
>> DEBUG ( default/core ): | 0          | 95                 [95   ] |     18 |      4 |
>> DEBUG ( default/core ): | 0          | direction          [61   ] |     22 |      1 |
>> DEBUG ( default/core ): | 0          | in bytes           [1    ] |     23 |      4 |
>> DEBUG ( default/core ): | 0          | in packets         [2    ] |     27 |      4 |
>> DEBUG ( default/core ): | 0          | first switched     [22   ] |     31 |      4 |
>> DEBUG ( default/core ): | 0          | last switched      [21   ] |     35 |      4 |
>> DEBUG ( default/core ): -------------------------------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 39
>> (...)
>> DEBUG ( default/core ): NfV10 agent : x.x.x.x:6
>> DEBUG ( default/core ): NfV10 template type : options
>> DEBUG ( default/core ): NfV10 template ID : 259
>> DEBUG ( default/core ): ------------------------------------------------
>> DEBUG ( default/core ): | field type                 | offset | size   |
>> DEBUG ( default/core ): | app id             [95   ] |      0 |      4 |
>> DEBUG ( default/core ): | app name           [96   ] |      4 |     24 |
>> DEBUG ( default/core ): | app desc           [94   ] |     28 |     55 |
>> DEBUG ( default/core ): ------------------------------------------------
>> DEBUG ( default/core ): Netflow V9/IPFIX record size : 83
>>
>> Kind regards,
>>
>> Yann

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
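
The flow template quoted in the thread fixes where field 95 sits in each 39-byte record (offset 18, size 4). As an added example, not part of the thread or of pmacct's code, this Python decoder reads one record using that layout. Splitting field 95 into an engine ID and a selector ID assumes the RFC 6759 applicationId encoding, and the function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

# (field type, name, size) in wire order, copied from template 274 in the thread.
TEMPLATE_274 = [
    (8, "src_addr", 4), (12, "dst_addr", 4), (5, "tos", 1), (4, "proto", 1),
    (7, "src_port", 2), (11, "dst_port", 2), (10, "input_snmp", 4),
    (95, "app_id", 4), (61, "direction", 1), (1, "in_bytes", 4),
    (2, "in_packets", 4), (22, "first_switched", 4), (21, "last_switched", 4),
]
RECORD_SIZE = sum(size for _, _, size in TEMPLATE_274)  # matches the reported 39


def decode_record(buf: bytes) -> dict:
    """Decode one flow record laid out as in TEMPLATE_274."""
    if len(buf) < RECORD_SIZE:
        # Never read past the end of an exporter-supplied buffer.
        raise ValueError(f"short record: {len(buf)} < {RECORD_SIZE} bytes")
    out, offset = {}, 0
    for ftype, name, size in TEMPLATE_274:
        raw = buf[offset:offset + size]
        offset += size
        if ftype in (8, 12):
            out[name] = str(ipaddress.IPv4Address(raw))
        elif ftype == 95:
            # Assumed RFC 6759 layout: 1-byte classification engine ID,
            # followed by the selector ID in the remaining bytes.
            out[name] = (raw[0], int.from_bytes(raw[1:], "big"))
        else:
            out[name] = int.from_bytes(raw, "big")
    return out


def build_sample() -> bytes:
    """Constructed sample record (not captured traffic)."""
    return (
        ipaddress.IPv4Address("192.0.2.10").packed
        + ipaddress.IPv4Address("198.51.100.7").packed
        + struct.pack("!BBHHI", 0, 6, 51514, 443, 3)   # tos, proto, ports, ifindex
        + bytes([13]) + (453).to_bytes(3, "big")       # constructed engine/selector
        + struct.pack("!BIIII", 0, 1500, 3, 1000, 2000)
    )


if __name__ == "__main__":
    print(decode_record(build_sample()))
```
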
