Hi Paolo, Thanks for the reply. I'm not doing anything too fancy, only correlating two types of fields: Interfaces and Applications.
- For applications, I'm using the same fields than Gilad in the GitHub issue, except that I'm doing the correlation in post processing. Since we are both using Cisco routers, I expect the same issues if I try a direct correlation, but I'd be happy to test it / send you a pcap in unicast. - For interfaces, I'm receiving fields #10 (input interface snmp id) and #14 (output interface snmp id) in data flows, and I'm correlating it to option field #82 (interface name short). Option table is indexed on field #10. I'm pasting below the template layouts for reference. _____________________________________________________________________________ | Field | ID | Ent.ID | Offset | Size | ----------------------------------------------------------------------------- | INTERFACE INPUT SNMP | 10 | | 0 | 4 | | interface name short | 82 | | 4 | 32 | | interface name long | 83 | | 36 | 64 | ----------------------------------------------------------------------------- _____________________________________________________________________________ | Field | ID | Ent.ID | Offset | Size | ----------------------------------------------------------------------------- | APPLICATION ID | 95 | | 0 | 4 | | application name | 96 | | 4 | 24 | | application description | 94 | | 28 | 55 | ----------------------------------------------------------------------------- _____________________________________________________________________________ | Field | ID | Ent.ID | Offset | Size | ----------------------------------------------------------------------------- (...) | application id | 95 | | 8 | 4 | | interface input snmp | 10 | | 12 | 4 | | interface output snmp | 14 | | 16 | 4 | (...) ----------------------------------------------------------------------------- Yann On Tue, Jun 6, 2017 at 9:05 PM, Paolo Lucente <pa...@pmacct.net> wrote: > > Hi Yann, > > Great point. There are a very few cases where pmacct does the magics of > correlating actual data to options on your behalf, ie. sampling rate and > application ID. So, given the current functionality, it sounds you are > doing the right thing saving both and correlating it afterwards as part > of your post-processing. It would be great to know - here or via unicast > email - what kind of correlation you are doing. > > Paolo > > > On Tue, Jun 06, 2017 at 03:28:30PM +0200, Yann Belin wrote: >> Hi, >> >> I was reading trough recent issues on GitHub, and #137 [see link >> below] got my attention. The last comment from Paolo leads me to think >> that nfacctd can be configured to (try to) automatically match flow >> data to option table(s). >> >> Is it the case, or am I misreading something? Until now, I have been >> collecting data and options separately (using nfacctd_account_options) >> and had to match it afterwards via a script; such feature could make >> my life quite easier. >> >> Ref. https://github.com/pmacct/pmacct/issues/137 >> >> Thanks, >> >> Yann >> >> _______________________________________________ >> pmacct-discussion mailing list >> http://www.pmacct.net/#mailinglists > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
