Hi Grimur,

You may be mixing two unrelated things, nDPI and NetFlow. nDPI applies
to actual traffic (libpcap, NFLOG); typical NetFlow exports do report
only some elements of the packet headers (further summarised in flows)
in its records so a DPI technique can't be applied to it; Cisco provides
classification of flows through NetFlow with what they call NBAR (in
other words, classification must take place on the router when sampling
packets).

Paolo

On Wed, Nov 22, 2017 at 10:43:31AM +0000, Grímur Daníelsson wrote:
> Hi
> 
> I'm trying to use nDPI with the nfacctd daemon. I've compiled and
> installed everything. I added the class attribute to the aggregate
> list, when I start the daemon it says that it is running with
> --enable-ndpi. Yet every netflow entry says that the class is
> unknown.
> 
> nfacctd.conf:
> 
> plugins: amqp
> aggregate: peer_src_ip, src_host, dst_host, src_port, dst_port,
> proto, class, tos, tcpflags, in_iface, out_iface, etype, vlan,
> flows, export_proto_version
> 
> Example netflow entry:
> 
> {
>     event_type: 'purge',
>     class: 'unknown',
>     vlan: 0,
>     etype: '800',
>     peer_ip_src: 'some-peer-ip',
>     iface_in: 12,
>     iface_out: 14,
>     ip_src: 'some-src-ip',
>     ip_dst: 'some-dst-ip',
>     port_src: 62287,
>     port_dst: 161,
>     tcp_flags: '0',
>     ip_proto: 'udp',
>     tos: 0,
>     sampling_rate: 0,
>     export_proto_version: 9,
>     stamp_inserted: '2017-11-22 10:35:00',
>     stamp_updated: '2017-11-22 10:36:01',
>     flows: 1,
>     packets: 3,
>     bytes: 292,
>     writer_id: 'default_amqp/75018'
> }
> 
> 
> Log output:
> 
> Nov 22 09:57:56 localhost nfacctd[74227]: INFO ( default/core ):
> NetFlow Accounting Daemon, nfacctd 1.7.0-git (20170924-00)
> Nov 22 09:57:56 localhost nfacctd[74227]: INFO ( default/core ):
> '--enable-rabbitmq' '--enable-jansson' '--enable-ndpi' '--enable-l2'
> '--enable-ipv6' '--enable-64bit' '--enable-threads'
> '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
> '--enable-st-bins'
> 
> 
> Any idea what might be causing the problem?
> 
> Thanks,
> 
> Grímur
> 
> 
> 
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
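
An added example, not part of the thread and not pmacct code: a minimal NetFlow v9 decoder run over a constructed packet that mirrors the flow quoted above, showing that a record holds only the header-derived fields its template lists, with no payload for a DPI engine to inspect. The field subset, the sample addresses and the helper names are assumptions; type 95 is the IANA `applicationId` element, which an exporter classifying on the router would have to send itself.

```python
import socket
import struct

# Subset of NetFlow v9 field types; 95 is applicationId in the IANA IPFIX registry.
FIELDS = {1: "bytes", 2: "packets", 4: "ip_proto", 7: "port_src", 8: "ip_src",
          10: "iface_in", 11: "port_dst", 12: "ip_dst", 14: "iface_out", 95: "application_id"}

def parse_v9(pkt):
    """Decode one NetFlow v9 packet into ({template_id: fields}, [records])."""
    if len(pkt) < 20 or struct.unpack_from("!H", pkt)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, records, off = {}, [], 20           # fixed 20-byte header
    while off + 4 <= len(pkt):
        fs_id, fs_len = struct.unpack_from("!HH", pkt, off)
        if fs_len < 4 or off + fs_len > len(pkt):
            raise ValueError("bad flowset length")
        body, pos = pkt[off + 4:off + fs_len], 0
        if fs_id == 0:                             # template flowset
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * n > len(body):
                    break                          # padding or truncated template
                templates[tid] = list(struct.iter_unpack("!HH", body[pos + 4:pos + 4 + 4 * n]))
                pos += 4 + 4 * n
        elif fs_id in templates:                   # data flowset with a known template
            size = sum(flen for _, flen in templates[fs_id])
            while size and pos + size <= len(body):
                rec = {}
                for ftype, flen in templates[fs_id]:
                    raw = body[pos:pos + flen]
                    rec[FIELDS.get(ftype, "field_%d" % ftype)] = (socket.inet_ntoa(raw)
                        if ftype in (8, 12) else int.from_bytes(raw, "big"))
                    pos += flen
                records.append(rec)
        off += fs_len
    return templates, records

def exporter_classifies(template):
    """True only if the exporter itself attached an application id (type 95)."""
    return any(ftype == 95 for ftype, _ in template)

def sample_packet():
    """Constructed packet mirroring the quoted flow (addresses are made up)."""
    tmpl = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (14, 2), (2, 4), (1, 4)]
    t_set = struct.pack("!HH", 256, len(tmpl)) + b"".join(struct.pack("!HH", *f) for f in tmpl)
    rec = (socket.inet_aton("192.0.2.1") + socket.inet_aton("198.51.100.2")
           + struct.pack("!HHBHHII", 62287, 161, 17, 12, 14, 3, 292) + b"\0" * 3)
    fs = lambda fs_id, body: struct.pack("!HH", fs_id, 4 + len(body)) + body
    return struct.pack("!HHIIII", 9, 2, 0, 0, 0, 0) + fs(0, t_set) + fs(256, rec)
```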
