Hi,

About your NetFlow doubts, you should really review how NetFlow works - plenty of doc is available online. You will see that, compared to sFlow, NetFlow caches flows. Not sure about the time point you make, I do not see any timestamp-related primitive (i.e. timestamp_start, timestamp_end) mentioned as part of your 'aggregate' line.

Paolo

On Sat, Aug 11, 2018 at 12:15:10AM +0530, RAJESH KUMAR S.R wrote:
> Hi,
>
> I'm new to pmacct.
> I need a few clarifications regarding this tool
>
> I have a doubt regarding using a pcap file as input to pmacct
> I'm trying to give a pcap file as input that gets updated continuously.
>
> "sudo pmacctd -D -P print -r 30 -I temp.pcap -c etype,src_host,dst_host"
>
>
> The pmacctd tool exits after displaying a list of flows.
> $ sudo pmacctd -P print -r 30 -I temp.pcap -c etype,src_host,dst_host
> .......
> 800 172.24.1.186
> 224.0.0.251 1 69
> INFO ( default_print/print ): *** Purging cache - END (PID: 12988, QN:
> 272/272, ET: 0) ***
> INFO ( default/core ): OK, Exiting ...
>
> But, the file is updated continuously. Is there any configuration to read
> from the file continuously?
> Also, is it possible to provide pcap input in .conf file, I used "
> pcap_interface: file_path" , but it is not working.
>
>
> Another doubt is regarding Netflow export,
> I used pmacctd with following configuration
>
> "
> daemonize:false
> pcap_interface:eth0
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos, class
> plugins: nfprobe, print
> nfprobe_receiver: 127.0.0.1:2100
> nfprobe_version: 9
> "
> and nfacctd with this configuration.
> "
> daemonize: false
> nfacctd_ip: 127.0.0.1
> nfacctd_port: 2100
> plugins: memory[display], print
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos
> "
>
> nfacctd is displaying the data but most of the time exact match is not
> there between the printed data I'm seeing in pmacctd and nfacctd.
> Also, the nfacctd doesn't start collecting immediately, it takes some time
> for getting printed output in nfacctd side whereas pmacctd continuously
> prints aggregated data.
>
> I'm not sure where I'm going wrong.
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
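
The flow caching mentioned in the reply above, as an added sketch that is not part of the original thread and is not pmacct code: a minimal NetFlow-style cache in which a record is exported only when its flow goes idle or exceeds a maximum lifetime, so the collector sees data later and in different chunks than a per-packet view on the exporter. The 15 s and 60 s timeouts, the class and function names, and the traffic are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed timeouts in seconds (assumptions, not pmacct defaults).
INACTIVE_TIMEOUT, ACTIVE_TIMEOUT = 15, 60

@dataclass
class Flow:
    first: float
    last: float
    packets: int = 0
    octets: int = 0

class FlowCache:
    """Hypothetical NetFlow-style cache: records leave only when a flow expires."""
    def __init__(self, inactive=INACTIVE_TIMEOUT, active=ACTIVE_TIMEOUT):
        self.inactive, self.active, self.flows = inactive, active, {}

    def packet(self, ts, key, size):
        # Every packet only updates counters in the cache; nothing is exported here.
        f = self.flows.setdefault(key, Flow(first=ts, last=ts))
        f.last, f.packets, f.octets = ts, f.packets + 1, f.octets + size

    def expire(self, now):
        """Pop and return (key, flow, reason) for idle or long-lived entries."""
        out = []
        for key, f in list(self.flows.items()):
            idle, old = now - f.last >= self.inactive, now - f.first >= self.active
            if idle or old:
                out.append((key, self.flows.pop(key), "inactive" if idle else "active"))
        return out

def simulate(packets, end, tick=5):
    """Replay (ts, key, size) packets; check expiry every `tick` seconds."""
    cache, events, queue = FlowCache(), [], sorted(packets)
    for now in range(0, end + 1, tick):
        while queue and queue[0][0] <= now:
            cache.packet(*queue.pop(0))
        for key, f, reason in cache.expire(now):
            events.append((now, key, f.packets, f.octets, reason))
    return events

# Constructed traffic: a two-packet DNS exchange and a longer SSH session.
DNS = ("10.0.0.1", "10.0.0.53", 40000, 53, "udp")
SSH = ("10.0.0.1", "10.0.0.2", 40001, 22, "tcp")
PACKETS = [(0, DNS, 69), (1, DNS, 85)] + [(t, SSH, 100) for t in range(0, 90, 10)]

if __name__ == "__main__":
    for event in simulate(PACKETS, end=120):
        print(event)  # (export time, flow key, packets, octets, expiry reason)
```

With this constructed input the DNS flow, finished at t=1, is not exported until t=20, and the single SSH session reaches the collector as two separate records.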