Hi,

I need some help understanding how to export custom-defined primitives in
NetFlow v9 messages, if that is possible, as I want to define custom fields,
send them out to a NetFlow collector and visualize them with graphs (if the
collector supports custom templates).

As a first step, I am trying to use the custom aggregate primitive used in
examples/primitives.lst.example:

"Defines a primitive called 'udp_len': base pointer is set to the UDP header
(l4:17) plus 4 bytes offset, reads for 2 byte and will present it as unsigned
int.

name=udp_len    packet_ptr=l4:17+4      len=2   semantics=u_int"

I used it to classify flows after defining "udp_len" as mentioned above.
My conf file for pmacctd is:

"
daemonize:false
interface: wlp1s0
aggregate_primitives: primitives.lst
aggregate: etype, proto, src_host, dst_host, src_port, dst_port, udp_len
plugins: nfprobe, print
nfprobe_receiver: 172.24.1.123:9996
nfprobe_version: 9
"
My primitives.lst file defines the custom primitive as follows:

"name=udp_len    packet_ptr=l4:17+4      len=2   semantics=u_int"

When I run pmacctd with "sudo pmacctd -f pmacct.conf", I'm able to see the
flows with the udp_len column displayed in the console by the print plugin.

Output of
"sudo pmacctd -f pmacct.conf":

INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd
1.7.2-git (20180701-01)
INFO ( default/core ):  '--enable-l2' '--enable-ipv6' '--enable-64bit'
'--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins'
'--enable-st-bins'
INFO ( default/core ): Reading configuration file
'/home/certes-rajesh/pmacct/pmacct/pmacct.conf'.
INFO ( default/core ): [primitives.lst] (re)loading map.
INFO ( default/core ): [primitives.lst] map successfully (re)loaded.
INFO ( default_nfprobe/nfprobe ): NetFlow probe plugin is originally based
on softflowd 0.9.7 software, Copyright 2002 Damien Miller <d...@mindrot.org>
All rights reserved.
INFO ( default_nfprobe/nfprobe ):           TCP timeout: 3600s
INFO ( default_nfprobe/nfprobe ):  TCP post-RST timeout: 120s
INFO ( default_nfprobe/nfprobe ):  TCP post-FIN timeout: 300s
INFO ( default_nfprobe/nfprobe ):           UDP timeout: 300s
INFO ( default_nfprobe/nfprobe ):          ICMP timeout: 300s
INFO ( default_nfprobe/nfprobe ):       General timeout: 3600s
INFO ( default_nfprobe/nfprobe ):      Maximum lifetime: 604800s
INFO ( default_nfprobe/nfprobe ):       Expiry interval: 60s
INFO ( default_nfprobe/nfprobe ): Exporting flows to [192.168.122.1]:9996
ERROR ( default_nfprobe/nfprobe ): custom primitive 'udp_len' has null
field_type
INFO ( default_print/print ): cache entries=16411 base cache
memory=54878384 bytes
WARN ( default_print/print ): no print_output_file and no
print_output_lock_file defined.
INFO ( default/core ): [wlp1s0,0] link type is: 1
WARN ( default/core ): connection lost to 'default_nfprobe-nfprobe';
closing connection.
INFO ( default_print/print ): *** Purging cache - START (PID: 2837) ***
ETYPE  SRC_IP                                 DST_IP    SRC_PORT  DST_PORT  PROTOCOL  udp_len  PACKETS  BYTES
86dd   fd50:1d9:a341:f100:8ae:86f3:123d:3654  ff02::fb  5353      5353      udp       41       3        243
.......

When I try to give a dummy field type, it throws:
"WARN ( default/core ): [primitives.lst] field_type is only supported in
nfacctd."

I need help in figuring out whether I'm doing the right thing for exporting
custom fields as part of NetFlow messages, as I will need to send out more
custom fields that are read from the packet.
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
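The post turns on what "field_type" means for a custom primitive: in NetFlow v9 (RFC 3954) every value in a data record is described by a 16-bit field type and a length in a template record, and a collector can only decode a field whose type it knows. The following is an added illustration of that wire format, not pmacct's code and not an answer to the nfprobe error above. It encodes a template carrying a custom field, decodes it the way a collector would, and shows the failure mode the poster's "if the collector supports custom templates" caveat refers to: a data flowset whose template was never received is dropped. The field type 40000 for udp_len is an assumed private value, the template id 256 is the lowest valid data template id, and the sample flow is constructed (an IPv4 stand-in for the mDNS flow in the print output).

```python
"""NetFlow v9 template/data encode and decode with one custom field type.

Added example, not pmacct code. Field type 40000 for 'udp_len' is an
assumed private value; the sample flow below is constructed.
"""
import ipaddress
import struct

V9_VERSION = 9
TEMPLATE_FLOWSET_ID = 0
HEADER_FMT = "!HHIIII"  # version, count, sysUptime, unixSecs, seqNum, sourceId

# Standard NetFlow v9 field types (RFC 3954, section 8).
IN_BYTES, IN_PKTS, PROTOCOL = 1, 2, 4
L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 7, 8, 11, 12
UDP_LEN = 40000  # assumed private field type for the custom 'udp_len' primitive
IPV4_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR}

# A template is an ordered list of (field_type, length) pairs: this is what the
# collector receives and is the only thing that gives a value a name and a size.
UDP_TEMPLATE_ID = 256
UDP_TEMPLATE = [
    (IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
    (PROTOCOL, 1), (UDP_LEN, 2), (IN_PKTS, 4), (IN_BYTES, 4),
]


def _encode_value(field_type, length, value):
    if field_type in IPV4_FIELDS:
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")


def _decode_value(field_type, raw):
    if field_type in IPV4_FIELDS:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def build_template_flowset(template_id, template):
    body = struct.pack("!HH", template_id, len(template))
    body += b"".join(struct.pack("!HH", t, l) for t, l in template)
    return struct.pack("!HH", TEMPLATE_FLOWSET_ID, 4 + len(body)) + body


def build_data_flowset(template_id, template, records):
    body = b"".join(_encode_value(t, l, rec[t]) for rec in records for t, l in template)
    pad = (-(4 + len(body))) % 4  # flowsets are padded to a 4-byte boundary
    return struct.pack("!HH", template_id, 4 + len(body) + pad) + body + b"\x00" * pad


def build_packet(flowsets, record_count, uptime_ms=0, unix_secs=0, seq=0, source_id=0):
    header = struct.pack(HEADER_FMT, V9_VERSION, record_count, uptime_ms, unix_secs, seq, source_id)
    return header + b"".join(flowsets)


def parse_v9(data, templates=None):
    """Decode one export packet; returns (records, skipped_template_ids).

    'templates' is the per-exporter state a real collector keeps across packets.
    A data flowset whose template id is unknown cannot be decoded and is skipped.
    """
    templates = {} if templates is None else templates
    version = struct.unpack(HEADER_FMT, data[:20])[0]
    if version != V9_VERSION:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, skipped, off = [], [], 20
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed flowset length")  # avoids looping forever
        body = data[off + 4:off + fs_len]
        if fs_id == TEMPLATE_FLOWSET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid < 256:  # trailing padding, not a template record
                    break
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:
            template = templates.get(fs_id)
            rec_len = sum(l for _, l in template) if template else 0
            if not template or rec_len == 0:
                skipped.append(fs_id)
            else:
                pos = 0
                while pos + rec_len <= len(body):
                    rec, p = {}, pos
                    for t, l in template:
                        rec[t] = _decode_value(t, body[p:p + l])
                        p += l
                    records.append(rec)
                    pos += rec_len
        off += fs_len
    return records, skipped


# Constructed sample flow: IPv4 stand-in for the mDNS flow in the post.
SAMPLE_FLOW = {IPV4_SRC_ADDR: "10.0.0.5", IPV4_DST_ADDR: "224.0.0.251",
               L4_SRC_PORT: 5353, L4_DST_PORT: 5353, PROTOCOL: 17,
               UDP_LEN: 41, IN_PKTS: 3, IN_BYTES: 243}


def export_with_template():
    """Template and data in one packet: the collector decodes udp_len."""
    pkt = build_packet([build_template_flowset(UDP_TEMPLATE_ID, UDP_TEMPLATE),
                        build_data_flowset(UDP_TEMPLATE_ID, UDP_TEMPLATE, [SAMPLE_FLOW])], 2)
    return parse_v9(pkt)


def export_without_template():
    """Data only, template never sent: the collector must drop the flowset."""
    pkt = build_packet([build_data_flowset(UDP_TEMPLATE_ID, UDP_TEMPLATE, [SAMPLE_FLOW])], 1)
    return parse_v9(pkt)


if __name__ == "__main__":
    print(export_with_template())
    print(export_without_template())
```

The practical check for anyone wiring a custom field into an exporter is the second function: if the template carrying the private field type is not sent (or the collector does not keep it), the data arrives but is silently discarded, so verify on the collector side that the template id and the private field type are both known before expecting graphs.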