Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD

2011-09-18 Thread Paolo Lucente
Hi Olaf,

On Sat, Sep 17, 2011 at 11:05:02AM +1000, Olaf de Bree wrote:

> I have nfacctd up and running and it is receiving flows from my test
> router.
>
> When doing a debug I can see the #95 field arrive in the NetFlow template (see
> debug below)
>
> [ ... ]
>
> What I'm really not sure of is how to filter or report on the #95 (Application
> ID) field on incoming flows and also store it in a DB

Great, it all looks good so far. I suggest modifying the following aggregation
method:

aggregate: src_host, dst_host, src_port, dst_port, proto

into:

aggregate: sum_host, class

To start with and verify whether it works. Then you will probably reckon some
non-local IP addresses popping up in your accounting (i.e. youtube server): my
guess is you might not be interested in these and hence you might want to
filter in only local networks. Two strategies to accomplish this (read docs
for further information) are: aggregate_filter or networks_file.

Let me know how it goes.

Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists


Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD

2011-09-18 Thread Olaf de Bree
Thanks for your help Paolo,

Using your suggested config I'm beginning to get output that would work for
me (see below).

I am, however, not seeing the NBAR application ID being populated in the class
field. I have double-checked the incoming NetFlow data with Wireshark to
make sure that the application ID is actually being exported, and it all
looks OK.

Is there some extra configuration I need to perform to achieve this?

Many thanks

Olaf

# pmacct -s
CLASS SRC_IP   PACKETS   BYTES
unknown   10.1.0.204 303
unknown   10.1.0.7 2 473
unknown   0.0.0.0  52140 36474168
unknown   10.1.0.3 40341 35254306
unknown   10.1.0.233 234
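
The check described in the thread (confirming that the exporter's NetFlow v9 template really carries field #95) can also be scripted. The following is an added example, not code from the thread or from pmacct: it parses the template FlowSets of one v9 export packet per the RFC 3954 layout and reports which templates include field 95. The function names and the sample packet are constructed for illustration.

```python
import struct

APPLICATION_ID = 95  # NetFlow v9 field type discussed in the thread

def v9_templates(packet):
    """Map template_id -> [(field_type, field_length), ...] for one v9 export packet."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    templates, off = {}, 20                      # the v9 header is 20 bytes
    while off + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, off)
        if length < 4 or off + length > len(packet):
            raise ValueError("bad FlowSet length")
        pos, end = off + 4, off + length
        while flowset_id == 0 and pos + 4 <= end:   # FlowSet ID 0 = templates
            tid, count = struct.unpack_from("!HH", packet, pos)
            if tid < 256:                        # padding; template IDs start at 256
                break
            pos += 4
            if pos + 4 * count > end:
                raise ValueError("truncated template record")
            templates[tid] = [struct.unpack_from("!HH", packet, pos + 4 * i)
                              for i in range(count)]
            pos += 4 * count
        off += length
    return templates

def app_id_templates(packet):
    """Return {template_id: field_length} for templates that carry field 95."""
    return {tid: flen for tid, fields in v9_templates(packet).items()
            for ftype, flen in fields if ftype == APPLICATION_ID}

def _template(tid, fields):
    # Helper (hypothetical) that serialises one template record.
    return struct.pack("!HH", tid, len(fields)) + b"".join(
        struct.pack("!HH", t, l) for t, l in fields)

def sample_packet():
    """Constructed export packet: template 256 has field 95, template 257 does not."""
    common = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    body = _template(256, common + [(95, 4)]) + _template(257, common)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return struct.pack("!HHIIII", 9, 2, 1000, 1316304000, 1, 0) + flowset

if __name__ == "__main__":
    print(app_id_templates(sample_packet()))
```

Feed it the UDP payload of a captured export packet; an empty result means no template in that packet advertises field 95.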