Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD
Hi Olaf,

On Mon, Sep 19, 2011 at 03:38:28PM +1000, Olaf de Bree wrote:
> I am however not seeing the NBAR application ID being populated in the
> class field. I have double checked the incoming NetFlow data with
> Wireshark to make sure that the application ID is actually being exported
> and it all looks OK. Is there some extra configuration I need to perform
> to achieve this?

No, should have been working with that bit of configuration right away. Can you please send me privately a trace in tcpdump format of these NetFlow packets so that I can have a look myself and reproduce in a lab environment? I suggest we get to the bottom of this and then summarize on the list.

Thanks,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD
Hi Olaf,

On Sat, Sep 17, 2011 at 11:05:02AM +1000, Olaf de Bree wrote:
> I have nfacctd up and running and it is receiving flows from my test
> router. When doing a debug I can see the #95 field arrive in the NetFlow
> template (see debug below)
>
> [ ... ]
>
> What I'm really not sure of is how to filter or report on the #95
> (Application ID) field on incoming flows and also store in a DB

Great, it all looks good so far. I suggest to modify the following aggregation method:

aggregate: src_host, dst_host, src_port, dst_port, proto

into:

aggregate: sum_host, class

to start with, and verify whether it works. Then you will probably reckon some non-local IP addresses popping up in your accounting (i.e. youtube server): my guess is you might not be interested in these and hence you might want to filter in only local networks. Two strategies to accomplish this (read docs for further information) are: aggregate_filter or networks_file.

Let me know how it goes.

Cheers,
Paolo
Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD
Thanks for your help Paolo,

Using your suggested config I'm beginning to get output that would work for me (see below).

I am however not seeing the NBAR application ID being populated in the class field. I have double checked the incoming NetFlow data with Wireshark to make sure that the application ID is actually being exported and it all looks OK. Is there some extra configuration I need to perform to achieve this?

Many thanks
Olaf

# pmacct -s
CLASS SRC_IP PACKETS BYTES
unknown 10.1.0.204 303
unknown 10.1.0.7 2 473
unknown 0.0.0.0 52140 36474168
unknown 10.1.0.3 40341 35254306
unknown 10.1.0.233 234
Re: [pmacct-discussion] nfacctd and Netflow v9 nbar Application iD
Hi Olaf,

Good to see some feedback and interest in this feature. I'd start with a couple of basic counter-questions to better understand where the issue lies at the moment: do you already have a Cisco router exporting NBAR information in NetFlow, or are you actually seeking configuration snippets to enable the feature? Regardless, what router model and IOS version are you using? Can you post your current pmacct config?

Cheers,
Paolo

On Fri, Sep 16, 2011 at 05:44:56PM +1000, Olaf de Bree wrote:
> Hi all,
>
> I am very new to pmacct, just came across it today actually when looking
> for a way to account application traffic for subscribers in our network.
>
> Basically I'm looking to account traffic moving to and from a subscriber
> based on a Flexible NetFlow NBAR application ID.
>
> For example, the output may be as such:
>
> Subscriber IP   NBAR APP ID   Sum Flows   Sum Bytes
> x.x.x.x         x             x           x
>
> According to the pmacct documentation it supports the NBAR application ID
> field but I'm really not sure how to account on it.
>
> Any help would be very much appreciated.
>
> Cheers
> Olaf