Hi Baseem, The ports_file is not influencial on your original issue - it would only allow you to narrow down ports to a set of interest (for the sake of not getting too much data). Ports are in the template so this looks weird: can you send privately a brief trace of some IPFIX flows (and template so to be able to decode them)? This is for inspecting them and replaying in lab.
Cheers, Paolo On Tue, Apr 12, 2016 at 05:02:51PM +0200, bassem zaki wrote: > Hello again, > > While searching I found that I should add "ports_file:" primitive but I > didn't work for me. > > BR, > Bassem > > On Tue, Apr 12, 2016 at 12:37 PM, bassem zaki <eng.bassem.z...@gmail.com> > wrote: > > > Hello all, > > > > I'm new to pmacct and I'm trying to collect IPFIX flows sent from a cisco > > router using nfacctd and mysql plugin. The problem is I'm not able to > > collect src_port and dst_port although I'm able to collect them using > > another netflow collector (SILK). > > > > *nfacct.conf:* > > > > daemonize: false > > aggregate[dummy]: src_host, dst_host, src_port, dst_port > > nfacctd_port: 4739 > > nfacctd_time_new: true > > plugins: mysql[dummy] > > sql_db: pmacct > > sql_table: acct > > sql_table_version: 1 > > sql_passwd: XXXX > > sql_user: XXXX > > sql_refresh_time: 90 > > sql_history: 10m > > sql_history_roundoff: mh > > > > <SNIP> > > > > +-------------+-------------+--------------+---------------+----------+----------+----------+---------+-------+---------------------+---------------------+ > > | mac_src | mac_dst | ip_src | ip_dst | src_port | > > dst_port | ip_proto | packets | bytes | stamp_inserted | > > stamp_updated | > > > > +-------------+-------------+--------------+---------------+----------+----------+----------+---------+-------+---------------------+---------------------+ > > | 0:0:0:0:0:0 | 0:0:0:0:0:0 | XX.XX.XX.XX | XX.XX.XX.XX | 0 > > | 0 | ip | 1 | 143 | 2016-04-12 11:50:00 | 2016-04-12 > > 11:54:01 | > > > > +-------------+-------------+--------------+---------------+----------+----------+----------+---------+-------+---------------------+---------------------+ > > <SNIP> > > > > <SNIP> > > DEBUG ( default/core ): NfV10 agent : ::ffff:XX.XX.XX.XX:256 > > DEBUG ( default/core ): NfV10 template type : flow > > DEBUG ( default/core ): NfV10 template ID : 269 > > DEBUG ( default/core ): ---------------------------------------- > > DEBUG ( default/core ): | field type | offset | size | > > DEBUG ( default/core ): | IPv4 src addr | 0 | 4 | > > DEBUG ( default/core ): | IPv4 dst addr | 4 | 4 | > > DEBUG ( default/core ): | L4 src port | 8 | 2 | > > DEBUG ( default/core ): | L4 dst port | 10 | 2 | > > DEBUG ( default/core ): | in bytes | 12 | 4 | > > DEBUG ( default/core ): | in packets | 16 | 4 | > > DEBUG ( default/core ): ---------------------------------------- > > ..... > > ..... > > DEBUG ( dummy/mysql ): INSERT INTO `acct` (stamp_updated, stamp_inserted, > > ip_src, ip_dst, src_port, dst_port, ip_proto, mac_src, mac_dst, packets, > > bytes) VALUES (FROM_UNIXTIME(1460456228), FROM_UNIXTIME(1460455800), > > 'XX.XX.XX.XX', 'XX.XX.XX.XX', 0, 0, 'ip', '0:0:0:0:0:0', '0:0:0:0:0:0', 1, > > 123) > > <SNIP> > > > > BR, > > Bassem Zaki > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
