Hi Matt,
"IP" is the default ip_proto pmacct shows in two cases: 1) when it
is unable to gather such information, for example from the received
NetFlow packet or 2) when the "proto" primitive is not part of the
aggregation profile ("aggregate" configuration directive or "-c"
command line).
Maybe the easiest to check is your pmacct configuration; if not
sure, post your configuration here so that we can have a look; then
you might want to check in Wireshark whether the field is filled in
properly within the NetFlow packet.
Cheers,
Paolo
On Thu, Mar 19, 2009 at 10:56:19AM -0700, Matt Lawson wrote:
> I have nfacctd working pretty well now. One question though. The "ip_proto"
> field always indicates "ip". Is it possible using netflow (version 9 *I
> think*), to determine whether the type of the described flows are TCP vs. UDP?
>
> Does this require configuration on the router, in the nfacctd file, or is
> pmacctd the only daemon which can categorize flows as TCP/UDP?
>
> Thanks.
>
> - matt
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
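
The second check suggested in the reply (is the protocol field actually present in the NetFlow packet?) can also be done offline on a captured export datagram. The sketch below is an added example, not pmacct code and not part of the original thread: it walks a NetFlow v9 packet, reads the templates, and reports the PROTOCOL field (type 4 in RFC 3954) of each flow record. The names `parse_v9` and `sample_packet` are hypothetical, and the packet bytes are constructed for the demonstration.

```python
import struct

PROTOCOL = 4  # NetFlow v9 field type 4 is PROTOCOL, one byte (RFC 3954)

def parse_v9(packet, templates=None):
    """Return (templates, protos); protos holds each data record's IP protocol, or None."""
    templates = {} if templates is None else templates
    protos = []
    if struct.unpack_from("!H", packet, 0)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    off = 20                                   # fixed v9 header length
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad FlowSet length")
        body = packet[off + 4:off + fs_len]
        pos = 0
        if fs_id == 0:                         # template FlowSet
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256:                  # trailing padding
                    break
                templates[tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id in templates:               # data FlowSet with a known template
            fields = templates[fs_id]
            rec_len = sum(flen for _, flen in fields)
            while rec_len and pos + rec_len <= len(body):
                value, p = None, pos
                for ftype, flen in fields:
                    if ftype == PROTOCOL:
                        value = body[p]        # 6 = TCP, 17 = UDP
                    p += flen
                protos.append(value)
                pos += rec_len
        off += fs_len
    return templates, protos

def sample_packet(with_proto=True):
    """Constructed export packet: one template (id 256) and two flow records."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2)] + ([(PROTOCOL, 1)] if with_proto else [])
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    recs = b""
    for proto, sport, dport in ((6, 40000, 443), (17, 40001, 53)):
        recs += bytes([192, 0, 2, 1, 198, 51, 100, 7]) + struct.pack("!HH", sport, dport)
        recs += bytes([proto]) if with_proto else b""
    recs += b"\x00" * (-len(recs) % 4)         # pad data FlowSet to a 32-bit boundary
    header = struct.pack("!HHIIII", 9, 3, 1000, 1237485379, 1, 0)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(recs)) + recs)
```

A result of `None` for every record means the exporter's template does not carry the field, which is the first case in the reply; real protocol numbers in the packet alongside "ip" in the output point to the second case, the aggregation profile.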