Hi Richard, All,

Short follow-up on the email below: peer_src_ip and peer_dst_ip can now
be filled with data from NetFlow/sFlow protocols. This has been just
committed to the CVS. Log entry follows:

* peer_src_ip (IP address/agent ID of the device exporting NetFlow/sFlow
  datagrams) and peer_dst_ip (BGP next-hop) can now be filled from
  NetFlow/sFlow protocols data. To activate, nfacctd_as_new/sfacctd_as_new
  have to be 'false' (default value), 'true' or 'file'. Indeed if
  nfacctd_as_new/sfacctd_as_new is set to 'bgp' instead, such primitives
  are filled from the BGP protocol - just as before.

Hope this is of interest.

Cheers,
Paolo

On Fri, Apr 02, 2010 at 10:19:31AM +0000, Paolo Lucente wrote:
> Hi Richard,
>
> On Fri, Apr 02, 2010 at 03:12:23AM -0500, Richard A Steenbergen wrote:
>
> > * Record (and aggregate on) the address of the router that exported a
> > flow via netflow/sflow. Basically I just want to know which router
> > exported the flow to me, using either the agent address if available (on
> > sflow, etc), or the source address of the netflow packet.
>
> As Nitzan correctly mentioned, pre-tagging should be used for this. The
> idea is you get a tag instead of the IP address of the NetFlow/sFlow
> exporter. If it doesn't suit, just let me know: I would see it as a good
> feature request.
>
> > * Record (and aggregate on) the src/dst ifindexes that are exported via
> > sflow/netflow protocols. Obviously this would be paired with the router
> > id mentioned above to give the ifindex meaning, :)
>
> As of 0.12.1 (which will be out in roughly a week) or the code currently
> in the CVS you have the in_iface and out_iface aggregation primitives.
>
> The "legacy" way (up to 0.12.0) to do it was via pre-tagging as per the
> point before. Of course pre-tagging (so map ifindexes to tags) can still
> be used when a stricter control (filter out un-needed stuff) is required
> as part of the aggregation process.
>
> > * Record the mask that was used in a src/dst_net aggregator. I figured
> > out how to dynamically aggregate by the netmask value exported via
> > netflow/sflow (via the pmacct changelog, it doesn't seem to be in the
> > documentation anywhere I could find), but it doesn't record the netmask
> > that was used. For example, say I receive an export for a flow to
> >
> > [ ... ]
>
> As of 0.12.1 (which will be out in roughly a week) or the code currently
> in the CVS you have the src_mask and dst_mask aggregation primitives :-)
> You have also a set of [ nfacctd_net | sfacctd_net | pmacctd_net ] config
> directives which have as values [ netflow | sflow | mask | file | bgp ].
> It means the network prefix and the netmask can be explicitly grasped out
> of: netflow, sflow, bgp, a networks_file: a file where some networks are
> listed (can be also a dump of the full BGP table) which makes sense going
> libpcap or ULOG really or a static networks_mask directive: ie. aggregate
> everything to /24: it makes sense once again if going libpcap or ULOG.
>
> Cheers,
> Paolo
>
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
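
Added example, not part of the thread and not pmacct code: a minimal NetFlow v5 aggregator showing why the exporter address (peer_src_ip), the ifindexes (in_iface/out_iface) and the recorded mask (dst_mask) belong in the aggregation key. It assumes NetFlow v5 only and takes the exporter from the UDP source address; `build_v5`, `aggregate` and `SAMPLE` are hypothetical names, and all addresses and counters are constructed.

```python
import ipaddress
import struct
from collections import Counter

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte NetFlow v5 flow record

def build_v5(records):
    """Pack constructed (dst, in_if, out_if, octets, dst_mask) tuples into one datagram."""
    src = ipaddress.IPv4Address("192.0.2.1").packed
    body = b"".join(
        V5_RECORD.pack(src, ipaddress.IPv4Address(dst).packed, bytes(4), in_if, out_if,
                       1, octets, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, mask)
        for dst, in_if, out_if, octets, mask in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body

def aggregate(datagrams, with_context=True):
    """Sum octets per key over (udp_source_ip, payload) pairs."""
    totals = Counter()
    for exporter, payload in datagrams:
        if len(payload) < V5_HEADER.size:
            continue                                    # too short to hold a header
        version, count = V5_HEADER.unpack_from(payload)[:2]
        if version != 5 or len(payload) != V5_HEADER.size + count * V5_RECORD.size:
            continue                                    # not v5, or truncated/padded
        for i in range(count):
            f = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
            dst, in_if, out_if, octets, dst_mask = f[1], f[3], f[4], f[6], f[17]
            if dst_mask > 32:
                continue                                # invalid prefix length
            net = str(ipaddress.ip_network((dst, dst_mask), strict=False).network_address)
            # Full key: exporter, in/out ifindex, network, mask. Bare key: ifindexes, network.
            key = (exporter, in_if, out_if, net, dst_mask) if with_context else (in_if, out_if, net)
            totals[key] += octets
    return totals

# Constructed sample: two exporters that both use ifindex 1 -> 2.
SAMPLE = [
    ("198.51.100.1", build_v5([("10.0.0.5", 1, 2, 1000, 8), ("10.0.0.9", 1, 2, 500, 24)])),
    ("198.51.100.2", build_v5([("10.0.0.77", 1, 2, 300, 24)])),
    ("198.51.100.3", build_v5([("10.0.0.1", 1, 2, 999, 24)])[:40]),  # truncated datagram
]

if __name__ == "__main__":
    for mode in (False, True):
        for key, octets in sorted(aggregate(SAMPLE, mode).items()):
            print(mode, key, octets)
```

Without the exporter and mask in the key, the /8 flow, the /24 flows and both routers' ifindex 1 -> 2 traffic merge into a single 10.0.0.0 row; with them, each stays separate.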
