Hi, I need some help understanding how to export custom-defined primitives in NetFlow v9 messages, if that is possible, as I want to define custom fields, send them out to a NetFlow collector and visualize them using graphs (if the collector supports custom templates).
As a first step, I am trying to use the custom aggregate primitive used in examples/primitives.lst.example:

    " Defines a primitive called 'udp_len': base pointer is set to the UDP header (l4:17) plus 4 bytes offset, reads for 2 byte and will present it as unsigned int.
    name=udp_len packet_ptr=l4:17+4 len=2 semantics=u_int "

I used it to classify flows after defining "udp_len" as mentioned above. My conf file for pmacctd is:

    daemonize:false
    interface: wlp1s0
    aggregate_primitives: primitives.lst
    aggregate: etype, proto, src_host, dst_host, src_port, dst_port, udp_len
    plugins: nfprobe, print
    nfprobe_receiver: 172.24.1.123:9996
    nfprobe_version: 9

My primitives.lst file defines the custom primitive as follows:

    name=udp_len packet_ptr=l4:17+4 len=2 semantics=u_int

When I run pmacct with "sudo pmacctd -f pmacct.conf", I'm able to see the flows that have the udp_len column displayed in the console using the print plugin. Output of "sudo pmacctd -f pmacct.conf":

    INFO ( default/core ): Promiscuous Mode Accounting Daemon, pmacctd 1.7.2-git (20180701-01)
    INFO ( default/core ): '--enable-l2' '--enable-ipv6' '--enable-64bit' '--enable-traffic-bins' '--enable-bgp-bins' '--enable-bmp-bins' '--enable-st-bins'
    INFO ( default/core ): Reading configuration file '/home/certes-rajesh/pmacct/pmacct/pmacct.conf'.
    INFO ( default/core ): [primitives.lst] (re)loading map.
    INFO ( default/core ): [primitives.lst] map successfully (re)loaded.
    INFO ( default_nfprobe/nfprobe ): NetFlow probe plugin is originally based on softflowd 0.9.7 software, Copyright 2002 Damien Miller <[email protected]> All rights reserved.
    INFO ( default_nfprobe/nfprobe ): TCP timeout: 3600s
    INFO ( default_nfprobe/nfprobe ): TCP post-RST timeout: 120s
    INFO ( default_nfprobe/nfprobe ): TCP post-FIN timeout: 300s
    INFO ( default_nfprobe/nfprobe ): UDP timeout: 300s
    INFO ( default_nfprobe/nfprobe ): ICMP timeout: 300s
    INFO ( default_nfprobe/nfprobe ): General timeout: 3600s
    INFO ( default_nfprobe/nfprobe ): Maximum lifetime: 604800s
    INFO ( default_nfprobe/nfprobe ): Expiry interval: 60s
    INFO ( default_nfprobe/nfprobe ): Exporting flows to [192.168.122.1]:9996
    ERROR ( default_nfprobe/nfprobe ): custom primitive 'udp_len' has null field_type
    INFO ( default_print/print ): cache entries=16411 base cache memory=54878384 bytes
    WARN ( default_print/print ): no print_output_file and no print_output_lock_file defined.
    INFO ( default/core ): [wlp1s0,0] link type is: 1
    WARN ( default/core ): connection lost to 'default_nfprobe-nfprobe'; closing connection.
    INFO ( default_print/print ): *** Purging cache - START (PID: 2837) ***
    ETYPE SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL udp_len PACKETS BYTES
    86dd fd50:1d9:a341:f100:8ae:86f3:123d:3654 ff02::fb 5353 5353 udp 41 3 243
    .......

When I try to give a dummy field type, it throws:

    WARN ( default/core ): [primitives.lst] field_type is only supported in nfacctd.

I need help figuring out whether I'm doing the right thing to export custom fields as part of NetFlow messages, as I will need to send out more custom fields that are read from the packet.
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
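The primitive line quoted in the post only says where in the packet the value is read from. The following Python is an added example, not pmacct's or nfprobe's code: it resolves a `packet_ptr=l4:17+4 len=2 semantics=u_int` definition against raw Ethernet frames, so you can see exactly what udp_len reads, that it yields nothing on a non-UDP packet, and that a truncated capture never reads past the buffer. The frames, MAC addresses and the simplified layer locator (l3/l4 base pointers only, IPv4 options via IHL, no IPv6 extension headers, u_int semantics only) are assumptions made for illustration; the constructed IPv6 frame is sized so its UDP length is 41, the same value the print plugin shows for the 81-byte mDNS packets (243 bytes over 3 packets) in the output above.

```python
"""Added example (not pmacct code): resolve a pmacct-style custom primitive such as
    name=udp_len packet_ptr=l4:17+4 len=2 semantics=u_int
against a raw Ethernet frame to show what the primitive actually reads.
Assumptions: l3/l4 base pointers only, IPv4 with IHL-sized header, IPv6 without
extension headers, u_int semantics only. Frames below are constructed, not captured."""
import ipaddress
import re
import struct

ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
IPPROTO_UDP = 17

# <layer>:<proto>+<offset>, e.g. l4:17+4 (proto and offset optional)
PTR_RE = re.compile(r"^(l3|l4):(\d+)?\+?(\d+)?$")


def parse_primitive(line):
    """Parse one primitives.lst line into name, layer, proto, offset, len, semantics."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    m = PTR_RE.match(kv["packet_ptr"])
    if not m:
        raise ValueError("unsupported packet_ptr: " + kv["packet_ptr"])
    layer, proto, off = m.groups()
    return {
        "name": kv["name"],
        "layer": layer,
        "proto": int(proto) if proto else None,
        "offset": int(off) if off else 0,
        "len": int(kv["len"]),
        "semantics": kv.get("semantics", "u_int"),
    }


def locate_layers(frame):
    """Return (l3_offset, l4_offset, l4_proto) for an Ethernet frame, or None if not IP."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == ETH_P_IP and len(frame) >= l3 + 20:
        ihl = (frame[l3] & 0x0F) * 4          # IPv4 options shift the L4 header
        return l3, l3 + ihl, frame[l3 + 9]
    if ethertype == ETH_P_IPV6 and len(frame) >= l3 + 40:
        # next header is taken as the L4 protocol; extension headers not followed (assumption)
        return l3, l3 + 40, frame[l3 + 6]
    return None


def read_primitive(frame, prim):
    """Read the primitive's value from the frame; None when the packet does not match."""
    layers = locate_layers(frame)
    if layers is None:
        return None
    l3, l4, l4_proto = layers
    if prim["layer"] == "l4" and prim["proto"] is not None and prim["proto"] != l4_proto:
        return None                           # e.g. udp_len applied to a TCP packet
    base = l3 if prim["layer"] == "l3" else l4
    start = base + prim["offset"]
    raw = frame[start:start + prim["len"]]
    if len(raw) != prim["len"]:
        return None                           # truncated packet: never read past the buffer
    if prim["semantics"] == "u_int":
        return int.from_bytes(raw, "big")     # network byte order
    return raw                                # other semantics (ip, mac, str, ...) not modelled


def build_sample_frame():
    """Constructed IPv6/UDP mDNS frame: 33-byte payload so the UDP length field is 41."""
    payload = bytes(33)
    udp = struct.pack("!HHHH", 5353, 5353, 8 + len(payload), 0) + payload
    src = ipaddress.IPv6Address("fd50:1d9:a341:f100:8ae:86f3:123d:3654").packed
    dst = ipaddress.IPv6Address("ff02::fb").packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(udp), IPPROTO_UDP, 255) + src + dst
    eth = bytes.fromhex("33330000 00fb 020000000001 86dd")  # dst MAC, src MAC, ethertype
    return eth + ip6 + udp                    # 95 bytes on the wire, 81 bytes of IP


def build_tcp_frame():
    """Constructed IPv4/TCP SYN with no IP options; udp_len must not match it."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("020000000002 020000000001 0800")
    return eth + ip4 + tcp


UDP_LEN = parse_primitive("name=udp_len packet_ptr=l4:17+4 len=2 semantics=u_int")

if __name__ == "__main__":
    print(UDP_LEN["name"], read_primitive(build_sample_frame(), UDP_LEN))   # 41
    print(UDP_LEN["name"], read_primitive(build_tcp_frame(), UDP_LEN))      # None
```

Run stand-alone it prints 41 for the mDNS frame and None for the TCP frame; feeding the same function frames from a pcap reader is the quickest way to check a new primitives.lst line reads the field you intend before wiring it into an export pipeline.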
