Ah yes! It was only missing from my aggregate list. Thanks again, I am really liking this tool!
- matt --- On Thu, 3/19/09, Paolo Lucente <[email protected]> wrote: > From: Paolo Lucente <[email protected]> > Subject: Re: [pmacct-discussion] ip_proto field (wrt netflow) > To: [email protected] > Date: Thursday, March 19, 2009, 12:29 PM > > -----Inline Attachment Follows----- > > Hi Matt, > > "IP" is the default ip_proto pmacct shows in two cases: 1) > when it > is unable to gather such information, for example from the > received > NetFlow packet or 2) when the "proto" primitive is not part > of the > aggregation profile ("aggregate" configuration directive or > "-c" > commandline). > > Maybe the easiest to check is your pmacct configuration; if > not > sure, post your configuration here so that we can have a > look; then > you might want to check in Wireshark whether the field is > filled in > properly within the NetFlow packet. > > Cheers, > Paolo > > On Thu, Mar 19, 2009 at 10:56:19AM -0700, Matt Lawson > wrote: > > > > > > > > I have nfacctd working pretty well now. One > question though. The "ip_proto" field always indicates > "ip". It is possible using netflow (version 9 *I > think*), to determine whether the type of the described > flows are TCP vs. UDP ? > > > > Does this require configuration on the router, in the > nfacctd file, or is pmacctd the only daemon which can > categorize flows as TCP/UDP? > > > > Thanks. > > > > - matt > > > > > > > > > > > > _______________________________________________ > > pmacct-discussion mailing list > > http://www.pmacct.net/#mailinglists > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists > _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
