Hi Richard, On Fri, Apr 02, 2010 at 03:12:23AM -0500, Richard A Steenbergen wrote:
> * Record (and aggregate on) the address of the router that exported a > flow via netflow/sflow. Basically I just want to know which router > exported the flow to me, using either the agent address if available (on > sflow, etc), or the source address of the netflow packet. As Nitzan correctly mentioned, pre-tagging should be used for this. The idea is you get a tag instead of the IP address of the NetFlow/sFlow exporter. If doesn't suit, just let me know: I would see it as a good feature request. > * Record (and aggregate on) the src/dst ifindexes that are exported via > sflow/netflow protocols. Obviously this would be paired with the router > id mentioned above to give the ifindex meaning, :) As of 0.12.1 (which will be out in roughly a week) or the code currently in the CVS you have the in_iface and out_iface aggregation primitives. The "legacy" way (up to 0.12.0) to do it was via pre-tagging as per the point before. Of course pre-tagging (so map ifindexes to tags) can still be used when a stricter control (filter out un-needed stuff) is required as part of the aggregation process. > * Record the mask that was used in a src/dst_net aggregator. I figured > out how to dynamically aggregate by the netmask value exported via > netflow/sflow (via the pmacct changelog, it doesn't seem to be in the > documentation anywhere I could find), but it doesn't record the netmask > that was used. For example, say I receive an export for a flow to > > [ ... ] As of 0.12.1 (which will be out in roughly a week) or the code currently in the CVS you have the src_mask and dst_mask aggregation primitives :-) You have also a set of [ nfacctd_net | sfacctd_net | pmacctd_net ] config directives which have as values [ netflow | sflow | mask | file | bgp ]. It means the network prefix and the netmask can be explicitely grasped out of: netflow, sflow, bgp, a networks_file: a file where some networks are listed (can be also a dump of the full BGP table) which makes sense going libpcap or ULOG really or a static netwosk_mask directive: ie. aggregate everything to /24: it makes sense once again if going libpcap or ULOG. Cheers, Paolo _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists