Howdy there. I've been experimenting with nfacctd and it's be a delight to setup. (very simple config)
A quick note: Some of the IPFIX Field types aren't being decoded in debug... eg. DEBUG ( default/core ): NfV10 template type : flow DEBUG ( default/core ): NfV10 template ID : 256 DEBUG ( default/core ): ----------------------------------------------------- DEBUG ( default/core ): | pen | field type | offset | size | DEBUG ( default/core ): | 0 | IPv4 src addr | 0 | 4 | DEBUG ( default/core ): | 0 | IPv4 dst addr | 4 | 4 | DEBUG ( default/core ): | 0 | tos | 8 | 1 | DEBUG ( default/core ): | 0 | L4 protocol | 9 | 1 | DEBUG ( default/core ): | 0 | L4 src port | 10 | 2 | DEBUG ( default/core ): | 0 | L4 dst port | 12 | 2 | DEBUG ( default/core ): | 0 | icmp type | 14 | 2 | DEBUG ( default/core ): | 0 | input snmp | 16 | 4 | DEBUG ( default/core ): | 0 | IPv4 src mask | 20 | 1 | DEBUG ( default/core ): | 0 | IPv4 dst mask | 21 | 1 | DEBUG ( default/core ): | 0 | src as | 22 | 4 | DEBUG ( default/core ): | 0 | dst as | 26 | 4 | DEBUG ( default/core ): | 0 | IPv4 next hop | 30 | 4 | DEBUG ( default/core ): | 0 | tcp flags | 34 | 1 | DEBUG ( default/core ): | 0 | output snmp | 35 | 4 | DEBUG ( default/core ): | 0 | in bytes | 39 | 8 | DEBUG ( default/core ): | 0 | in packets | 47 | 8 | DEBUG ( default/core ): | 0 | 152 | 55 | 8 | DEBUG ( default/core ): | 0 | 153 | 63 | 8 | DEBUG ( default/core ): | 0 | 136 | 71 | 1 | DEBUG ( default/core ): ----------------------------------------------------- Field types 152,152 and 136 appear to be documented in RFC 5102. http://www.ietf.org/rfc/rfc5102.txt 152 = flowStartMilliseconds 153 = flowStartMilliseconds 136 = flowEndReason But they do not appear to be as-yet 'understood' by pmacct. Not sure if this is useful, but thought you might like to know. Cheers, Joel
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists