nProbe Collector Mode - add current date when dumping flows to CSV

[karankap]

Hi,

I have been using nfcapd to collect netflows and used to export them into a CSV using nfdump. This whole process has been working fine, however, I now have a requirement for which I need to switch over to nProbe (planning to use GTP plugin) to collect flows and dump them as CSV.

While dumping flows, I need to export current date with each flow, I have tried using --custom-fields attribute, but the problem is that it picks up the date when the collector was started and dumps that date. The date command is not evaluated every time a flow is dumped to CSV.

nprobe -n none -3 5502 -P /tmp/netflow/csv -F 300 -G --csv-separator "," --dont-nest-dump-dirs --dont-drop-privileges -T "%IN_BYTES %OUT_BYTES %IN_PKTS %OUT_PKTS %IPV4_SRC_ADDR %IPV4_DST_ADDR %PROTOCOL %PROTOCOL_MAP %L7_PROTO %L7_PROTO_NAME %L4_SRC_PORT %L4_DST_PORT %LAST_SWITCHED %FIRST_SWITCHED %SRC_VLAN %DST_VLAN %DIRECTION %EXPORTER_IPV4_ADDRESS %FLOW_ID %FLOW_START_SEC %FLOW_END_SEC %BIFLOW_DIRECTION %NAT_EVENT %FIREWALL_EVENT %INGRESS_VRFID %FLOW_DURATION_MILLISECONDS %RECEIVED_TIME" --custom-fields "RECEIVED_TIME=date"

Is there a way to dump a dynamic attribute (e.g. datetime when the flow was received by the collector ) which is neither a standard attribute of the netflow nor a proprietary attribute.

[cllasyx]

Hi Karan, have you fixed this issue? I am facing similar problem.