You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.


  1. UPGRAGE guidelines.
  2. pmacct is developed keeping an eye to backward compatibility: the upgrade to
  3. some newer version should be as smooth as possible from an user standpoint.
  4. However, sometimes the upgrade may require some operations aimed to support
  5. the changes done or break old assumptions no longer valid; while the effort
  6. is to keep these cases at a low, please read this file in preparation to
  7. upgrading your installation.
  8. TO: >= 1.7.0
  9. FROM: <= 1.6.2
  10. TOPIC: Obsoleted features
  11. DESC: Following is the list of features, knobs and plugins that are being
  12. discontinued with release 1.7:
  13. * MongoDB plugin is being discontinued since the old Mongo API is
  14. not supported anymore and there has never been enough push from
  15. the community to transition to the new/current API (which would
  16. require a rewrite of most of the plugin)
  17. * Packet classification basing on the L7-filter project is being
  18. discontinued (ie. 'classifiers' directive). This is being replaced
  19. by an implementation basing on the nDPI project. As part of this
  20. also the sql_aggressive_classification knob has been discontinued.
  21. * tee_receiver was part of the original implementation of the tee
  22. plugin, allowing to forward to a single target and hence requiring
  23. multiple plugins instantiated, one per target. Since 0.14.3 this
  24. directive was effectively outdated by tee_receivers.
  25. * tmp_net_own_field knob was allowing to revert to backward compatible
  26. behaviour of IP prefixes (ie. src_net) being written in the same
  27. field as IP addresses (ie. src_host)
  28. * tmp_comms_same_field knob was allowing to revert to backward
  29. compatible behaviour of BGP communities (standard, extended) being
  30. writeen all in the same field.
  31. * plugin_pipe_amqp and plugin_pipe_kafka features were meant as an
  32. alternative to the homegrown queue solution for internal messaging,
  33. ie. passing data from the Core Process to Plugins, and are being
  34. discontinued. They are being replaced by a new implementation,
  35. plugin_pipe_zmq, basing on ZeroMQ.
  36. * plugin_pipe_backlog was allowing to keep an artificial backlog of
  37. data in the Core Process so for plugins to maximise bypass poll()
  38. syscalls in plugins. If home-grown queueing is found limiting,
  39. instead of falling back to such strategies, ZeroMQ queueing should
  40. be used.
  41. TO: >= 1.7.0
  42. FROM: <= 1.6.2
  43. TOPIC: change to sql_num_hosts
  44. DESC: When sql_num_hosts is enabled and pmacct is not compiled with
  45. --disable-ipv6, INET6_ATON() is now used for both IPv4 and IPv6 with
  46. MySQL and SQLite. Tables should be upgraded by changing columns from
  47. INT(4) to VARBINARY(16) and then converting data - for MySQL:
  49. UPDATE table SET ip_src = INET6_ATON(INET_NTOA(ip_src))
  51. This has performance implications which are mentioned in README.IPv6.
  52. TO: >= 1.6.2
  53. FROM: <= 1.6.1
  54. TOPIC: default plugin names
  55. DESC: Plugin names had to be unique per plugin type, meaning two plugins
  56. could be named "foobar" if they were of different type. Such behaviour
  57. has proven to lead to ambiguous scenarios and hence now plugin names
  58. must be globally unique. If not naming a plugin, its default name
  59. will now be "default_<plugin type>" instead of "default". Any piece
  60. of configuration that attaches directives to the "default" name, ie.
  61. relying on the assumption the plugin name defaults to "default", must
  62. be reviewed.
  63. TO: >= 1.6.2
  64. FROM: <= 1.6.1
  65. TOPIC: print_time_roundoff configuration directive suppressed
  66. DESC: The directive was renamed print_history_roundoff for consistency with
  67. other plugins. print_time_roundoff was already removed from documents
  68. for the past 3+ years.
  69. TO: >= 1.6.2
  70. FROM: <= 1.6.1
  71. TOPIC: sFlow probe (sfprobe plugin) and tags and class primitives
  72. DESC: Historically enterprise #8800 was squatted for the purpose of encoding
  73. pmacct-specific fields in sFlow, ie. tags and class. This never got
  74. changed when pmacct was assigned its own enterprise number (#43874) by
  75. IANA. In 1.6.2, these primitives are moved from #8800 to #43874 making
  76. older exports not compatible anymore.
  77. TO: >= 1.6.1
  78. FROM: <= 1.6.0
  79. TOPIC: BGP communities and AS-PATH
  80. DESC: In pmacct 1.6.1 BGP communities and AS-PATH primitives (ie. std_comm,
  81. ext_comm, as_path, etc.) were moved from being fixed length to the
  82. variable-length framework, allowing for very long lists of communities
  83. or paths to be integrally represented. The IMT plugin is excluded from
  84. this work and these primitives will still be fixed length. Also, these
  85. primitives are not going to be supported anymore in the formatted output
  86. (but they will be no problem in the CSV, JSON and Avro output formats)
  87. of the print plugin. Btw, the formatted output support for the print
  88. plugin will be eventually discontinued in future so it is good to move
  89. away from it.
  90. TO: >= 1.6.1
  91. FROM: <= 1.6.0
  92. TOPIC: BGP extended communities (ext_comm, src_ext_comm primitives)
  93. DESC: Some legacy decision (..) made BGP standard and extended communities be
  94. written to the same field, mutual excluding each other. This behaviour
  95. has now been changed with each community type being written to the own
  96. field. For backward compatibility purposes a temporary config directive
  97. has been introduced, tmp_comms_same_field, that - if set to true - does
  98. enable the old behaviour. The config directive will be removed at the
  99. next major release.
  100. TO: >= 1.6.1
  101. FROM: <= 1.6.0
  102. TOPIC: print_markers
  103. DESC: In the print plugin, start marker is now printed also in the case where
  104. print_output_file_append is set to true; also, markers are printed as a
  105. JSON object, if output is set to JSON.
  106. TO: >= 1.6.0
  107. FROM: <= 1.5.3
  108. TOPIC: uacctd switched from ULOG to NFLOG
  109. DESC: NFLOG supports both IPv4 and IPv6. While ULOG is still supported in
  110. recent kernels, NFLOG is supported since 2.6.14 and there is little
  111. point to support both - so a switch was made. The new daemon depends
  112. on the package libnetfilter-log-dev (in Debian/Ubuntu or equivalent
  113. in the prefered Linux distribution). For a quick test one can setup
  114. iptables to produce data in one of the following ways:
  115. * iptables -t mangle -I POSTROUTING -j NFLOG --nflog-group 4
  116. * iptables -t raw -I PREROUTING -j NFLOG --nflog-group 4
  117. And use the following command to collect data back:
  118. uacctd -c in_iface,out_iface,src_mac,dst_mac,src_host,dst_host,proto,src_port,dst_port -P print -g 4
  119. TO: >= 1.6.0
  120. FROM: <= 1.5.3
  121. TOPIC: build system refreshed
  122. DESC: autoconf and automake from early 2000 were being used to compile the
  123. build system until 1.5.3. This was for the sake of simplicity and
  124. robustness and, of course, came with drawbacks: somebody wanting to
  125. touch the build system should know which version of the tools to use,
  126. no leverage of the latest and greatest advancements made in the last
  127. one and half decades. The switch for should be almost transparent,
  128. the only impact being how to supply information in case the build
  129. system is unable to determine location of libraries (ie. via pkg-config
  130. and checking "typical" locations like /usr/local/lib): taking as an
  131. example PostgreSQL, before --with-pgsql-libs and --with-pgsql-includes
  132. were to be used to supply path to library and headers respectively;
  133. now environment variables PGSQL_LIBS and PGSQL_CFLAGS should be used
  134. instead for the same purpose, ie.:
  135. PGSQL_LIBS="-L/usr/local/postgresql/lib -lpq"
  136. PGSQL_CFLAGS="-I/usr/local/postgresql/include"
  137. ./configure --enable-pgsql
  138. TO: >= 1.6.0
  139. FROM: <= 1.5.3
  140. TOPIC: nfacctd_disable_checks and sfacctd_disable_checks
  141. DESC: Default for this feature changed from false to true, ie. log warning
  142. messages for failing basic checks against incoming NetFlow/sFlow
  143. datagrams is disabled. For sequencing checks, the 'export_proto_seqno'
  144. primitive is recommended instead.
  145. TO: >= 1.6.0
  146. FROM: <= 1.5.3
  147. TOPIC: sql_recovery_logfile
  148. DESC: Feature removed from pmacct along with pmmyplay and pmpgplay logfile
  149. replay tools.
  150. TO: >= 1.6.0
  151. FROM: <= 1.5.3
  152. TOPIC: MongoDB C legagy driver releases <= 0.8
  153. DESC: Support for MongoDB C legacy driver prior to 0.8 is dropped; in 0.8
  154. release, the most current version of the legacy driver, there was an
  155. impacting change of API; unfortunately in mongo.h the version was not
  156. updated and it looks the legacy driver is not maintained anymore (so
  157. no chance to have the nit fixed). The only way out seemed to default
  158. to the 0.8 behaviour, as that is the one currently being downloaded
  159. from GitHub by users.
  160. TO: >= 1.6.0
  161. FROM: <= 1.5.3
  162. TOPIC: src_net and dst_net primitives
  163. DESC: Until 1.5.3 src_net and dst_net primitives value was written in the
  164. same field as src_host and dst_host - hence making the two sets mutual
  165. exclusive. This was found limiting by several users and, as a result of
  166. that, a separate field was added for storing networks (see "Increased
  167. memory usage by plugin caches" entry in this document). The use of such
  168. separate field had to be explicitely enabled by setting tmp_net_own_field
  169. configuration directive to true (by default set to false for backward
  170. compatibility); in version 1.6.0, tmp_net_own_field default value has
  171. now changed to true. tmp_net_own_field will be removed at the next
  172. major release.
  173. TO: >= 1.5.2
  174. FROM: <= 1.5.1
  175. TOPIC: --enable-ipv6 , IPv4-mapped IPv6 addresses & bindv6only
  176. DESC: Explicit support for IPv4-mapped IPv6 addresses was removed and now the
  177. bindv6only kind of behaviour is expected to be false (ie. both v4, via
  178. v4-mapped v6 addresses, and v6 addresses can connect to the v6 socket).
  179. On BSDs this is enforced in the code via a setsockopt() call; on Linux
  180. /proc/sys/net/ipv6/bindv6only is meant to enable/disable the feature.
  181. If binding to a "::" address (ie. no [sn]facctd_ip specified when pmacct
  182. is compiled with --enable-ipv6) no packets from IPv4 senders are not
  183. being received, then please check your bindv6only kernel setting.
  184. TO: >= 1.5.2
  185. FROM: <= 1.5.1
  186. TOPIC: sql_history_since_epoch
  187. DESC: The effect of configuration directive sql_history_since_epoch has been
  188. ported to encompass any timestamp in pmacct, ie. timestamp_start and
  189. timestamp_end primitives, nfacctd_stitching, sfacctd counters filename,
  190. etc. The directive has hence been renamed timestamps_since_epoch. The
  191. old name, sql_history_since_epoch, has been removed from documentation
  192. but it is still going to be accepted in the configuration until the next
  193. major release for the sake of backwards compatibility.
  194. TO: >= 1.5.1
  195. FROM: <= 1.5.0
  196. TOPIC: Increased memory usage by plugin caches
  197. DESC: Source and destination IP prefixes aggregaton primitives, src_net and
  198. dst_net, now feature a separate field so to not be mutually exclusive
  199. with aggregation over IP addresses, ie. src_host and dst_host. In 1.5
  200. this can be optionally enabled by setting tmp_net_own_field to true;
  201. in later releases this behaviour will become default. The extra fields
  202. for IP prefixes do take additional memory in plugins cache - meaning
  203. values for pre-allocated cache enries, ie. print_cache_entries, if
  204. configured to tight to available resources might generate SEGV and
  205. have to be reviewed downward.
  206. TO: >= 1.5.0
  207. FROM: <= 1.5.0rc3
  208. TOPIC: nfprobe plugin, NetFlow v9 export and flow timestamps
  209. DESC: timestamps for nfprobe plugin NetFlow v9 export are now absolute and
  210. in msecs, using field types #152 and #153. timestamps_secs can be set
  211. to true in order to revert to timestamps relative and in secs, using
  212. fields types #21 and #22.
  213. TO: >= 1.5.0
  214. FROM: <= 1.5.0rc3
  215. TOPIC: nfprobe plugin, NetFlow/IPFIX exports and tag, tag2 primitives
  216. DESC: tag and tag2 primitives can now be exported by nfprobe plugin only
  217. using IPFIX transport (nfprobe_version: 10). This is because, being
  218. custom pmacct field types, they have moved inside pmacct PEN for a
  219. cleaner solution (PENs not being supported by NetFlow v9).
  220. TO: >= 1.5.0
  221. FROM: <= 1.5.0rc3
  222. TOPIC: NetFlow/IPFIX, print/AMQP/MongoDB plugins & time syncronization
  223. DESC: In 1.5.0 print/AMQP/MongoDB plugins are brought on par to SQL plugins
  224. by which flows/data with a future timestamp than the one currently
  225. being flushed is retained in the cache - to give further chances to
  226. in-memory data aggregation. This is intuitive, consistent behaviour
  227. but could happen time syncronization between collector and NetFlow/
  228. IPFIX agents was not an issue and suddenly it appears pmacct is not
  229. writing to the backend anymore. Solution is simply to sync all via
  230. NTP and use same timezone (recommended UTC for all).
  231. TO: >= 1.5.0rc3
  232. FROM: <= 1.5.0rc2
  233. TOPIC: nfacctd, sfacctd & plugin_pipe_size
  234. DESC: nfacctd_pipe_size and sfacctd_pipe_size configuration directives
  235. are being introduced in order to set the socket size between the
  236. daemons and the kernel. Until 1.5.0rc2 the same was accomplished,
  237. the dirty way, via existing plugin_pipe_size config directive when
  238. assigned to the core process. If relying on this trick on 1.5.0rc2
  239. and upgrading this can silently create packet loss on 1.5.0r3 and
  240. later (packet loss can be checked by veryfing that the counter
  241. showed by "netstat -s | grep Rcv" is not increasing).
  242. TO: >= 1.5.0rc3
  243. FROM: <= 1.5.0rc2
  244. TOPIC: MySQL plugin, additional libraries required when compiling
  245. DESC: MySQL 5.6 and later require linking against libstdc++ and librt. For
  246. this reason, when compiling MySQL plugin, it's now required that the
  247. development packages for these two libraries must be installed on the
  248. host system. Checks for this are introduced at configure script time.
  249. It is not checked which MySQL version is installed so the requirement
  250. for these libraries is made retroactive.
  251. TO: >= 1.5.0rc3
  252. FROM: <= 1.5.0rc2
  253. TOPIC: SQL plugins, agent_id2 field
  254. DESC: Over the years, agent_id, agent_id2 fields were found confusing to
  255. store tag, tag2 primitives respectively. agent_id is now renamed 'tag'
  256. and backwards compatibility is preserved by issuing schema version #9.
  257. agent_id2 is not defined in any sql_table_schema instead and hence its
  258. renaming will be disruptive for existing deployments.
  259. TO: >= 1.5.0rc2
  260. FROM: <= 1.5.0rc1
  261. TOPIC: print plugin, dynamic file names and pointer to latest file
  262. DESC: Until 1.5.0rc1 pointer to latest file available was built as "<plugin
  263. name>-latest". Possibility to build variable spool directory structure
  264. and introduction of primitives-related variables, ie. $peer_src_ip, do
  265. phase-out the simple way of producing pointers, jeopardizing backward
  266. compatibility aswell. From 1.5.0rc2 a print_latest_file configuration
  267. directive allows to explicitely define pointer(s) to latest file(s):
  268. please refer to CONFIG-KEYS for more details about the feature. When
  269. upgrading, it is recommended to delete existing symlinks.
  270. TO: >= 1.5.0rc2
  271. FROM: <= 1.5.0rc1
  272. TOPIC: print plugin, dynamic file names and time-related variables
  273. DESC: Time-related variables substitution is now based solely on the value of
  274. print_history. Previously, if print_history was not specified, this was
  275. based on the value of print_refresh_time. While this breaks backward-
  276. compatibility, it makes print plugin acting consistently to the rest of
  277. pmacct plugins.
  278. TO: >= 1.5.0rc1
  279. FROM: <= 0.14.3
  280. TOPIC: print plugin, no entries to print_output_file
  281. DESC: In line with SQL plugins, in case there are no entries to account for the
  282. last print_refresh_time period, the purge function will not be invoked.
  283. As a result of that, if print_output_file contains time-based variables
  284. and if required to, output files will not be created anymore in case of
  285. no traffic to account for. Until 0.14.3, under same conditions, an empty
  286. output file (title only in case of formatted, CSV output) would have been
  287. printed out.
  288. TO: >= 1.5.0rc1
  289. FROM: <= 0.14.3
  290. TOPIC: IPv6, peer_src_ip primitive, NetFlow exporter IP address
  291. DESC: Upon enabling IPv6 at compile time, via --enable-ipv6 switch, an IPv4
  292. NetFlow exporter IP address, ie., was being written as IPv4-
  293. mapped IPv6 address, ie. ::ffff: This was causing confusion
  294. when composing maps, ie. the 'ip' field would change depending on whether
  295. IPv6 was enabled or not. To make maps consistent and simplify transitions
  296. to IPv6 compiled pmacct executables, IPv4-mapped IPv6 addresses are now
  297. internally translated to plain IPv4 ones.
  298. TO: >= 0.14.3
  299. FROM: <= 0.14.2
  300. TOPIC: networks_file & host aggregation primitives
  301. DESC: In previous releases defining a networks_file in conjunction with host
  302. aggregation primitives would automatically work as a filter (ie. zero out
  303. hosts not included in the networks_file); whereas defining a networks_file
  304. in conjunction with net primitives would only work as a resolver. Now this
  305. behaviour has been streamlined by introducing a networks_file_filter true-
  306. false configuration directive to explicitely enable/disable the filtering
  307. feature (for both host and net primitives) on top of the resolver one. To
  308. summarize: if using a networks_file in conjunction with host aggregation
  309. primitives, and in order to keep the same behaviour while upgrading, a
  310. line should be added to the configuration: "networks_file_filter: true".
  311. TO: >= 0.14.3
  312. FROM: <= 0.14.2
  313. TOPIC: xlate_src and xlate_dst
  314. DESC: Feature has been obsoleted and replaced by proper aggregation primitives
  315. (nat_event, post_nat_*) to support NEL (NetFlow Event Logging) as currently
  316. implemented on Cisco ASR devices and to support CGNAT kind of scenarios.
  317. TO: >= 0.14.3
  318. FROM: <= 0.14.2
  319. TOPIC: nfacctd_sql_log
  320. DESC: Feature has been obsoleted and replaced by proper aggregation primitives
  321. (timestamp_start, timestamp_end) that effectively convert pmacct into a
  322. logger if enabled.
  323. TO: >= 0.14.0
  324. FROM: <= 0.14.0rc3
  325. TOPIC: peer_dst_ip
  326. DESC: The peer_dst_ip primitive is being attached to IP prefix resolution method
  327. (ie. as defined by nfacctd_net directive) from AS number resolution method
  328. in the past (ie. as defined by nfacctd_as_new directive).
  329. TO: >= 0.14.0
  330. FROM: <= 0.14.0rc3
  331. TOPIC: Fallback resolution of networks and ASNs (ie. nfacctd_net, nfacctd_as_new)
  332. DESC: Longest match wins has been introduced to select which route resolution
  333. method to use in fallback scenarios. For example up to 0.14.0rc3, a route
  334. advertised via BGP would have been winning over any more specific route
  335. learned via sFlow/NetFlow regardless.
  336. TO: >= 0.14.0rc3
  337. FROM: <= 0.14.0rc2
  338. TOPIC: is_symmetric
  339. DESC: Support for is_symmetric aggregation primitive has been ceased due to lack
  340. of interest from the general community.
  341. TO: >= 0.14.0rc3
  342. FROM: <= 0.14.0rc2
  343. TOPIC: peer_src_ip
  344. DESC: peer_src_ip primitive must represent a reference (IP address, Agent ID) of
  345. the NetFlow or sFlow emitter for a certain flow. Due to previous work, this
  346. primitive was connected to the [ns]facctd_as_new mechanism which, if set to
  347. 'bgp', was making it represent the IP address of a BGP peer instead. This is
  348. found not correct and hence peer_src_ip has now been disconnected from the
  349. [ns]facctd_as_new feature and always constitutes a reference to the NetFlow
  350. or sFlow emitter.
  351. TO: >= 0.14.0rc2
  352. FROM: <= 0.14.0rc1
  353. TOPIC: NetFlow v9 sampling
  354. DESC: Support for sampling in NetFlow v9 and IPFIX is elegant from an architecture
  355. point of view - but complex if compared to NetFlow v5 and sFlow for example.
  356. Such increased complexity lacking of proper framing by means of a supportive
  357. RFC exposes to bizzarre and creative implementations by vendors. 0.14.0rc2
  358. introduces fixes and workarounds to its sampled NetFlow v9 support in an
  359. effort to tackle specific but popular platforms among operators - and which
  360. can result in breaking some backward compatibility in this sense. 0.14.0rc2
  361. introduces a sampling_map feature, which although not rocket science from a
  362. concept point of view, it helps supporting sampled NetFlow v9 in heterogeneous
  363. network hardware environments at the cost of an extra static setting to care
  364. about; on the other hand it's also true sampling rates are often uniform and
  365. seldomly redefined in a production network.
  366. TO: >= 0.12.1
  367. FROM <= 0.12.0
  368. TOPIC: Data source for ASNs must be explicitely defined
  369. DESC: data source for 'src_as' and 'dst_as' primitives for nfprobe and sfprobe
  370. plugins is now expected to be explicitely defined via the [ pmacctd_as |
  371. uacctd_as ] directive. All other plugins were already working like that.
  372. In terms of backward compatibility the only case affected is getting ASN
  373. values out of a Networks File: up to 0.12.0, it was sufficient to define
  374. a networks_file to implicitely use it.
  375. TO: >= 0.12.0rc1
  376. FROM: <= 0.11
  377. TOPIC: agent_id size and SQL table schemas
  378. DESC: With release 0.12, the agent_id field becomes 4-bytes large (from 2-bytes
  379. previously). SQL table schemas have been updated accordingly. If running
  380. a previous release and upgrading, you might incur into the risk that both
  381. Pre/Post-tagging infrastructures will accept values up to ~4M while the
  382. underlying SQL table schema is configured with a 2-bytes field. Solution
  383. is to run an "ALTER TABLE" statement to increase the field size during a
  384. maintenance window.
  385. TO: >= 0.12.0rc1
  386. FROM: <= 0.11
  387. TOPIC: nfprobe plugin: NetFlow v9 and 32-bit ASNs
  388. DESC: Release 0.12 introduces support for 32-bit ASNs in pmacct; things do not
  389. change in NetFlow v5 as if a 32-bit ASN is encountered, it is written as
  390. AS23456. In NetFlow v9, though, the source and destination AS fields are
  391. specified as 4 bytes long in the template. Given the template nature of
  392. NetFlow v9, this shouldn't pose a problem with 3rd party implementations
  393. but it's better to pay some extra attention while upgrading an existing
  394. installation.
  395. TO: >= 0.10.0
  396. FROM: <= 0.10.0rc3
  397. TOPIC: Configuration directives and command-line options
  398. DESC: In all previous releases, commandline options ( ie. -D -c ) were mutually
  399. exclusive with respect to configuration directives; now, they can cohexist
  400. and, more specifically, commandline options will override the content of
  401. the configuration file. This exposes to more interesting usages:
  402. shell> pmacctd -I <tracefile> -f <cfg>
  403. to launch pmacctd sharing an unique configuration file while reading data
  404. from different tcpdump/ethereal tracefiles among multiple runs.
  405. TO: >= 0.8.3
  406. FROM: <= 0.8.2
  407. TOPIC: Pre-Tagging, Post-Tagging
  408. DESC: In all previous releases, the 'pre_tag_map' and 'post_tag' directives were
  409. causing the captured traffic to be automatically tagged while forwarded to
  410. each active plugin; this behaviour can result in reduced flexibility; the
  411. 0.8.3 release makes the two forementioned directives just to evaluate the
  412. tag to be assigned to captured traffic; a new 'aggregate' directive keyword
  413. - tag - causes the traffic to be marked (basing on the previous evaluation).
  414. So, a configuration like the following:
  415. ...
  416. pre_tag_map: /usr/local/pmacct/
  417. aggregate[dummy]: src_host,dst_host,src_port,dst_port
  418. ...
  419. Have to be rewritten the following way in order for the plugin 'dummy' to
  420. receive the tags:
  421. ...
  422. pre_tag_map: /usr/local/pmacct/
  423. aggregate[dummy]: tag,src_host,dst_host,src_port,dst_port
  424. ...
  425. [EOF]