Great to know it works. For time-binning I refer, for example, to the
print_history feature, essentially organizing flows into time intervals
(you can read more in CONFIG-KEYS, look for print_history). Active
timeout is intended for all protocols that do not have states (i.e. UDP,
ICMP) and for long-lived TCP sessions: it is essentially a condition to
export a flow even if you keep seeing traffic (hence the "active" name,
as opposed to passive timeout): i.e. export counters for an SSH session
after 5 mins (active timeout) even though the session is still up, and
maybe with keepalives configured.
On Tue, Oct 18, 2016 at 11:42:22AM +0200, frederic.bil...@laposte.net wrote:
> Many thanks for the information Paolo, this works perfectly well out of the
> box with your command lines. I was convinced the output of each program was
> the same. Your explanation is very good.
> It correctly logs TCP, UDP, and ICMP exactly as we want.
> We now have to log into a flat file and do the glue with the remote logging.
> What are "time binning" and "active timeout"?
> I understand "time binning" as a way to regularly log a long connection.
> For example a TCP download which takes 10 minutes, if the time-bin is 1 minute
> then we have this connection reported every 1 minute.
> Am I right?
> ----- Original Message -----
> From: "Paolo Lucente" <pa...@pmacct.net>
> To: firstname.lastname@example.org
> Sent: Thursday, 13 October 2016 19:17:49
> Subject: Re: [pmacct-discussion] Logging per connection
> Hi Frederic,
> What I would recommend is: use pmacctd with the nfprobe plugin to build
> flows out of packets; the flow engine is present in pmacct but is not
> hooked up to other plugins, i.e. the print one that you are using. Then,
> you can recollect the output of the nfprobe plugin with nfacctd - there
> you can use the print plugin to save to disk.
> I guess you can do a quick proof-of-concept of all of this on the same
> single box you are using now:
> * pmacctd -i <interface> -P nfprobe
> * nfacctd -P print -c
> Wait a bit so that pmacctd exports data and nfacctd prints it out. Or,
> in an even more debug mode :), you can press CTRL+C in the pmacctd tab first, and
> after a few seconds, in the nfacctd tab. In this second tab you should see some
> data output. The flow engine will populate the timestamp_start/timestamp_end
> primitives that, in turn, will trigger the de-aggregation you need.
> You may take it from there if satisfied and complicate things further as
> needed (adjust active/passive timeouts for the flow engine, save to files,
> enable time-binning, etc).
pmacct-discussion mailing list
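The two-daemon setup recommended in the thread (pmacctd + nfprobe feeding nfacctd + print), written out as configuration files instead of command-line flags, with the active/passive timeouts and the time-binning discussed above. This is an added example, not from the original thread or from the pmacct project; the interface, receiver port, file path and timeout values are my own choices, and the field meanings in nfprobe_timeouts follow the softflowd-style semantics I assume pmacct's flow engine uses (maxlife as the active timeout, the per-protocol values as idle/passive timeouts).

```ini
! pmacctd.conf: build flows out of packets and export them as NetFlow v9
! (constructed example; interface, port and timeouts are assumptions)
interface: eth0
plugins: nfprobe
nfprobe_receiver: 127.0.0.1:2100
nfprobe_version: 9
! per-protocol values: idle (passive) timeouts, i.e. export after no traffic
! maxlife: active timeout, i.e. export even though traffic keeps flowing,
! so a long-lived SSH session is reported as a series of 5-minute records
! expint: how often the engine scans for expired flows
nfprobe_timeouts: tcp=3600:tcp.rst=120:tcp.fin=300:udp=60:icmp=60:general=3600:maxlife=300:expint=10

! nfacctd.conf: collect the exports and write them to disk, one file per bin
nfacctd_ip: 127.0.0.1
nfacctd_port: 2100
plugins: print
! timestamp_start/timestamp_end keep each flow record distinct in the output
aggregate: src_host, dst_host, src_port, dst_port, proto, timestamp_start, timestamp_end
print_output: csv
! time-binning: a 10-minute download shows up as ten 1-minute records,
! with bins aligned to the minute boundary
print_history: 1m
print_history_roundoff: m
print_refresh_time: 60
print_output_file: /var/log/pmacct/flows-%Y%m%d-%H%M.csv
```

Run each daemon with `-f <file>` pointing at its configuration; the print plugin flushes to a new file each minute, so a flow that outlives a bin appears in every file covering its lifetime.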