Hi Frederic,

Great to know it works. For time-binning I refer, for example, to the
print_history feature: essentially, organizing flows into time intervals
(you can read more in CONFIG-KEYS, look for print_history). Active
timeout is intended for all protocols that do not have states (i.e. UDP,
ICMP) and for long-lived TCP sessions: it is essentially a condition to
export a flow even if you keep seeing traffic (hence the "active" name, as
opposed to passive timeout): i.e. export counters for an SSH session
after 5 mins (active timeout) even though the session is still up, and
maybe with keepalives configured.


On Tue, Oct 18, 2016 at 11:42:22AM +0200, frederic.bil...@laposte.net wrote:
> Many thanks for the information Paolo, this works perfectly well out of the
> box with your command lines. I was convinced the output of each program was
> the same. Your explanation is very good.
> It correctly logs TCP, UDP, and ICMP exactly as we want.
> We now have to log into a flat file, do the glue with the remote logging,
> etc.
> What are "time binning" and "active timeout"?
> I understand "time binning" as a way to regularly log a long connection.
> For example a TCP download which takes 10 minutes, if the time-bin is 1 minute
> then we have this connection reported every 1 minute.
> Am I right?
> ----- Original Message -----
> From: "Paolo Lucente" <pa...@pmacct.net>
> To: pmacct-discussion@pmacct.net
> Sent: Thursday 13 October 2016 19:17:49
> Subject: Re: [pmacct-discussion] Logging per connection
> Hi Frederic, 
> What I would recommend is: use pmacctd with the nfprobe plugin to build
> flows out of packets; the flow engine is present in pmacct but is not
> hooked up to other plugins, i.e. the print one that you are using. Then,
> you can recollect the output of the nfprobe plugin with nfacctd - there
> you can use the print plugin to save to disk.
> I guess you can do a quick proof-of-concept of all of this on the same 
> single box you are using now: 
> * pmacctd -i <interface> -P nfprobe 
> * nfacctd -P print -c 
> src_host,dst_host,src_port,dst_port,proto,tos,timestamp_start,timestamp_end 
> Wait a bit so that pmacctd exports data and nfacctd prints it out. Or,
> even more debug mode :), you can press CTRL+C in the pmacctd tab first, and
> after a few secs, in the nfacctd tab. In this second tab you should see some
> data output. The flow engine will populate timestamp_start/timestamp_end
> primitives that, in turn, will trigger the de-aggregation you need.
> You may take it from there if satisfied and complicate things further as 
> needed (adjust active/passive timeouts for the flow engine, save to files, 
> enable time-binning, etc). 

pmacct-discussion mailing list
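The active timeout described above has a direct consequence for anyone who wants "one log line per connection" out of this pipeline: a long-lived session is exported as several consecutive records, one per active-timeout interval, and the consumer has to stitch them back together. The following is an added example of such a consumer, not code from pmacct or from the thread. It assumes nfacctd's print plugin emits CSV with the column names and timestamp format shown in the constructed sample (those are assumptions here, not a guarantee about pmacct's output), and it assumes a merge rule of its own: a record continues the open session for the same 5-tuple if it starts no later than MAX_GAP seconds after that session's current end.

```python
"""
Added example (not pmacct code): stitch per-connection records exported by
pmacctd's nfprobe plugin and printed by nfacctd back into logical sessions.

With a 5-minute active timeout, a 12-minute SSH session shows up as three
records even though the TCP connection never closed.  Short stateless flows
(DNS over UDP, ICMP) are exported once each.  A later record for the same
5-tuple that starts long after the previous one ended is a new session.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in the shape of nfacctd's print plugin CSV output for
# the aggregate list used in the thread.  Header names and timestamp format
# are assumptions for this example.
SAMPLE_CSV = """\
SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TOS,TIMESTAMP_START,TIMESTAMP_END,PACKETS,BYTES
10.0.0.5,192.0.2.10,51234,22,tcp,0,2016-10-18 11:00:00.000000,2016-10-18 11:05:00.000000,1200,96000
10.0.0.5,192.0.2.10,51234,22,tcp,0,2016-10-18 11:05:00.000000,2016-10-18 11:10:00.000000,1100,88000
10.0.0.5,192.0.2.10,51234,22,tcp,0,2016-10-18 11:10:00.000000,2016-10-18 11:12:07.000000,300,24000
10.0.0.5,192.0.2.53,40001,53,udp,0,2016-10-18 11:01:02.000000,2016-10-18 11:01:02.000000,1,72
10.0.0.5,192.0.2.10,0,0,icmp,0,2016-10-18 11:03:00.000000,2016-10-18 11:03:04.000000,5,420
10.0.0.5,192.0.2.10,51234,22,tcp,0,2016-10-18 13:00:00.000000,2016-10-18 13:00:30.000000,40,3200
"""

# Assumption for this example: slices of the same 5-tuple that are further
# apart than this are treated as separate sessions.
MAX_GAP = timedelta(seconds=60)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_records(text):
    """Parse print-plugin CSV into dicts with real timestamps and integers."""
    recs = []
    for row in csv.DictReader(StringIO(text)):
        recs.append({
            "key": (row["SRC_IP"], row["DST_IP"], row["SRC_PORT"],
                    row["DST_PORT"], row["PROTOCOL"]),
            "start": datetime.strptime(row["TIMESTAMP_START"], TS_FMT),
            "end": datetime.strptime(row["TIMESTAMP_END"], TS_FMT),
            "packets": int(row["PACKETS"]),
            "bytes": int(row["BYTES"]),
        })
    return recs


def stitch_sessions(records, max_gap=MAX_GAP):
    """Merge active-timeout slices of the same 5-tuple into one session each.

    Records are walked in start-time order.  A record extends the open
    session for its 5-tuple if it starts no later than max_gap after that
    session's current end; otherwise it opens a new session.
    """
    sessions = []
    open_by_key = {}
    for rec in sorted(records, key=lambda r: r["start"]):
        sess = open_by_key.get(rec["key"])
        if sess is not None and rec["start"] - sess["end"] <= max_gap:
            sess["end"] = max(sess["end"], rec["end"])
            sess["packets"] += rec["packets"]
            sess["bytes"] += rec["bytes"]
            sess["slices"] += 1
        else:
            sess = {"key": rec["key"], "start": rec["start"], "end": rec["end"],
                    "packets": rec["packets"], "bytes": rec["bytes"], "slices": 1}
            sessions.append(sess)
            open_by_key[rec["key"]] = sess
    return sessions


def format_session(s):
    """One flat log line per logical connection."""
    src, dst, sport, dport, proto = s["key"]
    dur = (s["end"] - s["start"]).total_seconds()
    return (f"{proto} {src}:{sport} -> {dst}:{dport} "
            f"start={s['start']:%Y-%m-%d %H:%M:%S} dur={dur:.0f}s "
            f"pkts={s['packets']} bytes={s['bytes']} slices={s['slices']}")


if __name__ == "__main__":
    for s in stitch_sessions(parse_records(SAMPLE_CSV)):
        print(format_session(s))
```

Run against the constructed sample, the three SSH slices collapse into one 727-second session carrying 2600 packets, the DNS and ICMP flows stay single records, and the SSH record two hours later becomes a separate session. The same stitching is needed if time-binning via print_history is enabled, since that slices records on bin boundaries as well; the gap threshold should be chosen with the nfprobe passive (inactivity) timeout in mind, because a gap longer than that timeout means the flow engine itself already considered the first session finished.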