Hi Stathis,

You do not outline which capturing method you intend to
use, i.e. libpcap, NetFlow/IPFIX, sFlow, etc. If using NetFlow/
IPFIX you are sorted already, as you just add timestamp_start
and timestamp_end to the quintuple in your aggregation method.

If using libpcap, well, a NetFlow probe helps precisely with
creating flows out of sniffed packets. pmacct has a 'nfprobe'
plugin for this. So the solution would be: pmacctd sniffs on
an interface and is configured with a 'nfprobe' plugin that
exports flows to an nfacctd daemon (co-located on the same box
or on a different box) which, in turn, is configured to save
data to the preferred backend and aggregate on the quintuple
plus timestamp_start, timestamp_end.

If using sFlow you might have an issue capturing the flags,
depending on how heavily you sample. Let me know if you are
in this case.

Cheers,
Paolo

On Mon, Feb 03, 2014 at 11:28:55PM +0200, Stathis Gkotsis wrote:
> Hi,
> Let's say we configure pmacct to aggregate on: src ip, src port, dst ip, dst 
> port, proto. That means that it will produce flow records aggregating on the 
> TCP quintuple.
> Would it be possible to get the start timestamp (time of TCP SYN) of a TCP 
> connection? Similarly, would it be possible to get the duration of a 
> connection (possibly the timestamp of FIN)? Are any of these things possible 
> through pmacct?
> Thank you.
>

> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists

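The two-daemon setup Paolo describes for the libpcap case, written out as a pair of pmacct configuration files. This is an added example, not a configuration posted by Paolo or shipped with pmacct; the interface name, the collector port 2100, the output file path and the timeout values are assumptions and should be adapted to the deployment.

```conf
! ---- pmacctd.conf: sniff packets and export them as NetFlow v9 flows ----
daemonize: false
interface: eth0                      ! assumption: capture interface
plugins: nfprobe
! assumption: nfacctd listens on the same box, UDP port 2100
nfprobe_receiver: 127.0.0.1:2100
nfprobe_version: 9
! Flow expiry controls when a record is emitted. tcp.fin / tcp.rst expire a
! flow shortly after FIN / RST is seen, so the record's end time tracks the
! close of the connection; maxlife caps how long any flow stays open before
! it is exported and restarted (values here are assumptions, in seconds).
nfprobe_timeouts: tcp=3600:tcp.rst=120:tcp.fin=300:udp=300:icmp=300:general=3600:maxlife=86400:expint=60

! ---- nfacctd.conf: collect the exported flows and write them out ----
daemonize: false
nfacctd_ip: 127.0.0.1
nfacctd_port: 2100
plugins: print
print_output: csv
! assumption: output directory exists and is writable by nfacctd
print_output_file: /var/log/pmacct/flows-%Y%m%d-%H%M.csv
print_refresh_time: 60
! The quintuple, plus the first/last packet timestamps carried in the
! NetFlow record, plus the OR of the TCP flags seen on the flow so the
! presence of SYN and FIN can be checked per record.
aggregate: src_host, dst_host, src_port, dst_port, proto, timestamp_start, timestamp_end, tcpflags
```

Start pmacctd with `pmacctd -f pmacctd.conf` and nfacctd with `nfacctd -f nfacctd.conf`. One caveat worth keeping in mind: a TCP connection that outlives the active timeout (`maxlife` above) is exported as several consecutive records rather than one, so the start of the connection is the timestamp_start of the first record whose tcpflags include SYN, and the end is the timestamp_end of the record whose tcpflags include FIN or RST; the duration is the difference between the two, not the span of any single record.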