Hi Frederic,

Great to know it works. For time-binning I refer, for example, to the print_history feature: essentially, organize flows into time intervals (you can read more in CONFIG-KEYS, look for print_history). Active timeout is intended for all protocols that do not have states (i.e. UDP, ICMP) and for long-lived TCP sessions: it is essentially a condition to export a flow even if you keep seeing traffic (hence the "active" name, as opposed to passive timeout), i.e. export counters for an SSH session after 5 mins (active timeout) even though the session is still up, and maybe with keepalives configured.
Cheers,
Paolo

On Tue, Oct 18, 2016 at 11:42:22AM +0200, frederic.bil...@laposte.net wrote:
>
> Many thanks for the information Paolo, this works perfectly well out of the
> box with your command lines. I was convinced the output of each program was
> the same. Your explanation is very good.
> It correctly logs TCP, UDP, and ICMP exactly as we want.
> We now have to log into a flat file, do the glue with the remote logging,
> etc.
>
> What are "time binning" and "active timeout"?
>
> I understand "time binning" as a way to regularly log a long connection.
> For example a TCP download which takes 10 minutes, if the time-bin is 1 minute
> then we have this connection reported every 1 minute.
> Am I right?
>
>
> ----- Original mail -----
>
> From: "Paolo Lucente" <pa...@pmacct.net>
> To: pmacct-discussion@pmacct.net
> Sent: Thursday 13 October 2016 19:17:49
> Subject: Re: [pmacct-discussion] Logging per connection
>
> Hi Frederic,
>
> What I would recommend is: use pmacctd with the nfprobe plugin to build
> flows out of packets; the flow engine is present in pmacct but is not
> hooked up to other plugins, i.e. the print one that you are using. Then,
> you can recollect the output of the nfprobe plugin with nfacctd; there
> you can use the print plugin to save to disk.
>
> I guess you can do a quick proof-of-concept of all of this on the same
> single box you are using now:
>
> * pmacctd -i <interface> -P nfprobe
> * nfacctd -P print -c src_host,dst_host,src_port,dst_port,proto,tos,timestamp_start,timestamp_end
>
> Wait a bit so that pmacctd exports data and nfacctd prints it out. Or,
> in even more debug mode :), you can press CTRL+C in the pmacctd tab first, and
> after a few secs, in the nfacctd tab. In this second tab you should see some
> data output. The flow engine will populate the timestamp_start/timestamp_end
> primitives that, in turn, will trigger the de-aggregation you need.
>
> You may take it from there if satisfied and complicate things further as
> needed (adjust active/passive timeouts for the flow engine, save to files,
> enable time-binning, etc).

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
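To make the two concepts from the thread concrete, here is an added toy example (not pmacct's code): a minimal flow cache that applies an active timeout and a passive timeout as described above and stamps each exported record with its time bin. The addresses, timeout values and traffic pattern are constructed for illustration.

```python
# Added illustration, not pmacct's flow engine; all values are constructed.
from dataclasses import dataclass
ACTIVE_TIMEOUT = 300   # export a live flow every 5 min even if traffic continues
PASSIVE_TIMEOUT = 60   # export a flow once it has been idle for 60 s
BIN_SIZE = 60          # time-binning: tag each record with its 60 s bucket

@dataclass
class Flow:
    key: tuple           # (src_host, dst_host, proto, dst_port)
    first_seen: int
    last_seen: int
    packets: int = 0

class FlowCache:
    def __init__(self):
        self.flows = {}
        self.exported = []   # what a print-style plugin would write to disk

    def _export(self, f, reason):
        self.exported.append({"key": f.key, "packets": f.packets, "reason": reason,
                              "bin": f.first_seen - f.first_seen % BIN_SIZE})

    def expire(self, now):
        for key, f in list(self.flows.items()):
            if now - f.last_seen >= PASSIVE_TIMEOUT:
                self._export(f, "passive")     # went idle: typical for UDP/ICMP
                del self.flows[key]
            elif now - f.first_seen >= ACTIVE_TIMEOUT:
                self._export(f, "active")      # still alive: export counters, restart entry
                self.flows[key] = Flow(key, now, now)

    def packet(self, now, key):
        self.expire(now)
        f = self.flows.setdefault(key, Flow(key, now, now))
        f.last_seen, f.packets = now, f.packets + 1

    def flush(self):
        for f in self.flows.values():
            self._export(f, "flush")           # e.g. daemon stopped with CTRL+C
        self.flows.clear()

def simulate():
    ssh = ("10.0.0.5", "10.0.0.9", "tcp", 22)    # keepalive every 10 s for ~12 min
    dns = ("10.0.0.5", "10.0.0.53", "udp", 53)   # one short query/response
    cache = FlowCache()
    for t, key in sorted([(t, ssh) for t in range(0, 701, 10)] + [(5, dns), (7, dns)]):
        cache.packet(t, key)
    cache.flush()
    return cache.exported   # one passive (dns), two active (ssh), one flush (ssh)
```

The SSH session is exported at t=300 and t=600 while still carrying traffic, which is exactly the behaviour the active timeout provides; the DNS exchange is exported once it has gone quiet.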