Many thanks for the information Paolo, this works perfectly well out of the box with your command lines. I was convinced the output of each program was the same. Your explanation is very good. It correctly logs TCP, UDP, and ICMP exactly as we want. We now have to log into a flat file, do the glue with the remote logging, etc.
What are "time binning" and "active timeout"? I understand "time binning" as a way to regularly log a long connection. For example, for a TCP download which takes 10 minutes, if the time bin is 1 minute then we have this connection reported every 1 minute. Am I right?

----- Original message -----
From: "Paolo Lucente" <pa...@pmacct.net>
To: pmacct-discussion@pmacct.net
Sent: Thursday 13 October 2016 19:17:49
Subject: Re: [pmacct-discussion] Logging per connection

Hi Frederic,

What I would recommend is: use pmacctd with the nfprobe plugin to build flows out of packets; the flow engine is present in pmacct but is not hooked up to other plugins, i.e. the print one that you are using. Then, you can recollect the output of the nfprobe plugin with nfacctd - there you can use the print plugin to save to disk.

I guess you can do a quick proof-of-concept of all of this on the same single box you are using now:

* pmacctd -i <interface> -P nfprobe
* nfacctd -P print -c src_host,dst_host,src_port,dst_port,proto,tos,timestamp_start,timestamp_end

Wait a bit so that pmacctd exports data and nfacctd prints it out. Or, even more debug mode :), you can press CTRL+C in the pmacctd tab first, and after a few secs, in the nfacctd tab. In this second tab you should see some data output.

The flow engine will populate the timestamp_start/timestamp_end primitives that, in turn, will trigger the de-aggregation you need. You may take it from there if satisfied and complicate things further as needed (adjust active/passive timeouts for the flow engine, save to files, enable time-binning, etc).
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
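As an added example (not part of either message above and not shipped by the pmacct project), the two-daemon setup Paolo describes written as configuration files instead of command-line flags, with the flow-engine timeouts and time binning that the follow-up question asks about spelled out. The interface name, collector address/port, output path and timeout values are assumptions chosen for a single-box proof of concept; the key names are those documented in pmacct's CONFIG-KEYS for the 2016-era releases (later releases rename `interface` to `pcap_interface`), and the reading of `maxlife` as the active timeout and the per-protocol values as idle (passive) timeouts follows the softflowd-derived nfprobe engine.

```conf
! ---- pmacctd.conf (probe side: packets in, NetFlow v9 out) ----
! assumed interface and local collector address
daemonize: false
interface: eth0
plugins: nfprobe
nfprobe_receiver: 127.0.0.1:2100
nfprobe_version: 9
! Flow expiry in seconds. The per-protocol values (tcp, udp, icmp, general) and
! the tcp.rst/tcp.fin values are idle (passive) timeouts: a flow is exported when
! no packet has been seen for that long. maxlife is the active timeout: a flow
! still carrying packets is exported anyway after that many seconds and a new
! record is started, so a 10-minute download shows up as a series of <=60 s
! records. expint is how often the cache is scanned for expired flows.
nfprobe_timeouts: tcp=300:tcp.rst=30:tcp.fin=30:udp=60:icmp=30:general=300:maxlife=60:expint=10
aggregate: src_host,dst_host,src_port,dst_port,proto,tos

! ---- nfacctd.conf (collector side: NetFlow in, CSV files out) ----
daemonize: false
nfacctd_ip: 127.0.0.1
nfacctd_port: 2100
plugins: print
! keep the flow start/end carried in the exported records instead of
! stamping records with the time they arrived at the collector
nfacctd_time_new: false
aggregate: src_host,dst_host,src_port,dst_port,proto,tos,timestamp_start,timestamp_end
! Time binning: account data in 1-minute bins aligned to the wall-clock minute,
! flush every 60 s, and write each bin to its own CSV file (assumed path).
print_history: 1m
print_history_roundoff: m
print_refresh_time: 60
print_output: csv
print_output_file: /var/log/pmacct/flows-%Y%m%d-%H%M.csv
```

Start the two daemons with `pmacctd -f pmacctd.conf` and `nfacctd -f nfacctd.conf`. The two mechanisms are independent: the active timeout decides how long a single flow record may span on the probe, while time binning decides which file (or bin) the collector files a record under; with the values above a long-lived TCP transfer is split by the probe every minute and each piece lands in the file for its minute, which is the per-minute reporting the question describes.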