Re: [pmacct-discussion] Logging per connection

2016-10-18 Thread frederic . billis

Many thanks for the information Paolo, this works perfectly well out of the 
box with your command lines. I was convinced the output of each program was the 
same. Your explanation is very good. 
It correctly logs TCP, UDP, and ICMP exactly as we want. 
We now have to log to a flat file, do the glue with the remote logging, etc. 

What are "time binning" and "active timeout"? 

I understand "time binning" as a way to regularly log a long connection. 
For example a TCP download which takes 10 minutes: if the time-bin is 1 minute 
then we have this connection reported every 1 minute. 
Am I right? 



- Original message -

From: "Paolo Lucente" <pa...@pmacct.net> 
To: pmacct-discussion@pmacct.net 
Sent: Thursday, 13 October 2016 19:17:49 
Subject: Re: [pmacct-discussion] Logging per connection 


Hi Frederic, 

What I would recommend is: use pmacctd with the nfprobe plugin to build 
flows out of packets; the flow engine is present in pmacct but is not 
hooked up to other plugins, i.e. the print one that you are using. Then, 
you can recollect the output of the nfprobe plugin with nfacctd - there 
you can use the print plugin to save to disk. 

I guess you can do a quick proof-of-concept of all of this on the same 
single box you are using now: 

* pmacctd -i  -P nfprobe 
* nfacctd -P print -c src_host,dst_host,src_port,dst_port,proto,tos,timestamp_start,timestamp_end 

Wait a bit so that pmacctd exports data and nfacctd prints it out. Or, 
even more debug mode :), you can press CTRL+C in the pmacctd tab first and, 
after a few secs, in the nfacctd tab. In this second tab you should see some 
data output. The flow engine will populate the timestamp_start/timestamp_end 
primitives that, in turn, will trigger the de-aggregation you need. 

You may take it from there if satisfied and complicate things further as 
needed (adjust active/passive timeouts for the flow engine, save to files, 
enable time-binning, etc). 
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Logging per connection

2016-10-13 Thread Paolo Lucente

Hi Frederic,

What I would recommend is: use pmacctd with the nfprobe plugin to build
flows out of packets; the flow engine is present in pmacct but is not
hooked up to other plugins, i.e. the print one that you are using. Then,
you can recollect the output of the nfprobe plugin with nfacctd - there
you can use the print plugin to save to disk.

I guess you can do a quick proof-of-concept of all of this on the same
single box you are using now:

* pmacctd -i  -P nfprobe
* nfacctd -P print -c src_host,dst_host,src_port,dst_port,proto,tos,timestamp_start,timestamp_end

Wait a bit so that pmacctd exports data and nfacctd prints it out. Or,
even more debug mode :), you can press CTRL+C in the pmacctd tab first and,
after a few secs, in the nfacctd tab. In this second tab you should see some
data output. The flow engine will populate the timestamp_start/timestamp_end
primitives that, in turn, will trigger the de-aggregation you need. 

You may take it from there if satisfied and complicate things further as
needed (adjust active/passive timeouts for the flow engine, save to files,
enable time-binning, etc).

Cheers,
Paolo

On Wed, Oct 12, 2016 at 05:41:49PM +0200, frederic.bil...@laposte.net wrote:
> Hi, 
> 
> I just discovered pmacct. 
> I read the documentation and examples, but wasn't able to obtain the result I 
> want. I also looked at this mailing list for the current year. 
> 
> I want to log each TCP and UDP connection: 
> src_host,dst_host,src_port,dst_port,proto,timestamp_start,timestamp_end (or 
> timestamp_start,duration) 
> I just don't want to log each packet, because of the huge storage involved. 
> 
> For example an SSH connection will only produce one log line, indicating from 
> where (src ip:port) to where (dst ip:port) how (proto) and when (start:end or 
> start:duration). Total bytes and/or packets are nice too. 
> Ideally other protocols should be treated in the same way, but this is not an 
> issue. 
> 
> I tested with: 
> pmacctd -P print -O csv -r 60 -i eth0 -c 
> src_host,dst_host,src_port,dst_port,proto,timestamp_start,timestamp_end 
> 
> But this doesn't do what I need: each packet has its own line because I use 
> timestamps. So I removed the timestamps, but for example if two TCP 
> connections with the same src_ip:port dst_ip:port are made one after the other, 
> they are all added and displayed on the same line (okay, I can live with this). 
> And of course I don't have the start timestamp nor the duration, which is 
> mandatory. 
> 
> The log will be written to a flat file. 
> I can manage without problem to have "60 seconds blocks" (this is an 
> arbitrary duration): if a connection crosses the boundary of a 60 second block, 
> I have no problem to (partially) see this connection once in each block. 
> 
> Is it doable with pmacct? 
> If yes, how? 
> 
> I hope my question is clear enough. 
> Feel free to ask for clarifications. 
> 
> 

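Added example, not part of the thread and not pmacct's own code: a small Python model of the two mechanisms Paolo points at (the flow engine's active/passive timeouts) and Frederic asks about (time binning), so the two can be told apart. It feeds a constructed capture (a 10-minute TCP download at one packet per second, two short SSH sessions that reuse the same source port 93 s apart, one DNS query) through a 5-tuple flow cache with an assumed 60 s active and 15 s passive timeout, then groups the exported records into assumed 60 s bins and renders them with the columns of the -c list from the thread. The timeout values, bin width, addresses and CSV header names are this example's assumptions, not pmacct defaults.

```python
"""Toy flow engine and time-binning model for the pmacct thread above.

Illustration added for this page, not pmacct's nfprobe flow engine.
The 60 s active timeout, 15 s passive timeout, 60 s bin width and every
packet below are assumed / constructed values.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport proto length")
Flow = namedtuple("Flow", "src dst sport dport proto start end packets bytes")

ACTIVE_TIMEOUT = 60    # cut a long-lived flow every 60 s (assumed)
PASSIVE_TIMEOUT = 15   # expire a flow idle for more than 15 s (assumed)
BIN_SECONDS = 60       # width of one time bin (assumed)


def build_flows(packets, active=ACTIVE_TIMEOUT, passive=PASSIVE_TIMEOUT):
    """Aggregate packets into Flow records keyed by the 5-tuple.

    Packet-driven model: when a packet arrives for a key whose open flow
    has been alive for >= `active` seconds, or idle for > `passive`
    seconds, the open flow is exported and a fresh one is started.
    Whatever is still open at the end of the capture is flushed.
    """
    open_flows = {}          # key -> [start, end, packets, bytes]
    exported = []

    def export(key, st):
        exported.append(Flow(*key, *st))

    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        st = open_flows.get(key)
        if st and (p.ts - st[1] > passive or p.ts - st[0] >= active):
            export(key, st)
            st = None
        if st is None:
            open_flows[key] = [p.ts, p.ts, 1, p.length]
        else:
            st[1] = p.ts
            st[2] += 1
            st[3] += p.length
    for key, st in open_flows.items():
        export(key, st)
    return sorted(exported, key=lambda f: (f.start, f.sport))


def bin_flows(flows, width=BIN_SECONDS):
    """Time binning: group exported records by the bin containing their
    start timestamp. Returns {bin_start: number_of_records}."""
    bins = {}
    for f in flows:
        b = (f.start // width) * width
        bins[b] = bins.get(b, 0) + 1
    return dict(sorted(bins.items()))


def to_csv(flows):
    """Render records with the columns of the -c list in the thread plus
    packets and bytes. Header names are this example's, not pmacct's."""
    header = ("src_host,dst_host,src_port,dst_port,proto,"
              "timestamp_start,timestamp_end,packets,bytes")
    rows = [",".join(str(v) for v in f) for f in flows]
    return "\n".join([header] + rows)


def sample_packets():
    """Constructed capture: a 10-minute TCP download (one packet per second),
    two short SSH sessions reusing the same source port 93 s apart, and one
    DNS query. Addresses are documentation/private ranges chosen at random."""
    pkts = [Packet(t, "10.0.0.5", "203.0.113.10", 40001, 443, "tcp", 1400)
            for t in range(600)]
    pkts += [Packet(t, "10.0.0.5", "10.0.0.9", 51000, 22, "tcp", 120)
             for t in (5, 6, 7, 100, 101)]
    pkts.append(Packet(3, "10.0.0.5", "10.0.0.1", 53001, 53, "udp", 70))
    return pkts


def per_key(flows, sport):
    """Records belonging to the flow with source port `sport`."""
    return [f for f in flows if f.sport == sport]


if __name__ == "__main__":
    flows = build_flows(sample_packets())
    print(to_csv(flows))
    print(bin_flows(flows))
    n = len(build_flows(sample_packets(), active=3600))
    print(n, "records with a 1 h active timeout instead of 60 s")
```

Running it shows the download coming out as ten one-minute records because the active timeout cuts the flow, while the same capture with active=3600 yields a single 600-packet record; the two SSH sessions stay separate only because the gap between them exceeds the passive timeout. The binning step merely counts records per window, it does not split flows by itself. In pmacct the corresponding knobs are nfprobe_timeouts on the pmacctd side and the print plugin's refresh/history settings on the nfacctd side (assumed from pmacct's CONFIG-KEYS; check that file for the exact syntax).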