Hi, I've got a couple of ideas I wanted to put forward for pmacct.

Recording only the top percentage of hosts

I've been a victim of some denial of service attacks and I'd like to use pmacctd to record where they are coming from. It is fairly obvious that src_host summarisation to SQL is going to end up putting a heavy burden on the database, in terms of IO and storage. Would it be possible for pmacctd to only insert the highest traffic generating hosts to SQL? E.g., discard all but the top 5% of hosts every 5 minutes.

SQL summarisation...

You know how cacti/mrtg sets up graphs for day, week, month, year... I've created some perl scripts which take a 5 minute updated SQL table, 24 hours' worth of history; it then summarises this into a 30 minute weekly table and a 2 hour monthly table. It's not working very well and the data ends up screwing up all over the place. I guess I could run multiple pmacctd with different update periods, but that would end up using lots of RAM, I expect. Anyone else got any ideas on how to achieve this?

Some other quick questions...

Does pmacctd only record tcp/udp or also other ip protocols, icmp etc? Is there a way to find out which protocol certain traffic was?

Thanks
Michael Ralston
Stral.net
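The two ideas in the post, rolling a 5-minute table up into coarser buckets and keeping only the top few percent of hosts per bucket, as an added example that is not part of the original message and not pmacct's own code; it assumes a simplified table `acct` with columns `ip_src`, `bytes` and `stamp_inserted` (constructed, modelled loosely on a pmacct SQL table) and uses an in-memory SQLite database so it runs offline:

```python
import sqlite3

# Constructed sample rows: one row per source host per 5-minute slot.
# The column names are an assumption for this example, not pmacct's schema.
SAMPLE_ROWS = [
    ("10.0.0.1", 5000, "2004-01-01 00:00:00"),
    ("10.0.0.2",  100, "2004-01-01 00:00:00"),
    ("10.0.0.1", 7000, "2004-01-01 00:05:00"),
    ("10.0.0.3",  300, "2004-01-01 00:10:00"),
    ("10.0.0.1", 4000, "2004-01-01 00:30:00"),  # falls in the next 30-minute bucket
    ("10.0.0.2",  200, "2004-01-01 00:35:00"),
]

def open_db():
    """Create the in-memory table and load the constructed sample."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE acct (ip_src TEXT, bytes INTEGER, stamp_inserted TEXT)")
    con.executemany("INSERT INTO acct VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con

def rollup(con, bucket_minutes):
    """Sum bytes per host into fixed-size buckets (e.g. 30 or 120 minutes).
    Each timestamp is floored to the start of its bucket, so every 5-minute
    row lands in exactly one coarser row: no overlap and no double counting."""
    secs = bucket_minutes * 60
    sql = (
        "SELECT ip_src, "
        "datetime((CAST(strftime('%s', stamp_inserted) AS INTEGER) / ?) * ?, 'unixepoch') AS bucket, "
        "SUM(bytes) FROM acct GROUP BY ip_src, bucket ORDER BY bucket, ip_src"
    )
    return con.execute(sql, (secs, secs)).fetchall()

def top_hosts(con, percent, bucket_minutes):
    """Within each bucket keep only the top `percent` of hosts by bytes
    (at least one), discarding the long tail the post wants to avoid storing."""
    by_bucket = {}
    for host, bucket, total in rollup(con, bucket_minutes):
        by_bucket.setdefault(bucket, []).append((host, total))
    kept = {}
    for bucket, hosts in by_bucket.items():
        hosts.sort(key=lambda h: h[1], reverse=True)
        n = max(1, -(-len(hosts) * percent // 100))  # ceiling division
        kept[bucket] = hosts[:n]
    return kept
```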
