Hello Peter, I wish just to reply about the exact time, while I will be happy to hear from anyone who has thoughts to share about law enforcement (and the related topic of the footprint's precision).

I think the concept of exact time is applicable to a packet-by-packet log. This isn't our case, because 'src_ip,src_port,dst_ip,dst_port,ip_proto' represents a unidirectional flow: a set of packets having a common value for some primitives and exploiting a certain temporal locality. Talking about flows, we can identify a 'start time' and an 'end time': the time we see the first/last packet of the flow. Enabling historical accounting makes pmacct give a value to the 'stamp_updated' field (other than 'stamp_inserted', which is the base for the timeframe); the time recorded in such a field can be considered *approximately* the time of the last packet of the flow. We have an upper bound for such an approximation, and it depends on the 'sql_refresh_time' value (based on your configuration, you can have a maximum approximation of 60 secs).

Cheers,
Paolo

PS: I'm happy for your words about pmacct-fe; I hope to give good news on the pmacct-fe & MySQL side before the end of the summer.
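A small model of the accounting semantics described above, added here as an illustration and not pmacct's own code: it assumes sql_refresh_time of 60 seconds, a 5-minute history bin for stamp_inserted, and a constructed packet trace, and checks that stamp_updated never lags the flow's real last packet by more than sql_refresh_time.

```python
"""Toy model of pmacct-style flow rows with historical accounting.

Assumptions (not from pmacct itself): rows are keyed by the 5-tuple plus
stamp_inserted (start of the history bin), the in-memory cache is written
to SQL every REFRESH seconds, and stamp_updated is set to the time of the
write that last touched the row.
"""

REFRESH = 60         # assumed sql_refresh_time, in seconds
HISTORY_BIN = 300    # assumed sql_history of 5 minutes, in seconds

# Constructed trace: (timestamp, src_ip, src_port, dst_ip, dst_port, ip_proto)
PACKETS = [
    (1000, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    (1005, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    (1041, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),
    (1130, "10.0.0.7", 5353, "192.0.2.53", 53, "udp"),
    (1322, "10.0.0.5", 40001, "192.0.2.10", 80, "tcp"),  # same flow, next bin
]


def account(packets, refresh=REFRESH, history_bin=HISTORY_BIN):
    """Aggregate packets into rows keyed by (5-tuple, stamp_inserted).

    Each row records the packet count, the true time of its last packet
    (which a collector does not store), and stamp_updated as set at flush.
    """
    rows, dirty = {}, set()
    next_flush = (min(t for t, *_ in packets) // refresh + 1) * refresh
    for ts, *key in sorted(packets):
        while ts >= next_flush:          # refresh timer expired: write cache
            for k in dirty:
                rows[k]["stamp_updated"] = next_flush
            dirty.clear()
            next_flush += refresh
        stamp_inserted = ts - ts % history_bin
        row_key = (tuple(key), stamp_inserted)
        row = rows.setdefault(row_key, {"packets": 0, "last_seen": None,
                                        "stamp_updated": None})
        row["packets"] += 1
        row["last_seen"] = ts
        dirty.add(row_key)
    for k in dirty:                      # final write after the trace ends
        rows[k]["stamp_updated"] = next_flush
    return rows


def max_error(rows):
    """Largest gap between stamp_updated and the real last packet time."""
    return max(r["stamp_updated"] - r["last_seen"] for r in rows.values())
```

On this trace the worst gap is 58 seconds, just under the 60-second refresh interval, which is the bound the message describes.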
