Hi,
first of all, many compliments for this great piece of code.
I've started using pmacct to profile traffic on a LAN of about 60 hosts connected to a 2Mb HDSL line. I'm running Debian 3.1, so I'm using pmacct v 0.7.4. I don't need all the $things_for_the_big_boys pmacct provides, so I'm happy with this old version (too lazy to recompile ;) ).

I have a question about how 'connections' are logged in 'time'.

First, here is what I wish to use pmacct for: log all traffic to find out how my TOTAL traffic is composed (per port and per direction), and make queries to obtain totals over various time intervals (hours, days, months).

I use the mysql plugin, and as stated in the thread [stamp_inserted and sql_history] I found out that I need to put the parameter
sql_history:
in the config file and, wow, timestamps appeared.

This was the story, now the questions.

I'm not clear on how timestamps are managed. Suppose I have had an SMTP transaction logged like this:

+------------------+------------------+-----------------+-----------------+----------+----------+----------+---------+--------+---------------------+---------------------+
| mac_src          | mac_dst          | ip_src          | ip_dst          | src_port | dst_port | ip_proto | packets | bytes  | stamp_inserted      | stamp_updated       |
+------------------+------------------+-----------------+-----------------+----------+----------+----------+---------+--------+---------------------+---------------------+
| 0:90:d0:22:98:17 | 0:4:76:a0:6a:45  | 193.70.192.92   | 192.168.254.100 |    54559 |       25 | ip       |      14 |   2168 | 2005-10-10 10:34:00 | 2005-10-10 11:04:05 |
| 0:4:76:a0:6a:45  | 0:90:d0:22:98:17 | 192.168.254.100 | 193.70.192.92   |       25 |    54559 | ip       |      14 |   1031 | 2005-10-10 10:34:00 | 2005-10-10 11:04:05 |
+------------------+------------------+-----------------+-----------------+----------+----------+----------+---------+--------+---------------------+---------------------+


1 - I have tried sql_history=365d. Does this mean that if a similar transaction occurs again within 365 days, it will not be a new record, but pmacct will update the above two records?

2 - Does pmacct have the possibility to log totals for _every_ TCP transaction, I mean SYN, SYN/ACK, data..., END? (OK, if you prefer, I'll reformulate the question: how does pmacct log totals for a pair of ports?)


3 - I've seen in the docs that, if I wish to differentiate inbound and outbound traffic, I have to log to different database tables using:

  aggregate[inbound]: dst_host
  aggregate[outbound]: src_host
  plugins: mysql[inbound], mysql[outbound]
  sql_table[inbound]: acct_in
  sql_table[outbound]: acct_out

Is this the only way? No in/out column?

I hope I'm not being too confusing....

--
Gabriele Vivinetto

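The per-hour / per-day / per-month totals with an in/out split that the post asks for can be obtained from a single pmacct table rather than from separate acct_in / acct_out tables, by deriving direction from the address columns already in each row. The queries below are an added example, not code from the original post and not part of pmacct itself. They assume the mysql plugin writes to the default table name `acct` with the columns shown in the post, that sql_history is set so stamp_inserted holds the start of each accounting bin, and that the LAN is 192.168.254.0/24 (the LAN side of the post's two rows); the `0xFFFFFF00` mask and the `LEAST(src_port, dst_port)` service-port heuristic are the example's own choices.

```sql
-- Added example, not from the original post or from pmacct itself.
-- Assumptions: the mysql plugin writes to the default table `acct`
-- with the columns shown in the post, sql_history is set so that
-- stamp_inserted holds the start of each accounting bin, and the LAN
-- is 192.168.254.0/24 (the LAN address in the post's two rows).
-- The /24 mask is written as 0xFFFFFF00 for INET_ATON() arithmetic.

-- Hourly totals for one day, split by direction and by service port.
-- Direction comes from which side of the row is on the LAN, so one
-- table is enough; no acct_in / acct_out split is needed.
-- LEAST(src_port, dst_port) is a heuristic for "the service port":
-- for the two rows in the post it yields 25 for both directions of
-- the same SMTP conversation, which is what a per-service total wants.
-- Each direction of a conversation is its own row (as in the post),
-- so the two are summed separately here and split by `direction`.
SELECT
  DATE_FORMAT(stamp_inserted, '%Y-%m-%d %H:00:00') AS hour_bin,
  CASE
    WHEN (INET_ATON(ip_src) & 0xFFFFFF00) = INET_ATON('192.168.254.0')
     AND (INET_ATON(ip_dst) & 0xFFFFFF00) = INET_ATON('192.168.254.0') THEN 'local'
    WHEN (INET_ATON(ip_dst) & 0xFFFFFF00) = INET_ATON('192.168.254.0') THEN 'in'
    WHEN (INET_ATON(ip_src) & 0xFFFFFF00) = INET_ATON('192.168.254.0') THEN 'out'
    ELSE 'transit'
  END AS direction,
  LEAST(src_port, dst_port) AS service_port,
  ip_proto,
  SUM(packets) AS total_packets,
  SUM(bytes)   AS total_bytes
FROM acct
WHERE stamp_inserted >= '2005-10-10 00:00:00'
  AND stamp_inserted <  '2005-10-11 00:00:00'
GROUP BY hour_bin, direction, service_port, ip_proto
ORDER BY hour_bin, direction, total_bytes DESC;

-- Monthly totals per direction.  Totals are keyed on stamp_inserted
-- (the bin start), never on stamp_updated: in the post's own rows
-- stamp_updated is half an hour later than stamp_inserted, because it
-- only records when the row was last written.  LAN-internal and
-- transit rows are lumped into 'other' here.
SELECT
  DATE_FORMAT(stamp_inserted, '%Y-%m') AS month_bin,
  CASE
    WHEN (INET_ATON(ip_dst) & 0xFFFFFF00) = INET_ATON('192.168.254.0') THEN 'in'
    WHEN (INET_ATON(ip_src) & 0xFFFFFF00) = INET_ATON('192.168.254.0') THEN 'out'
    ELSE 'other'
  END AS direction,
  SUM(bytes) AS total_bytes
FROM acct
GROUP BY month_bin, direction
ORDER BY month_bin, direction;
```

Swap `'192.168.254.0'` and the mask for your own LAN prefix; for a daily report replace the `DATE_FORMAT` pattern with `'%Y-%m-%d'`. The WHERE clause on stamp_inserted is what keeps the hourly query cheap on a large table, so index that column if these reports are run routinely.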