Note: forwarded message attached.
--- Begin Message ---
Paolo,
Great feedback, thanks. Just for clarification, in the short term, I'm not looking to do any type of application discovery. I would like to filter the inbound and outbound sessions over tcp and udp ports so it can determine any ports that are not used. At the same time, we can get a feel for the aggregate flow of ports that have high usage. For example, I would have a graph based on inbound connections to a certain range of ports and pertaining to a specific network range (or all ports if feasible), a graph based on outbound connections to that same range of ports and pertaining to a specific network range. Just to give you an idea of the network layout, I work for a large enterprise in which the company is essentially an ISP for three other institutions. We have three major network ranges, and the other institutions have a designated network range for each. So it seems like I have to do the following:
1. Construct a memory table for Cacti (which I thought was the purpose of the mysql db install).
2. Create the correct queries for pmacct. From what I understand I need to filter on src|dst ports.
3. Create the correct queries in Cacti. From what I understand, I need to create pmacct queries and input them into cacti. Is this where I can designate network range and port range?
I guess my immediate questions pertain to the following:
1. How do you not copy the data twice in rrd files in cacti and pmacct?
2. What is the conceptual model for the data process flow?
3. How is historical data retained for later viewing?
Yikes..this may seem a lot. I'm the juggernaut!
Again, any help would be greatly appreciated.
-B
Paolo Lucente <[EMAIL PROTECTED]> wrote:
Hi Ben,
so, "port" refers to TCP/UDP port. Ok. About the tutorial per-se, graphing
port data rather than network data requires a) intercepting occurrences of
src|dst_net in the document and b) replacing them with src|dst_port.
Now, if you need just a per-port breakdown it's feasible: generating 65k
graphs should be not that problem. If you need per-port, per-host/network
breakdown, then you hit a barrier.
However, my (personal) opinion is that considering ports either singularly
or in chunks gives poor feedback. For example, if the goal of the solution
is to know about top-used services, going this way you will be able to hit
smtp, pop3, imap, web and dns and few others at the best. The pro is that,
for example, you get quick hints for writing filter rules in order to stop
the unknown talker; the cost is getting loads of null graphs.
An intermediate solution could be classifiers: you get no reference to
ports but to top-used services. This returns you an effective and scalable
solution (tailored to pmacctd); there are some cons: a) the solution may
need to be engineered carefully in order to be applicable to very large
networks (which I don't know if it's your case); b) classifiers are not
precise at 100% in the sense that a portion of traffic remains "unknown";
c) to get the real TCP/UDP port involved in a talk you need an auxiliary
"lookup" backend, ie. nothing dramatic: a memory table to generate the
loved graphs, and a pair of SQL tables to keep 2-days history of traffic
details.
Just a concluding note about MySQL, Cacti and pmacct. Cacti and pmacct
both are able to use MySQL but each for their very own purposes. The way
they have to communicate is still a commandline tool executed by Cacti.
Then, because Cacti stores historical data in RRD files, the optimized
way is not to make pmacct store the same data on the disk twice (ie.
SQL). However if this is required, it's pretty easy to integrate with
Cacti: mind that to get counters, Cacti just requires a tool writing
commandline the result (ie. the counter); and this is pretty easy to
achieve with mysql, psql, sqlite commandline clients.
Sorry for the rather long reply. Hoping it helps.
Cheers,
Paolo
_______________________________________________
pmacct-discussion mailing list
[email protected]
http://muffin.area.ba.cnr.it/mailman/listinfo/pmacct-discussion
--- End Message ---
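The per-port, per-network counters discussed in this thread, sketched as an added example that is not part of either message and not pmacct or Cacti code. It assumes a pmacct-style SQL table named `acct` with columns `ip_src`, `ip_dst`, `dst_port` and `bytes`; the sample rows and network ranges are constructed, and the output uses Cacti's space-separated `name:value` script format.

```python
import ipaddress
import sqlite3

# Constructed sample flow rows: (ip_src, ip_dst, src_port, dst_port, bytes).
SAMPLE = [
    ("198.51.100.7", "10.1.0.20", 51515, 25, 4200),
    ("198.51.100.9", "10.1.0.20", 40000, 80, 9000),
    ("10.1.0.33", "203.0.113.5", 50222, 443, 7000),
    ("10.1.0.33", "203.0.113.5", 50223, 53, 300),
    ("198.51.100.7", "10.2.0.8", 41000, 22, 1500),  # a different network range
]

def load(rows):
    """Build an in-memory table in the assumed pmacct-style layout."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acct (ip_src TEXT, ip_dst TEXT, "
               "src_port INT, dst_port INT, bytes INT)")
    db.executemany("INSERT INTO acct VALUES (?,?,?,?,?)", rows)
    return db

def port_usage(db, network, direction, lo, hi):
    """Bytes per destination port in [lo, hi] for one network and direction.

    Flow records are unidirectional, so keeping the range to service ports
    leaves out reply traffic whose dst_port is an ephemeral client port.
    """
    net = ipaddress.ip_network(network)
    usage = {}
    query = ("SELECT ip_src, ip_dst, dst_port, bytes FROM acct "
             "WHERE dst_port BETWEEN ? AND ?")
    for src, dst, dport, nbytes in db.execute(query, (lo, hi)):
        src_in = ipaddress.ip_address(src) in net
        dst_in = ipaddress.ip_address(dst) in net
        inbound = dst_in and not src_in
        outbound = src_in and not dst_in
        if (direction == "in" and inbound) or (direction == "out" and outbound):
            usage[dport] = usage.get(dport, 0) + nbytes
    return usage

def unused_ports(usage, lo, hi):
    """Ports in [lo, hi] with no traffic: candidates for a filter-rule review."""
    return [p for p in range(lo, hi + 1) if p not in usage]

def cacti_line(usage):
    """One line of name:value pairs, the form a Cacti script input reads."""
    return " ".join(f"port{p}:{b}" for p, b in sorted(usage.items()))

if __name__ == "__main__":
    print(cacti_line(port_usage(load(SAMPLE), "10.1.0.0/16", "in", 1, 1024)))
```
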
