Hi Nicolas, On Tue, Aug 22, 2006 at 10:01:44AM +0700, Nicolas Fournaux wrote:
> aggregate: src_mac,dst_mac,src_host,dst_host,src_port,dst_port If you use such aggregation, you have to expect many tuples in your database for the same src_host, dst_host. To get started and keep your database small, get a look to point Q5 of FAQS document; depending on what you want to do, that fragment could be useful as a starting point: ... aggregate[inbound]: dst_host aggregate[outbound]: src_host aggregate_filter[inbound]: dst net <local networks> aggregate_filter[outbound]: src net <local networks> plugins: mysql[inbound], mysql[outbound] sql_table[inbound]: acct_in sql_table[outbound]: acct_out sql_refresh_time: 60 sql_history: 1h promisc: false pcap_filter: host not 192.168.1.1 and host not 10.0.0.1 and ether dst not ff:ff:ff:ff:ff:ff ... The above will use two different tables, acct_in and acct_out to account for your inbound and outbound traffic, per host, per hour. You need to create such tables on your own. BTW, sql_refresh_time need to be somewhat larger than the value in your configuration (2). 30-60-90 secs are all acceptable values. Cheers, Paolo _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
