Hi Jakub,

Thank you very much for your detailed reply (it was very helpful).

> Note that libpcap is "local", you see via that library only
> local traversing traffic ( sometimes promiscuous traffic too
> ;) ). To export accounting info to some other machine - some
> other software is being used than pmacct ( for
> example: NetFlow probes, they just sit there, watch traffic
> utilising libpcap and send NetFlow packets to so called
> collectors ). Pmacct has nfacctd - a daemon which is netflow
> collector. So if you are planning setting up those firewalls,
> you should take into account software like fprobe (nice
> netflow probe). Those two firewalls would be "probes" and one
> nfacctd machine would be "collector" in NetFlow terminology.

Thank you very much for clarifying this for me.

> If you are planning setting up those firewalls only for
> accounting purposes I would recommend you to somehow change
> concept. If I were you I would configure port mirroring on edge
> L2 switches ( depends on current net architecture, you can
> also utilize RSPAN if you have uplinks on different switches,
> NetFlow-enabled-edge-routers, etc ) and connect that mirrored
> port to new accounting server. That way, you are going to
> have one point of failure less ( mainly those linux firewalls ).

We are planning to set up firewalls no matter what, but the most important thing for now is ip accounting, and for those needs your suggestion of port mirroring sounds much better than my initial thoughts (it will make it easier to get started, make the ip accounting independent of the firewalls and keep the two systems separated).

Will the server receiving the mirrored traffic need to be configured in any special way for it to receive the packages, even though they don't match its mac/ip?

> You actually can configure pmacctd/nfacctd/etc to behave like this:
> 1) observe traffic for 5 minutes
> 2) insert statistics into SQL backend for observed period
> (using some dynamic SQL creation of table)
> 3) goto 1
>
> So now you will have for example tables named like those:
> acct_in_10_06_2006
> acct_in_09_06_2006
> and so on, with numbersofIPs*24*60/5 = 147456 entries in each table.
>
> Then it is possible to make for example monthly cron-script
> which will summarize & delete records for previous month, and
> which will produce some nice graph, charge users, send email,
> whatever.
>
> When it comes to SQL backend performance pmacctd/nfacctd is
> only executing inserts for approx. number_of_IPs*2(for input
> and output) every 5min into database, no updates - all is
> accounted in memory. Piece of cake ( 1024 req/ 5min ).
> Moreover it can be tuned further.

This sounds very interesting, I'll try looking into the documentation for further details on our options.

--
Best regards,
Sune

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
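
The monthly summarize-and-delete cron job described in the quoted reply, sketched as an added example that is not part of the original thread and not pmacct's own code. It assumes a simplified per-day table layout (ip, bytes, packets) and uses sqlite3 as a stand-in for the SQL backend; the names `rollup_month` and `acct_in_monthly` are hypothetical.

```python
import re
import sqlite3

# Daily table names follow the pattern quoted in the thread: acct_in_DD_MM_YYYY.
DAILY = re.compile(r"^acct_in_(\d{2})_(\d{2})_(\d{4})$")

def rollup_month(db, year, month):
    """Sum per-IP counters from one month's daily tables, then drop those tables."""
    db.execute("CREATE TABLE IF NOT EXISTS acct_in_monthly ("
               "year INT, month INT, ip TEXT, bytes INT, packets INT, "
               "PRIMARY KEY (year, month, ip))")
    names = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    done = []
    for name in sorted(names):
        m = DAILY.match(name)
        # The regex doubles as an allow-list: only names of this exact shape
        # are ever interpolated into the SQL text below.
        if not m or (int(m.group(3)), int(m.group(2))) != (year, month):
            continue
        with db:  # one transaction per day: summarize and drop together, or neither
            db.execute(
                f"INSERT INTO acct_in_monthly "
                f"SELECT ?, ?, ip, SUM(bytes), SUM(packets) FROM {name} "
                f"WHERE true GROUP BY ip "
                f"ON CONFLICT(year, month, ip) DO UPDATE SET "
                f"bytes = bytes + excluded.bytes, "
                f"packets = packets + excluded.packets",
                (year, month))
            db.execute(f"DROP TABLE {name}")
        done.append(name)
    return done

def demo():
    """Constructed sample data: two June 2006 days and one July 2006 day."""
    db = sqlite3.connect(":memory:")
    rows = {"acct_in_09_06_2006": [("192.0.2.10", 1000, 10), ("192.0.2.11", 500, 5)],
            "acct_in_10_06_2006": [("192.0.2.10", 2000, 20)],
            "acct_in_01_07_2006": [("192.0.2.10", 7, 1)]}
    for table, data in rows.items():
        db.execute(f"CREATE TABLE {table} (ip TEXT, bytes INT, packets INT)")
        db.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", data)
    db.commit()
    dropped = rollup_month(db, 2006, 6)
    totals = db.execute(
        "SELECT ip, bytes, packets FROM acct_in_monthly ORDER BY ip").fetchall()
    return dropped, totals

if __name__ == "__main__":
    print(demo())
```

Aggregating and dropping each daily table inside one transaction means an interrupted run cannot delete rows that were never summarized.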
