Hi Mariano, maybe irrelevant for your scenario but pmacct version 0.11.5 is able to make the most profit by the fields of the DLT_LINUX_SLL header - which is prepended to the L3 header when using the "any" interface. This is an extract from the ChangeLog:
+ pmacctd, the Linux Cooked device (DLT_LINUX_SLL) handler has been enhanced by supporting 'src_mac' and 'vlan' aggregation primitives.

Cheers,
Paolo

On Fri, Jan 23, 2009 at 01:36:40PM +0100, Mariano Spadaccini wrote:
> Chris Wilson wrote:
>
> > Have you tried using "any" as the interface name to capture all flows?
>
> Yes, but...
> -------------------------------------------------------------------
> r...@mixer# pmacctd -i any -c
> src_mac,dst_mac,src_host,dst_host,src_port,dst_port
> WARN ( cmdline ): No plugin has been activated; defaulting to in-memory
> table.
> OK ( default/memory ): waiting for data on: '/tmp/collect.pipe'
> OK ( default/core ): link type is: 113
> ERROR ( default/core ): MAC aggregation not available for link type: 113
> -------------------------------------------------------------------
>
> src_mac and dst_mac are important data in my log.
>
> However this machine is nat-firewall (loc <-> fw <-> net)
> My interest is only for traffic through interfaces loc <-> fw,
> before nat process.
>
> Cheers,
> Mariano

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
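For reference, a C parser for the 16-byte DLT_LINUX_SLL (link type 113) header discussed in this thread, showing where a source MAC and a VLAN ID can be read from. This is an added example, not pmacct's code: `parse_sll`, `struct sll_info` and `SAMPLE_FRAME` are hypothetical names, the frame bytes are constructed, and it assumes an 802.1Q tag, when present, directly follows the cooked header with protocol 0x8100.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SLL_HDR_LEN     16      /* type(2) hatype(2) halen(2) addr(8) proto(2) */
#define ARPHRD_ETHER    1
#define ETHERTYPE_8021Q 0x8100

struct sll_info {               /* hypothetical result structure */
    uint16_t pkt_type;          /* 0 = sent to us, 4 = sent by us, ... */
    int      has_mac;           /* 1 if the sender address is a 6-byte MAC */
    uint8_t  src_mac[6];        /* the header carries only the sender's address */
    int      vlan;              /* VLAN ID, or -1 when untagged */
    uint16_t l3_proto;          /* EtherType of the payload */
    size_t   l3_off;            /* offset of the L3 header in the frame */
};

/* Constructed sample: cooked header, VLAN 100 tag, start of an IPv4 packet. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00, 0x00,  0x00, 0x01,  0x00, 0x06,           /* type, hatype, halen */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x00, 0x00, /* address, padded to 8 */
    0x81, 0x00,  0x00, 0x64,  0x08, 0x00,           /* 802.1Q, TCI, IPv4 */
    0x45, 0x00
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the buffer is too short to parse. */
int parse_sll(const uint8_t *buf, size_t len, struct sll_info *out)
{
    if (len < SLL_HDR_LEN) return -1;
    memset(out, 0, sizeof(*out));
    out->pkt_type = be16(buf);
    /* Only trust the address as a MAC for Ethernet-like devices. */
    if (be16(buf + 2) == ARPHRD_ETHER && be16(buf + 4) == 6) {
        memcpy(out->src_mac, buf + 6, 6);
        out->has_mac = 1;
    }
    out->vlan = -1;
    out->l3_proto = be16(buf + 14);
    out->l3_off = SLL_HDR_LEN;
    if (out->l3_proto == ETHERTYPE_8021Q) {
        if (len < SLL_HDR_LEN + 4) return -1;      /* truncated tag */
        out->vlan = be16(buf + 16) & 0x0fff;       /* low 12 bits of the TCI */
        out->l3_proto = be16(buf + 18);
        out->l3_off = SLL_HDR_LEN + 4;
    }
    return 0;
}
```
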
