Hi JF, As Karl said, libpcap looks what's on the wire and pmacct doesn't get further up in the packet layering. You can always do a quick check by verifying what tcpdump sees.
While on NAT & Linux, and perhaps not related to this specific issue: the "uacctd" daemon has been introduced in pmacct as of 0.12.0rc3: it relies on the ULOG framework for packet capturing and should give increased flexibility (prerouting, postrouting, etc.) in scenarios where one does accounting on the same Linux box which is also doing the NAT. Cheers, Paolo On Thu, Nov 12, 2009 at 12:24:34AM -0500, JF Cliche wrote: > Maybe a newbie question, so I'll be brief: > > I am behind two NAT routers (Linksys running DD-WRT) with port > forwarding up to the machine running pmacct, and yet pmacct reports > SSH traffic to the forwarded port with the public (external, > non-NATed) addresses. I thought all traffic should be seen as coming > from the second router private address. Is pmacct (or underlying pcab > library) getting the public address from extra data encapsulated in > the TCP packets by the routers or in the SSH protocol? I've seen the > opposite problem being discussed in this forum, but not this... > > JF > > > -- > ------------------------------------------------ > Jean-Fran?ois Cliche, Ph.D., P. Eng _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
