Hi Nitzan, I'm sure you already know pmacct doesn't support logging to raw files (FAQS document, Q5). As you can read, by choice.
I believe pmacct can anyway offer something similar to what you have in mind: via configuration you have full control over spatial aggregation (so you just select primitives as much as you need), whereas the the nfacctd_sql_log feature disables the temporal aggregation while mapping flow start time and end time to stamp_inserted and stamp_updated fields respectively. By doing so, you can log micro-flows to the database. Remaining bits are: rotating SQL tables over time, say, a different table every amount of minutes or hours; this can be done by a script or by pmacct via the dynamic SQL tables feature (sql_table, sql_table_schema). You can decide to not use any indexing, ie. ARCHIVE (binary, compressed) or CSV (textual) storage engines in MySQL. The query language stays SQL (for CSVs you can optionally bypass it): no need to re-invent anything. A simple script you write drops tables after some time. Some people go this road for reasons like analize traffic anomalies, security, forensics, etc. and keep rather happy with it. Should you need support to build something in this sense, feel free to give me a shout privately - will be glad to help. Cheers, Paolo On Thu, Jul 08, 2010 at 12:42:44AM +0300, Nitzan Tzelniker wrote: > Hi > > How can I save raw flows in pmacct to a file like flow-capture do in > flow-tools and how to send them back to the analyzer later (like flow-cat > ). > > Today I have to send it to nfcapd to save it to a file but I want to use > only pmacct. > > The reason for this feature is if you have something that you ant to drill > down into and it is not in your regular aggregates you want to build custom > filters and aggregate for these flows only. > > Thanks > > Nitzan > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
