Hi Dennis,

On Tue, Aug 30, 2011 at 06:06:28PM +0200, Dennis Koster wrote:

> Accounting all the traffic (IPv4/6) with history.
> Traffic inside our network has full ip_dst and ip_src.
> Traffic outside our network has an ip_dst or ip_src with 0.0.0.0/::
> 
> I want traffic per IP per month.

OK. Traffic per IP per month is better achieved with two plugins,
so as to build tables proportional to your IP address space ('out' will
count the active IP addresses in your network; 'in' will be way more
rich due to scan activities):

sfacctd.conf:
..
plugins: mysql[out], mysql[in]
aggregate[out]: src_host
aggregate[in]: dst_host
aggregate_filter[out]: src net <own IP chunk A> .. or src net <own IP chunk Z>
aggregate_filter[in]: dst net <own IP chunk A> .. or dst net <own IP chunk Z> 
..

Perhaps you also want to distinguish between internal and external
traffic? You can then do a bit of pre-tagging for that, so a tag of
1 means traffic is internal whereas a tag of 0 means it's external,
ie.:

sfacctd.conf:
..
plugins: mysql[out], mysql[in]
aggregate[out]: tag, src_host
aggregate[in]: tag, dst_host
aggregate_filter[out]: src net <own IP chunk A> .. or src net <own IP chunk Z>
aggregate_filter[in]: dst net <own IP chunk A> .. or dst net <own IP chunk Z> 
pre_tag_map: /path/to/pretag.map
..

pretag.map:
id=1 filter=( src net <own IP chunk A> .. or src net <own IP chunk Z> ) and ( dst net <own IP chunk A> .. or dst net <own IP chunk Z> )

Please review the configurations yourself; the chunks above can contain
lexical/escaping/etc. mistakes and are for your reference only. This
is slightly more complex than your current configuration but strips
the aggregation method of one (with tags) or even two (without tags)
primitives - which I'm rather sure will be beneficial to the overall
performance.

Cheers,
Paolo


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
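
Added example, not part of the original message and not pmacct code: a small Python model of what the two-plugin configuration with pre-tagging accumulates, showing which table each flow lands in and which tag it carries. The networks 192.0.2.0/24 and 2001:db8::/32 are assumed stand-ins for the "own IP chunks", and the flows and month labels are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Assumption: placeholders for "<own IP chunk A> .. <own IP chunk Z>".
OWN_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def is_own(addr):
    """True if addr (IPv4 or IPv6 string) falls inside one of the own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in OWN_NETS)


def account(flows):
    """Model the 'out' and 'in' plugin tables.

    flows: iterable of (month, src, dst, bytes).
    Returns {'out': {...}, 'in': {...}}, each keyed by (month, tag, host).
    """
    tables = {"out": defaultdict(int), "in": defaultdict(int)}
    for month, src, dst, nbytes in flows:
        src_own, dst_own = is_own(src), is_own(dst)
        # pretag.map rule: tag 1 only when both ends are own (internal traffic).
        tag = 1 if (src_own and dst_own) else 0
        if src_own:  # aggregate_filter[out] + aggregate[out]: tag, src_host
            tables["out"][(month, tag, src)] += nbytes
        if dst_own:  # aggregate_filter[in] + aggregate[in]: tag, dst_host
            tables["in"][(month, tag, dst)] += nbytes
    return tables


# Constructed sample flows (documentation address ranges only).
SAMPLE_FLOWS = [
    ("2011-08", "192.0.2.10", "198.51.100.7", 1000),  # own -> external
    ("2011-08", "198.51.100.7", "192.0.2.10", 4000),  # external -> own
    ("2011-08", "192.0.2.10", "192.0.2.20", 500),     # internal IPv4
    ("2011-08", "203.0.113.9", "192.0.2.99", 60),     # inbound probe to an idle address
    ("2011-09", "2001:db8::1", "2001:db8::2", 700),   # internal IPv6
    ("2011-08", "198.51.100.7", "203.0.113.9", 50),   # neither end own: matches no filter
]

if __name__ == "__main__":
    for name, table in account(SAMPLE_FLOWS).items():
        for (month, tag, host), nbytes in sorted(table.items()):
            print(f"{name:3} {month} tag={tag} {host:15} {nbytes}")
```

Internal flows are counted once in each table (under the source in 'out' and the destination in 'in'), both with tag 1, and the idle address 192.0.2.99 shows up only in 'in', which is why that table grows with scan activity.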
