Hi Alex,


On Wed, Sep 14, 2016 at 12:55:00PM +0300, Abi Askushi wrote:

> > > 1. Is there a pmacct plugin to get traffic flows from connection tracking
> > > system, like ulogd2 with NFCT plugin?
> >
> > Not being familiar with this, can you elaborate what it does? An example
> > would be much appreciated.
> >
> This is done using ulogd2 running with NFCT plugin. Then ulogd probes
> events from connection tracking system (events can be filtered: destroy,
> new, etc) and can print or store the flows in DB. The flows that can be
> fetched are like the output of command "conntrack -L". The pro of this
> approach is that you get the real source and destination when have to deal
> with NATed traffic.
> A very nice example is at
> https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/.
> The negative side of this approach is how to handle long lasting sessions
> that are not fetched (at least I didn't figure out how to do that) in case
> the device is rebooted, resulting in lost accounting traffic.

I see, it may be something potentially interesting. Do you think
this is something you can contribute upon?

> > > 2. NFLOG + uacctd: is there any way to aggregate/filter collected packets
> > > with uacctd as received from NFLOG, according to the fwmark value set
> > > with MARK at iptables? If no, is there any recommended alternate approach?
> >
> > No, as i suspect this MARK action does not really mark/stamp the packet
> > itself but mangles with an external header. But knowing more precisely
> > what this MARK does, we can certainly make it an item we can tag upon,
> > or more. Again, i'm not a master of ULOG/NFLOG and hence i'd need (your)
> > support.
> >
> As you said, the MARK is an association that is done from netfilter and it
> does not affect packet header.
> This means that I'm left with the option to alter packet header to be able
> to tag it.
> Can you recommend which packet header to alter to be able to tag?

I'd say the IP ToS field may be the most intuitive/easy one. Unfortunately
it is rather intrusive, ie. you may be interested in the original ToS value. 
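
The point made in the thread about conntrack showing the real source and destination of NATed traffic can be seen by parsing the text printed by "conntrack -L". This is an added example, not code from the thread, pmacct or ulogd2; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the text format printed by "conntrack -L".
# Addresses are documentation ranges and counters are made up. The
# packets=/bytes= fields only appear when conntrack accounting is enabled.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=54321 dport=443 packets=12 bytes=3400 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=54321 packets=10 bytes=9100 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.11 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=192.168.1.11 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
tcp      6 100 SYN_RECV src=198.51.100.9 dst=203.0.113.5 sport=60000 dport=80 src=192.168.1.20 dst=198.51.100.9 sport=80 dport=60000 mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


def parse_flow(line):
    """Split one conntrack line into its original and reply tuples."""
    orig, reply = {}, {}
    for key, val in KV.findall(line):
        if key in TUPLE_KEYS:
            # Each tuple key is printed twice: first for the original
            # direction, then for the reply direction.
            (reply if key in orig else orig)[key] = val
    # NAT shows up as a mismatch between the two directions.
    checks = (("snat", reply["dst"] != orig["src"]),
              ("dnat", reply["src"] != orig["dst"]))
    nat = "+".join(kind for kind, hit in checks if hit) or "none"
    return {
        "proto": line.split()[0],
        "real_src": orig["src"],   # initiator before any source NAT
        "real_dst": reply["src"],  # responder after any destination NAT
        "nat": nat,
        "bytes": int(orig.get("bytes", 0)) + int(reply.get("bytes", 0)),
    }


def parse_table(text):
    """Parse every non-empty line of a conntrack listing."""
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for flow in parse_table(SAMPLE):
        print(flow)
```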


pmacct-discussion mailing list
