Hi Paolo,

I was thinking if there is a way to capture the nflog-prefix with uacct. I was 
not able to find any relevant uacct key.

Probing conntrack and filtering the events is indeed interesting. I will try to 
see if the probing can be done in a way to save the long lasting sessions in 
small incremental steps.

On September 19, 2016 1:55:55 PM EEST, Paolo Lucente <pa...@pmacct.net> wrote:
>Hi Alex,
>On Wed, Sep 14, 2016 at 12:55:00PM +0300, Abi Askushi wrote:
>> > > 1. Is there a pmacct plugin to get traffic flows from connection
>> > > system, like ulogd2 with NFCT plugin?
>> >
>> > Not being familiar with this, can you elaborate what it does? An
>> > would be much appreciated.
>> >
>> This is done using ulogd2 running with NFCT plugin. Then ulogd probes
>> events from connection tracking system (events can be filtered:
>> new, etc) and can print or store the flows in DB. The flows that can
>> fetched are like the output of command "conntrack -L". The pro of
>> approach is that you get the real source and destination when have to
>> with NATed traffic.
>> A very nice example is at
>> The negative side of this approach is how to handle long lasting
>> that are not fetched (at least I didn't figure out how to do that) in
>> the device is rebooted, resulting in lost accounting traffic.
>I see, tt may be something potentially interesting. Do you think
>this is something you can contribute upon?
>> > > 2. NFLOG + uacctd: is there any way to aggregate/filter collected
>> > > with uacctd as received from NFLOG, according to the fwmark value
>> > with
>> > > MARK at iptables ? If no, is there any recommended alternate
>> >
>> > No, as i suspect this MARK action does not really mark/stamp the
>> > itself but mangles with an external header. But knowing more
>> > what this MARK does, we can certainly make it an item we can tag
>> > or more. Again, i'm not a master of ULOG/NFLOG and hence i'd need
>> > support.
>> >
>> As you said, the MARK is an association that is done from netfilter
>and it
>> does not affect packet header.
>> This means that I'm left with the option to alter packet header to be
>> to tag it.
>> Can you recommend which packet header to alter to be able to tag?
>I'd say the IP ToS field may be the most intuitive/easy one.
>it is rather intrusive, ie. you may be interested in the original ToS

Sent from my Android device with K-9 Mail. Please excuse my brevity.
pmacct-discussion mailing list

Reply via email to