Hi Paolo,

I was wondering if there is a way to capture the nflog-prefix with uacctd. I was 
not able to find any relevant uacctd key.

Probing conntrack and filtering the events is indeed interesting. I will try to 
see if the probing can be done in a way to save the long lasting sessions in 
small incremental steps.


On September 19, 2016 1:55:55 PM EEST, Paolo Lucente <pa...@pmacct.net> wrote:
>
>Hi Alex,
>
>Inline:
>
>On Wed, Sep 14, 2016 at 12:55:00PM +0300, Abi Askushi wrote:
>
>> > > 1. Is there a pmacct plugin to get traffic flows from connection tracking
>> > > system, like ulogd2 with NFCT plugin?
>> >
>> > Not being familiar with this, can you elaborate what it does? An example
>> > would be much appreciated.
>> >
>> 
>> This is done using ulogd2 running with NFCT plugin. Then ulogd probes
>> events from connection tracking system (events can be filtered: destroy,
>> new, etc) and can print or store the flows in DB. The flows that can be
>> fetched are like the output of command "conntrack -L". The pro of this
>> approach is that you get the real source and destination when you have to
>> deal with NATed traffic.
>> A very nice example is at
>> https://home.regit.org/2014/02/logging-connection-tracking-event-with-ulogd/.
>> The negative side of this approach is how to handle long lasting sessions
>> that are not fetched (at least I didn't figure out how to do that) in case
>> the device is rebooted, resulting in lost accounting traffic.
>
>I see, it may be something potentially interesting. Do you think
>this is something you can contribute upon?
>
>> > > 2. NFLOG + uacctd: is there any way to aggregate/filter collected packets
>> > > with uacctd as received from NFLOG, according to the fwmark value set with
>> > > MARK at iptables? If no, is there any recommended alternate approach?
>> >
>> > No, as I suspect this MARK action does not really mark/stamp the packet
>> > itself but mangles with an external header. But knowing more precisely
>> > what this MARK does, we can certainly make it an item we can tag upon,
>> > or more. Again, I'm not a master of ULOG/NFLOG and hence I'd need (your)
>> > support.
>> >
>> As you said, the MARK is an association that is done from netfilter and it
>> does not affect packet header.
>> This means that I'm left with the option to alter packet header to be able
>> to tag it.
>> Can you recommend which packet header to alter to be able to tag?
>
>I'd say the IP ToS field may be the most intuitive/easy one. Unfortunately
>it is rather intrusive, i.e. you may be interested in the original ToS
>value.
>
>Cheers,
>Paolo

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
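
The incremental idea raised at the top of this message (saving long-lasting conntrack sessions in small steps), sketched as an added example that is not code from pmacct, ulogd2 or either poster: poll `conntrack -L` periodically and store only per-flow byte deltas, so a reboot loses at most one polling interval. It assumes conntrack accounting is enabled (`net.netfilter.nf_conntrack_acct=1`) so that `bytes=` counters appear; the two dumps and the function names are constructed for illustration.

```python
import re

# Constructed `conntrack -L` dumps from two consecutive polls (not real traffic).
POLL_1 = """\
tcp 6 431990 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 packets=12 bytes=3400 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 packets=10 bytes=9000 [ASSURED] mark=0 use=1
udp 17 25 src=192.168.1.11 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=60 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 packets=1 bytes=120 mark=0 use=1
"""
POLL_2 = """\
tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 packets=20 bytes=5400 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 packets=18 bytes=15000 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.12 dst=198.51.100.7 sport=51500 dport=443 packets=4 bytes=500 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51500 packets=3 bytes=700 [ASSURED] mark=0 use=1
"""

def parse(dump):
    """Map original-direction flow key -> (orig_bytes, reply_bytes)."""
    flows = {}
    for line in dump.splitlines():
        fields = re.findall(r"(\w+)=(\S+)", line)
        counts = [int(v) for k, v in fields if k == "bytes"]
        if len(counts) != 2:
            continue  # accounting disabled, blank or malformed line
        first = {}
        for k, v in fields:
            first.setdefault(k, v)  # first occurrence = original (pre-NAT) direction
        key = (line.split()[0], first["src"], first["dst"],
               first.get("sport"), first.get("dport"))  # ICMP has no ports
        flows[key] = tuple(counts)
    return flows

def deltas(prev, curr):
    """Bytes to account for this interval, keyed by the pre-NAT tuple."""
    out = {}
    for key, (orig, reply) in curr.items():
        p_orig, p_reply = prev.get(key, (0, 0))
        if orig < p_orig or reply < p_reply:
            p_orig, p_reply = 0, 0  # counters went backwards: tuple reused by a new flow
        step = (orig - p_orig, reply - p_reply)
        if step != (0, 0):
            out[key] = step
    return out

if __name__ == "__main__":
    for key, step in deltas(parse(POLL_1), parse(POLL_2)).items():
        print(key, step)
```

A flow that disappears between two polls (the UDP entry here) loses whatever it transferred after the last poll, so polling complements rather than replaces logging destroy events.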
