I just discovered pmacct.
I read the documentation and examples, but wasn't able to obtain the result I
want. I also looked at this mailing list for the current year.
I want to log each TCP and UDP connection:
I just don't want to log each packet, because of the huge storage involved.
For example, an SSH connection will only produce one log line, indicating from
where (src ip:port) to where (dst ip:port) how (proto) and when (start:end or
start:duration). Total bytes and/or packets are nice too.
Ideally other protocols should be treated in the same way, but this is not an
I tested with:
pmacctd -P print -O csv -r 60 -i eth0 -c
But this doesn't do what I need: each packet has its own line because I use
timestamps. So I removed the timestamps but for example if two TCP connections
with the same src_ip:port dst_ip:port are made one after another, they are all added
and displayed on the same line (okay, I can do with this). And of course I
don't have the start timestamp nor the duration, which is mandatory.
The log will be written to a flat file.
I can manage without problem to have "60 seconds blocks" (this is an arbitrary
duration): if a connection crosses the boundary of a 60 second block, I have no
problem (partially) seeing this connection once on each block.
Is it doable with pmacct?
If yes, how?
I hope my question is clear enough.
Feel free to ask for clarifications.
pmacct-discussion mailing list