I just discovered pmacct.
I read the documentation and examples, but wasn't able to obtain the result I 
want. I also looked at this mailing list for the current year. 

I want to log each TCP and UDP connection:
src_host,dst_host,src_port,dst_port,proto,timestamp_start,timestamp_end (or 
I just don't want to log each packet, because of the huge storage involved. 

For example, an SSH connection will only produce one log line, indicating from
where (src ip:port) to where (dst ip:port) how (proto) and when (start:end or 
start:duration). Total bytes and/or packets are nice too. 
Ideally other protocols should be treated in the same way, but this is not an 

I tested with: 
pmacctd -P print -O csv -r 60 -i eth0 -c 

But this doesn't do what I need: each packet has its own line because I use
timestamps. So I removed the timestamps but for example if two TCP connections 
with the same src_ip:port dst_ip:port are made one after the other, they are all added
and displayed on the same line (okay, I can do with this). And of course I 
don't have the start timestamp nor the duration, which is mandatory. 

The log will be written to a flat file. 
I can manage without problem to have "60 seconds blocks" (this is an arbitrary 
duration): if a connection crosses the boundary of a 60 second block, I have no
problem to (partially) see this connection once on each block. 

Is it doable with pmacct? 
If yes, how? 

I hope my question is clear enough.
Feel free to ask for clarifications. 

pmacct-discussion mailing list
