Hi, I just discovered pmacct. I read the documentation and examples, but wasn't able to obtain the result I want. I also looked at this mailing list for the current year.

I want to log each TCP and UDP connection: src_host,dst_host,src_port,dst_port,proto,timestamp_start,timestamp_end (or timestamp_start,duration). I just don't want to log each packet, because of the huge storage involved. For example, an SSH connection will only produce one log line, indicating from where (src ip:port) to where (dst ip:port), how (proto) and when (start:end or start:duration). Total bytes and/or packets are nice too. Ideally other protocols should be treated in the same way, but this is not an issue.

I tested with:

pmacctd -P print -O csv -r 60 -i eth0 -c src_host,dst_host,src_port,dst_port,proto,timestamp_start,timestamp_end

But this doesn't do what I need: each packet has its own line because I use timestamps. So I removed the timestamps, but then, for example, if two TCP connections with the same src_ip:port dst_ip:port are made one after the other, they are all added up and displayed on the same line (okay, I can live with this). And of course I don't have the start timestamp nor the duration, which is mandatory.

The log will be written to a flat file. I can manage without problem to have "60 seconds blocks" (this is an arbitrary duration): if a connection crosses the boundary of a 60 second block, I have no problem (partially) seeing this connection once in each block.

Is it doable with pmacct? If yes, how? I hope my question is clear enough. Feel free to ask for clarifications.
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
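As an added illustration (not from the original post or from the pmacct project), the collapsing the poster describes can be done as a post-processing step over the per-packet CSV that the print plugin emits with timestamps enabled: group rows by the 5-tuple and by 60-second block, keep the earliest start and latest end, and sum packets and bytes. The header names and the sample rows below are constructed assumptions, not verified pmacct output.

```python
import csv
import io
from collections import OrderedDict

# Constructed sample of per-packet CSV in the column layout this example
# assumes (column names are an assumption, not real pmacct output).
SAMPLE_CSV = """SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TIMESTAMP_START,TIMESTAMP_END,PACKETS,BYTES
192.0.2.10,198.51.100.5,51234,22,tcp,1700000000.100000,1700000000.100000,1,74
198.51.100.5,192.0.2.10,22,51234,tcp,1700000000.120000,1700000000.120000,1,74
192.0.2.10,198.51.100.5,51234,22,tcp,1700000005.500000,1700000005.500000,1,1500
192.0.2.10,198.51.100.5,51234,22,tcp,1700000065.000000,1700000065.000000,1,52
192.0.2.10,198.51.100.9,40000,53,udp,1700000030.000000,1700000030.000000,1,80
"""

BLOCK_SECONDS = 60  # the arbitrary "60 seconds block" from the post


def flow_key(row):
    """Directional 5-tuple, matching the src/dst aggregation the poster used."""
    return (row["SRC_IP"], row["DST_IP"], row["SRC_PORT"], row["DST_PORT"], row["PROTOCOL"])


def collapse(text, block=BLOCK_SECONDS):
    """Collapse per-packet rows into one record per (5-tuple, time block).

    A connection crossing a block boundary yields one partial record per
    block, as the poster said is acceptable. Returns records in first-seen order.
    """
    flows = OrderedDict()
    for row in csv.DictReader(io.StringIO(text)):
        ts = float(row["TIMESTAMP_START"])
        te = float(row["TIMESTAMP_END"])
        key = flow_key(row) + (int(ts // block),)  # block index splits long flows
        rec = flows.get(key)
        if rec is None:
            rec = {"src_host": row["SRC_IP"], "dst_host": row["DST_IP"],
                   "src_port": int(row["SRC_PORT"]), "dst_port": int(row["DST_PORT"]),
                   "proto": row["PROTOCOL"], "timestamp_start": ts,
                   "timestamp_end": te, "packets": 0, "bytes": 0}
            flows[key] = rec
        rec["timestamp_start"] = min(rec["timestamp_start"], ts)  # earliest packet
        rec["timestamp_end"] = max(rec["timestamp_end"], te)      # latest packet
        rec["packets"] += int(row["PACKETS"])
        rec["bytes"] += int(row["BYTES"])
    for rec in flows.values():
        rec["duration"] = rec["timestamp_end"] - rec["timestamp_start"]
    return list(flows.values())


if __name__ == "__main__":
    for rec in collapse(SAMPLE_CSV):
        print(",".join(str(rec[k]) for k in ("src_host", "dst_host", "src_port", "dst_port",
                                             "proto", "timestamp_start", "duration",
                                             "packets", "bytes")))
```

The sample yields four records: the SSH client-to-server flow split across two 60-second blocks, its reverse direction, and the single UDP query.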