Greetings Paolo,
Currently, pmacctd reports traffic going each direction as follows when aggregating on src_host, dst_host, src_port, dst_port, and protocol:

SRC_IP       DST_IP       SRC_PORT  DST_PORT  PROTOCOL  PACKETS  BYTES
10.0.22.19   10.0.22.163  55932     18051     tcp       2        1445
10.0.22.163  10.0.22.19   18051     55932     tcp       1        1371
10.0.22.19   10.0.22.163  55933     18051     tcp       4        6904
10.0.22.163  10.0.22.19   18051     55933     tcp       1        290

We can see that 10.0.22.19 is a client that's opening random ports in order to communicate to the same service port (18051) on 10.0.22.163. The service on 18051 responds in return, resulting in traffic going the opposite direction.

My DESIRED RESULT would be the summation of all traffic involving a detected common destination port (in this case 18051):

SRC_IP       DST_IP       DST_PORT  PROTOCOL  PACKETS  BYTES
10.0.22.19   10.0.22.163  18051     tcp       8        10010

If I omit src_port then aggregate only on src_host, dst_host, dst_port, and protocol, I get the following output that has two extra rows that I would like to be summed into the first row:

SRC_IP       DST_IP       DST_PORT  PROTOCOL  PACKETS  BYTES
10.0.22.19   10.0.22.163  18051     tcp       6        8349
10.0.22.163  10.0.22.19   55932     tcp       1        1371
10.0.22.163  10.0.22.19   55933     tcp       1        290

Is there a way for pmacctd to track the traffic and group the flows to produce an aggregate like my desired result? Can anyone suggest how this can be accomplished WITHIN pmacctd using any combination of config keys/directives like aggregate, pcap_filter, aggregate_filters, etc...?

Grazie!
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
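
The summation the post asks for, computed as post-processing of the five-tuple output rather than inside pmacctd (an added example, not part of the original message and not pmacct code). The function name and the tie-break rule (the lower port wins when both endpoints have the same number of peers) are assumptions; the sample rows are the four from the post.

```python
from collections import defaultdict

# Constructed sample: the four five-tuple rows quoted in the post
# (src_ip, dst_ip, src_port, dst_port, protocol, packets, bytes).
ROWS = [
    ("10.0.22.19", "10.0.22.163", 55932, 18051, "tcp", 2, 1445),
    ("10.0.22.163", "10.0.22.19", 18051, 55932, "tcp", 1, 1371),
    ("10.0.22.19", "10.0.22.163", 55933, 18051, "tcp", 4, 6904),
    ("10.0.22.163", "10.0.22.19", 18051, 55933, "tcp", 1, 290),
]


def merge_by_service_port(rows):
    """Fold both directions of each conversation into one
    (client_ip, server_ip, service_port, protocol) row."""
    # For every (protocol, ip, port) endpoint, collect the distinct peers it
    # talks to. A service port is reused across many client ephemeral ports,
    # so the service endpoint ends up with the larger peer set.
    peers = defaultdict(set)
    for src, dst, sport, dport, proto, _pkts, _bytes in rows:
        peers[(proto, src, sport)].add((dst, dport))
        peers[(proto, dst, dport)].add((src, sport))

    totals = defaultdict(lambda: [0, 0])
    for src, dst, sport, dport, proto, pkts, nbytes in rows:
        def rank(endpoint):
            ip, port = endpoint
            # More peers wins; on a tie the lower port is taken as the
            # service (assumption), then the IP makes the choice stable
            # for both directions of the same conversation.
            return (len(peers[(proto, ip, port)]), -port, ip)

        a, b = (src, sport), (dst, dport)
        server = max(a, b, key=rank)
        client = b if server == a else a
        key = (client[0], server[0], server[1], proto)
        totals[key][0] += pkts
        totals[key][1] += nbytes
    return {key: tuple(value) for key, value in totals.items()}


if __name__ == "__main__":
    print("SRC_IP DST_IP DST_PORT PROTOCOL PACKETS BYTES")
    for (cli, srv, port, proto), (pkts, nbytes) in merge_by_service_port(ROWS).items():
        print(cli, srv, port, proto, pkts, nbytes)
```

With only one conversation between two hosts there is no repeated port to detect, so the result depends entirely on the lower-port assumption.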