Hi Hiep,

sum_port may somehow come to the rescue, but YMMV with it; it may very well start doing sums for all ports, i.e. 18051, 55932, 55933, etc. So 18051 will contain your 8 packets, but then, unless port 18051 is meaningful to you so that you can trash all the rest (on query), it may lead to problems, i.e. over-counting of traffic if you ever dare doing totals. Most probably you are looking for an ad-hoc feature for this, for which I'd be looking for some extra information, i.e. how to do the grouping? By volume? By filtering? etc., that we can exchange 1:1.
Cheers,
Paolo

On Tue, Nov 01, 2016 at 03:00:27PM +0000, Hiep Huynh wrote:
> Greetings Paolo,
>
> Currently, pmacctd reports traffic going each direction as follows when
> aggregating on src_host, dst_host, src_port, dst_port, and protocol:
>
> SRC_IP       DST_IP       SRC_PORT  DST_PORT  PROTOCOL  PACKETS  BYTES
> 10.0.22.19   10.0.22.163  55932     18051     tcp       2        1445
> 10.0.22.163  10.0.22.19   18051     55932     tcp       1        1371
> 10.0.22.19   10.0.22.163  55933     18051     tcp       4        6904
> 10.0.22.163  10.0.22.19   18051     55933     tcp       1        290
>
> We can see that 10.0.22.19 is a client that's opening random ports in order
> to communicate to the same service port (18051) on 10.0.22.163. The service
> on 18051 responds in return, resulting in traffic going the opposite
> direction. My DESIRED RESULT would be the summation of all traffic involving
> a detected common destination port (in this case 18051):
>
> SRC_IP       DST_IP       DST_PORT  PROTOCOL  PACKETS  BYTES
> 10.0.22.19   10.0.22.163  18051     tcp       8        10010
>
> If I omit src_port then aggregate only on src_host, dst_host, dst_port, and
> protocol, I get the following output that has two extra rows that I would
> like to be summed into the first row:
>
> SRC_IP       DST_IP       DST_PORT  PROTOCOL  PACKETS  BYTES
> 10.0.22.19   10.0.22.163  18051     tcp       6        8349
> 10.0.22.163  10.0.22.19   55932     tcp       1        1371
> 10.0.22.163  10.0.22.19   55933     tcp       1        290
>
> Is there a way for pmacctd to track the traffic and group the flows to
> produce an aggregate like my desired result? Can anyone suggest how this can
> be accomplished WITHIN pmacctd using any combination of config
> keys/directives like aggregate, pcap_filter, aggregate_filters, etc...?
>
> Grazie!
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
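The grouping Hiep describes (fold both directions of each connection onto the detected service port and sum packets and bytes) can be done as a post-processing step over pmacctd's per-direction output. The block below is an added example, not pmacct code; it picks the service endpoint with a heuristic (the (ip, port) seen in the most flows, lower port on a tie) and runs it over constructed rows mirroring the table in the post.

```python
from collections import Counter, defaultdict

# Constructed sample rows mirroring the per-direction pmacctd output quoted above:
# (src_ip, dst_ip, src_port, dst_port, proto, packets, bytes)
FLOWS = [
    ("10.0.22.19", "10.0.22.163", 55932, 18051, "tcp", 2, 1445),
    ("10.0.22.163", "10.0.22.19", 18051, 55932, "tcp", 1, 1371),
    ("10.0.22.19", "10.0.22.163", 55933, 18051, "tcp", 4, 6904),
    ("10.0.22.163", "10.0.22.19", 18051, 55933, "tcp", 1, 290),
]


def endpoint_counts(flows):
    """Count how many flows each (ip, port) endpoint takes part in, in either role."""
    counts = Counter()
    for src, dst, sport, dport, _proto, _pk, _by in flows:
        counts[(src, sport)] += 1
        counts[(dst, dport)] += 1
    return counts


def service_side(flow, counts):
    """Return (client_ip, server_ip, server_port) for one flow.

    Heuristic (an assumption, not a pmacct rule): the endpoint that appears in
    more flows is the service; on a tie the lower port number wins.
    """
    src, dst, sport, dport = flow[:4]
    a, b = (src, sport), (dst, dport)
    if (counts[a], -sport) > (counts[b], -dport):
        return dst, src, sport      # source side is the service
    return src, dst, dport          # destination side is the service


def aggregate_by_service(flows):
    """Sum packets and bytes per (client_ip, server_ip, server_port, proto)."""
    counts = endpoint_counts(flows)
    totals = defaultdict(lambda: [0, 0])
    for flow in flows:
        client, server, port = service_side(flow, counts)
        proto, packets, nbytes = flow[4], flow[5], flow[6]
        totals[(client, server, port, proto)][0] += packets
        totals[(client, server, port, proto)][1] += nbytes
    return {key: tuple(v) for key, v in totals.items()}


if __name__ == "__main__":
    print("CLIENT_IP SERVER_IP SERVER_PORT PROTOCOL PACKETS BYTES")
    for (client, server, port, proto), (pk, by) in aggregate_by_service(FLOWS).items():
        print(client, server, port, proto, pk, by)
```

Because the heuristic keys on endpoint commonality rather than a fixed port list, it also handles a client reaching several services; totals are counted once per connection, so summing the output does not double-count.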