Read forwarded messages.

---------- Forwarded message ----------
From: Paolo Lucente <pa...@pmacct.net>
Date: Aug 10, 2007 8:11 PM
Subject: Re: [pmacct-discussion] pmacct and iptables' mark
To: pmacct-discussion@pmacct.net


Hi Alexander,

 I'm not familiar with iptables, so I'll just line up some thoughts
 - hoping they could apply. In case iptables marks packets using the
 standard IP ToS field, it's pretty straightforward to intercept such
 traffic - by any 3rd party application, not only pmacct.

 If the above holds and you need to aggregate (not filter) the marked
 traffic, it's as easy as instructing pmacct to do so:

 aggregate[city]: tos

 If, instead, you need to filter such traffic but intend to aggregate
 it in some other way, then, you will need to resort to the libpcap-
 style filter encoded in the aggregate_filter directive:

 aggregate_filter: 'ip[1] & 0x10 != 0'

 The above, for example, will select only IP packets with a value of
 0x10 in the IP ToS field. Be careful, as you might need to escape
 some characters or remove the '' to make it work properly in the
 configuration file.

 If iptables doesn't make use of the IP ToS field then intercepting the
 tags grossly depends on how and where they are encoded. In such a
 case, feel free to point at some documentation that briefly explains.

 Hope it helps.

 Cheers,
 Paolo


 On Wed, Aug 08, 2007 at 04:50:02PM +0500, ?????????????????? ??. ???????????? wrote:
 > I have to aggregate all packets marked by iptables like this:
 > iptables -t mangle -A FORWARD -s 91.196.76.32/27 -j MARK --set-mark 5
 > ...and also some amount of mark rules.
 >
 > But I didn't find any information about libpcap/tcpdump expression for
 > iptables' marks. There is some BSD's pf marks but I'm running Linux.
 >
 > Now I resolved this task, but I think this is not a very good idea:
 > aggregate_filter[city]: dst net 192.168.2.0/24 and src net
 > (195.158.8.32/30 or 195.158.5.4/30 or ... [also very lot of nets] ...
 > or 89.146.64.0/18)
 >
 > --
 > Alexander Merniy



On 12/11/08, Svavar Örn Eysteinsson <sva...@fiton.is> wrote:
> Hi.
>
>  How can I collect only "international" traffic from pmacct ?
>  I have all the Icelandic Networks in my network file
>  and would like to filter only 0.0.0.0 traffic into my LAN,
>  192.168.1.0/24
>  and from my LAN. e.g. incoming and outgoing international traffic
>
>  Is that possible ?
>
>  My sql database includes both domestic and 0.0.0.0 data, but my domestic
>  data collection is useless.
>
>  My current config is :
>
>  interface:eth1
>  daemonize:false
>  promisc:false
>  interface_wait:true
>  plugins:mysql[in], mysql[out]
>  plugin_pipe_size: 1024000
>  plugin_buffer_size: 8192
>  sql_host:sqlserver
>  sql_user:username
>  sql_passwd:password
>  sql_db:databasename
>  sql_table_version: 1
>  sql_refresh_time: 60
>  sql_history: 5m
>  sql_history_roundoff: h
>  sql_optimize_clauses: true
>  sql_dont_try_update: false
>  sql_recovery_logfile[in]: /opt/pmacct/recovery-in.sql
>  sql_recovery_logfile[out]: /opt/pmacct/recovery-out.sql
>  sql_table_schema: /opt/pmacct/schema/tables.sql
>  networks_file: /opt/pmacct-fiton/etc/icelandic-networks.txt
>  ports_file: /opt/pmacct-fiton/etc/ports
>
>  aggregate[in]: dst_host,src_host,dst_port,src_port
>  aggregate_filter[in]: dst net 192.168.1.0/24
>  sql_table[in]: acct_in_%d_%m_%Y
>  aggregate[out]: src_host,src_port,dst_host,dst_port
>  aggregate_filter[out]: src net 192.168.1.0/24
>  sql_table[out]: acct_out_%d_%m_%Y
>
>
>  Thanks in advance.
>
>  Best regards,
>
>  Svavar
>
>
>
>
>  _______________________________________________
>  pmacct-discussion mailing list
>  http://www.pmacct.net/#mailinglists
>


-- 
With best regards,
Александр
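
An added example, not part of the original thread and not pmacct code: what a libpcap-style test on ip[1] (the ToS byte at offset 1 of the IPv4 header) selects, comparing the bit-mask form quoted in the forwarded reply with an exact-value test. The headers are constructed samples, the function names are made up for this illustration, and it assumes the marking is actually present in the ToS byte on the wire.

```python
import socket
import struct

def ipv4_header(tos, src="91.196.76.33", dst="192.168.2.10"):
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def tos_byte(packet):
    """Return what the filter calls ip[1], or None if this is not usable IPv4."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # truncated or non-IPv4: an 'ip[...]' test never matches
    return packet[1]

def matches_bit(packet, mask=0x10):
    """Equivalent of 'ip[1] & 0x10 != 0': true when any bit of the mask is set."""
    tos = tos_byte(packet)
    return tos is not None and (tos & mask) != 0

def matches_exact(packet, value=0x10):
    """Equivalent of 'ip[1] = 0x10': true only when the whole byte equals value."""
    return tos_byte(packet) == value

def compare(tos_values):
    """Return (tos, bit_match, exact_match) for each constructed header."""
    return [(t, matches_bit(ipv4_header(t)), matches_exact(ipv4_header(t)))
            for t in tos_values]

if __name__ == "__main__":
    # 0x14 and 0xb8 (DSCP EF) also carry the 0x10 bit, so the mask test
    # accepts them while the exact test does not.
    for tos, bit, exact in compare([0x00, 0x08, 0x10, 0x14, 0xb8]):
        print(f"tos=0x{tos:02x}  mask-test={bit!s:5}  exact-test={exact}")
```

The iptables MARK target sets a kernel-internal packet mark that is not written into the packet, so a capture-based filter can only see it if a separate rule also places a value in a header field such as ToS.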