Hello,
Attached is a patch so that the text in EXAMPLES
is wrapped at 80 character columns so it can
be easily read in a regular sized text interface.
One example command is broken into two lines
with a trailing \ line continuation char.
One example command is too long to wrap.
Against cvs head. To apply:
cd pmacct
patch < example.patch
Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
--- ../pmacct/EXAMPLES Wed Jul 16 17:38:42 2008
+++ EXAMPLES Sat Feb 28 20:46:43 2009
@@ -17,31 +17,36 @@
I. Plugins included with pmacct distribution
-As for any open and pluggable architecture, anyone could write his own plugins for pmacct;
-what follows is the list of plugins included in the official pmacct distribution. That is,
-what can do pmacct once it has collected data from the network ?
+As for any open and pluggable architecture, anyone could write his own
+plugins for pmacct; what follows is the list of plugins included in
+the official pmacct distribution. That is, what can do pmacct once it
+has collected data from the network?
-'memory': data are stored in a tunable memory table and can be fetched via the pmacct client
- tool, 'pmacct'. It also allows easily data injection into tools like GNUplot, MRTG,
- RRDtool or a Net-SNMP server.
+'memory': data are stored in a tunable memory table and can be fetched
+ via the pmacct client tool, 'pmacct'. It also allows easily
+ data injection into
+ tools like GNUplot, MRTG, RRDtool or a Net-SNMP server.
'mysql': an available MySQL database is selected for data storage.
-'pgsql': an available PostgreSQL database is selected for data storage.
-'sqlite3': an available SQLite 3.x database is selected for data storage.
-'print': data are simply pulled to standard output (ie. on the screen) in a way similar to
- tcpdump.
+'pgsql': an available PostgreSQL database is selected for data
+ storage.
+'sqlite3': an available SQLite 3.x database is selected for data
+ storage.
+'print': data are simply pulled to standard output (ie. on the screen)
+ in a way similar to tcpdump.
II. Configuring pmacct for compilation
-The simplest chance is to let the configure script to test default headers and libraries
-locations for you. However note that this will not enable any of the optional plugins, ie.
-MySQL, PostgreSQL and SQLite 3.x; at your convenience you may also enable IPv6 hooks and
-64bit counters. Let's continue with some examples; as usual, to get help and the list of
-available switches:
+The simplest chance is to let the configure script to test default
+headers and libraries locations for you. However note that this will
+not enable any of the optional plugins, ie. MySQL, PostgreSQL and
+SQLite 3.x; at your convenience you may also enable IPv6 hooks and
+64bit counters. Let's continue with some examples; as usual, to get
+help and the list of available switches:
shell> ./configure --help
-Examples on how to enable the support for (1) MySQL, (2) PostgreSQL, (3) SQLite and any (4)
-mixed compilation:
+Examples on how to enable the support for (1) MySQL, (2) PostgreSQL,
+(3) SQLite and any (4) mixed compilation:
(1) shell> ./configure --enable-mysql
(2) shell> ./configure --enable-pgsql
@@ -50,20 +55,24 @@
III. Brief SQL setup examples
-Scripts for setting up databases (MySQL, PostgreSQL and SQLite) are into the sql/ tree. Once
-there, if you need an IPv6-ready package, don't miss the 'README.IPv6' document. Examples to
-create database, tables and grant default permissions will follow.
+Scripts for setting up databases (MySQL, PostgreSQL and SQLite) are
+into the sql/ tree. Once there, if you need an IPv6-ready package,
+don't miss the 'README.IPv6' document. Examples to create database,
+tables and grant default permissions will follow.
IIIa. SQL table versioning
-pmacct version 0.7.1 introduced SQL table versioning: what is it ? It allows to introduce new
-features over the time (which translate in changes to the SQL schema) without giving the pain
-of breaking backward compatibility. Mind to specify EVERYTIME which SQL table version you
-intend to adhere to as this will strongly influence the way collected data will be written to
-the database (ie. until v5 AS numbers are written into ip_src-ip_dst table fields; since v6
-they are written to as_src-as-dst ones). Furthermore, 'sql_optimize_clauses' directive allows
-to run stripped-down versions of each SQL table thus allowing to save both disk space and CPU
-cycles required to run the SQL engine (read more about it in CONFIG-KEYS). To specify the SQL
-table version, you an use either of the following rules:
+pmacct version 0.7.1 introduced SQL table versioning: what is it ? It
+allows to introduce new features over the time (which translate in
+changes to the SQL schema) without giving the pain of breaking
+backward compatibility. Mind to specify EVERYTIME which SQL table
+version you intend to adhere to as this will strongly influence the
+way collected data will be written to the database (ie. until v5 AS
+numbers are written into ip_src-ip_dst table fields; since v6 they are
+written to as_src-as-dst ones). Furthermore, 'sql_optimize_clauses'
+directive allows to run stripped-down versions of each SQL table thus
+allowing to save both disk space and CPU cycles required to run the
+SQL engine (read more about it in CONFIG-KEYS). To specify the SQL
+table version, you an use either of the following rules:
commandline: '-v [ 1 | 2 | 3 | 4 | 5 | 6 | 7 ]'
configuration: 'sql_table_version: [ 1 | 2 | 3 | 4 | 5 | 6 | 7 ]'
@@ -71,11 +80,14 @@
To understand difference between v1, v2, v3, v4, v5 and v6 tables:
- Do you need TCP flags ? Then you have to use v7.
-- Do you need both IP addresses and AS numbers in the same table ? Then you have to use v6.
+- Do you need both IP addresses and AS numbers in the same table ?
+ Then you have to use v6.
- Do you need packet classification ? Then you have to use v5.
-- Do you need flows (other than packets) accounting ? Then you have to use v4.
+- Do you need flows (other than packets) accounting ? Then you have to
+ use v4.
- Do you need ToS/DSCP field (QoS) accounting ? Then you have to use v3.
-- Do you need agent ID for distributed accounting and packet tagging ? Then you have to use v2.
+- Do you need agent ID for distributed accounting and packet tagging ?
+ Then you have to use v2.
- Do you need VLAN traffic accounting ? Then you have to use v2.
- If all of the above point sound useless for you, then use v1.
@@ -97,9 +109,10 @@
... And so on for the newer versions.
IIIc. PostgreSQL examples
-Which user has to execute the following two scripts and how to autenticate with the PostgreSQL
-server depends upon your current configuration. Keep in mind that both scripts need postgres
-superuser permissions to execute some commands successfully:
+Which user has to execute the following two scripts and how to
+autenticate with the PostgreSQL server depends upon your current
+configuration. Keep in mind that both scripts need postgres superuser
+permissions to execute some commands successfully:
shell> cp -p *.pgsql /tmp
shell> su - postgres
@@ -113,12 +126,13 @@
... And so on for the newer versions.
-A few tables will be created into 'pmacct' DB. 'acct' ('acct_v2' or 'acct_v3') table is
-the default table where data will be written when in 'typed' mode (see 'sql_data' option
-in CONFIG-KEYS document; default value is 'typed'); 'acct_uni' ('acct_uni_v2' or
-'acct_uni_v3') is the default table where data will be written when in 'unified' mode.
-Since v6 unified mode will be no longer supported: an unique table ('acct_v6', etc.) is
-used instead.
+A few tables will be created into 'pmacct' DB. 'acct' ('acct_v2' or
+'acct_v3') table is the default table where data will be written when
+in 'typed' mode (see 'sql_data' option in CONFIG-KEYS document;
+default value is 'typed'); 'acct_uni' ('acct_uni_v2' or 'acct_uni_v3')
+is the default table where data will be written when in 'unified'
+mode. Since v6 unified mode will be no longer supported: an unique
+table ('acct_v6', etc.) is used instead.
IIId. SQLite examples
shell> cd sql/
@@ -126,8 +140,9 @@
- To create v1 tables:
shell> sqlite3 /tmp/pmacct.db < pmacct-create-table.sqlite3
-Data will be available in 'acct' table of '/tmp/pmacct.db' DB. Of course, you can change
-the database filename basing on your preferences.
+Data will be available in 'acct' table of '/tmp/pmacct.db' DB. Of
+course, you can change the database filename basing on your
+preferences.
- To create v2 tables:
shell> sqlite3 /tmp/pmacct.db < pmacct-create-table_v2.sqlite3
@@ -138,23 +153,28 @@
IV. Running the libpcap-based daemon (pmacctd)
-You can run pmacctd either with commandline options or using a configuration file. Please remember
-that sample configuration files are in examples/ tree. Note also that most of the new features are
-available only as configuration directives (so, no commandline switches). Using a configuration file
-and commandline switches is mutual exclusive. To be aware of the existing configuration directives,
-please read the CONFIG-KEYS document.
+You can run pmacctd either with commandline options or using a
+configuration file. Please remember that sample configuration files
+are in examples/ tree. Note also that most of the new features are
+available only as configuration directives (so, no commandline
+switches). Using a configuration file and commandline switches is
+mutual exclusive. To be aware of the existing configuration
+directives, please read the CONFIG-KEYS document.
Show all available pmacctd commandline switches:
shell> pmacctd -h
-Run pmacctd reading configuration from a specified file (see examples/ tree for a brief list of some
-commonly useed keys; divert your eyes to CONFIG-KEYS for the full list). This example applies to all
-other daemons too:
+Run pmacctd reading configuration from a specified file (see examples/
+tree for a brief list of some commonly useed keys; divert your eyes to
+CONFIG-KEYS for the full list). This example applies to all other
+daemons too:
shell> pmacctd -f pmacctd.conf
-Daemonize the process; listen on eth0; aggregate data by src_host/dst_host; write to a MySQL server;
-limit traffic matching only source ip network 10.0.0.0/16; note that filters work the same as tcpdump.
-So, refer to libpcap/tcpdump man pages for examples and further reading.
+Daemonize the process; listen on eth0; aggregate data by
+src_host/dst_host; write to a MySQL server; limit traffic matching
+only source ip network 10.0.0.0/16; note that filters work the same as
+tcpdump. So, refer to libpcap/tcpdump man pages for examples and
+further reading.
shell> pmacctd -D -c src_host,dst_host -i eth0 -P mysql src net 10.0.0.0/16
@@ -167,8 +187,8 @@
pcap_filter: src net 10.0.0.0/16
! ...
-Print collected traffic data aggregated by src_host/dst_host over the screen; refresh data every 30
-seconds and listen on eth0.
+Print collected traffic data aggregated by src_host/dst_host over the
+screen; refresh data every 30 seconds and listen on eth0.
shell> pmacctd -P print -r 30 -i eth0 -c src_host,dst_host
@@ -179,9 +199,10 @@
interface: eth0
! ...
-Daemonize the process; let pmacct aggregate traffic in order to show inbound vs. outbound traffic
-for network 192.168.0.0/16; send data to a PostgreSQL server. This configuration is not possible via
-commandline switches; the corresponding configuration follows:
+Daemonize the process; let pmacct aggregate traffic in order to show
+inbound vs. outbound traffic for network 192.168.0.0/16; send data to
+a PostgreSQL server. This configuration is not possible via
+commandline switches; the corresponding configuration follows:
!
daemonize: true
@@ -194,8 +215,9 @@
sql_table[out]: acct_out
! ...
-The previous example looks nice ! But how to make data historical ? Simple enough, let's suppose to
-divide traffic by hour and we wish to refresh data into the database each 60 seconds.
+The previous example looks nice ! But how to make data historical ?
+Simple enough, let's suppose to divide traffic by hour and we wish to
+refresh data into the database each 60 seconds.
!
daemonize: true
@@ -211,10 +233,12 @@
sql_history_roundoff: h
! ...
-Let's now translate the same example in the memory plugin world. It's use is valuable expecially
-when it's required to feed bytes/packets/flows counters to external programs. Examples about the
-client program will follow later in this document. Now, note that each memory table need its own
-pipe file in order to get correctly contacted by the client:
+Let's now translate the same example in the memory plugin world. It's
+use is valuable expecially when it's required to feed
+bytes/packets/flows counters to external programs. Examples about the
+client program will follow later in this document. Now, note that each
+memory table need its own pipe file in order to get correctly
+contacted by the client:
!
daemonize: true
@@ -227,34 +251,41 @@
imt_path[out]: /tmp/pmacct_out.pipe
! ...
-As a further note, check the CONFIG-KEYS document about more imt_* directives as they will help
-to tune the size of memory tables, if default values are not ok for your setup.
+As a further note, check the CONFIG-KEYS document about more imt_*
+directives as they will help to tune the size of memory tables, if
+default values are not ok for your setup.
-Now, fire multiple instances of pmacctd, each on a different interface; again, because each instance will
-have its own memory table, it will require its own pipe file for client queries aswell (as explained in
-the previous examples):
+Now, fire multiple instances of pmacctd, each on a different
+interface; again, because each instance will have its own memory
+table, it will require its own pipe file for client queries aswell (as
+explained in the previous examples):
shell> pmacctd -D -i eth0 -m 8 -s 65535 -p /tmp/pipe.eth0
shell> pmacctd -D -i ppp0 -m 0 -s 32768 -p /tmp/pipe.ppp0
-Run pmacctd logging what happens to syslog and using "local2" facility:
+Run pmacctd logging what happens to syslog and using "local2"
+facility:
shell> pmacctd -c src_host,dst_host -S local2
-NOTE: superuser privileges are needed to execute pmacctd correctly.
+NOTE: superuser privileges are needed to execute pmacctd correctly.
V. Running the NetFlow and sFlow daemons (nfacctd/sfacctd)
-All examples about pmacctd are also valid for nfacctd and sfacctd with the exception of directives that apply
-exclusively to libpcap. If you've skipped examples in section 'IV', please read them before continuing. To be
-aware of all existing configuration keys available, please read also the CONFIG-KEYS document. And now, let's
-go to the examples:
+All examples about pmacctd are also valid for nfacctd and sfacctd with
+the exception of directives that apply exclusively to libpcap. If
+you've skipped examples in section 'IV', please read them before
+continuing. To be aware of all existing configuration keys available,
+please read also the CONFIG-KEYS document. And now, let's go to the
+examples:
Run nfacctd reading configuration from a specified file.
shell> nfacctd -f nfacctd.conf
-Daemonize the process; aggregate data by sum_host (by host, summing inbound + outbound traffic); write to a
-local MySQL server. Listen on port 5678 for incoming Netflow datagrams (from one or multiple NetFlow agents).
-Let's make pmacct refresh data each two minutes and let's make data historical, divided into timeslots of 10
-minutes each. Finally, let's make use of a SQL table, version 4.
+Daemonize the process; aggregate data by sum_host (by host, summing
+inbound + outbound traffic); write to a local MySQL server. Listen on
+port 5678 for incoming Netflow datagrams (from one or multiple NetFlow
+agents). Let's make pmacct refresh data each two minutes and let's
+make data historical, divided into timeslots of 10 minutes
+each. Finally, let's make use of a SQL table, version 4.
shell> nfacctd -D -c sum_host -P mysql -l 5678
And now written the configuration way:
@@ -270,11 +301,14 @@
! ...
VI. Running the pmacct client (pmacct)
-The pmacct client is used to gather data either from a memory table. Requests and answers are exchanged via a
-pipe file; hence, security is strictly connected with pipe file permissions. Of course, when using SQL plugins
-you will just need the specific DB client tool (ie. psql, mysql, sqlite3) to make queries. Note: while writing
-queries commandline, it may happen to write characters with a special meaning for the shell itself (ie. ; or *).
-Mind to either escape ( \; or \* ) or enclose in quotes ( " ) them.
+The pmacct client is used to gather data either from a memory
+table. Requests and answers are exchanged via a pipe file; hence,
+security is strictly connected with pipe file permissions. Of course,
+when using SQL plugins you will just need the specific DB client tool
+(ie. psql, mysql, sqlite3) to make queries. Note: while writing
+queries commandline, it may happen to write characters with a special
+meaning for the shell itself (ie. ; or *). Mind to either escape ( \;
+or \* ) or enclose in quotes ( " ) them.
Show all available pmacct client commandline switches:
shell> pmacct -h
@@ -282,73 +316,94 @@
Fetch data stored into the memory table:
shell> pmacct -s
-Match data between src_host 192.168.0.10 and dst_host 192.168.0.3 and return a formatted output; display all
-fields (-a), this way the output is easy to be parsed by tools like awk/sed; each unused field will be zero-
-filled:
+Match data between src_host 192.168.0.10 and dst_host 192.168.0.3 and
+return a formatted output; display all fields (-a), this way the
+output is easy to be parsed by tools like awk/sed; each unused field
+will be zero- filled:
shell> pmacct -c src_host,dst_host -M 192.168.0.10,192.168.0.3 -a
-Similar to previous example; we request to reset data for the matched entry/ies; the server will return the
-actual counters to the client, then will reset them:
+Similar to previous example; we request to reset data for the matched
+entry/ies; the server will return the actual counters to the client,
+then will reset them:
shell> pmacct -c src_host,dst_host -M 192.168.0.10,192.168.0.3 -r
-Fetch data for IP address dst_host 10.0.1.200; we also ask for a 'counter only' output ('-N') suitable, this
-time, for injecting data in tools like MRTG or RRDtool (mind that sample scripts are in the examples/ tree).
-Bytes counter will be returned (but the '-n' switch allows also select which counter to display). If more
-entries match your request (ie. because your query is based just over dst_host but the daemon is aggregating
-by src_host/dst_host) their counters will be summed:
+Fetch data for IP address dst_host 10.0.1.200; we also ask for a
+'counter only' output ('-N') suitable, this time, for injecting data
+in tools like MRTG or RRDtool (mind that sample scripts are in the
+examples/ tree). Bytes counter will be returned (but the '-n' switch
+allows also select which counter to display). If more entries match
+your request (ie. because your query is based just over dst_host but
+the daemon is aggregating by src_host/dst_host) their counters will be
+summed:
shell> pmacct -c dst_host -N 10.0.1.200
-Another query; this time let's contact the server listening on pipe file /tmp/pipe.eth0:
+Another query; this time let's contact the server listening on pipe
+file /tmp/pipe.eth0:
shell> pmacct -c sum_port -N 80 -p /tmp/pipe.eth0
-Find all data matching host 192.168.84.133 as either their source or destination address. In particular, this
-example shows how to use wildcards and how to spawn multiple queries (each separated by the ';' symbol). Take
-care to follow the same order when specifying the primitive name (-c) and its actual value ('-M' or '-N'):
+Find all data matching host 192.168.84.133 as either their source or
+destination address. In particular, this example shows how to use
+wildcards and how to spawn multiple queries (each separated by the ';'
+symbol). Take care to follow the same order when specifying the
+primitive name (-c) and its actual value ('-M' or '-N'):
shell> pmacct -c src_host,dst_host -N "192.168.84.133,*;*,192.168.84.133"
-Find all web and smtp traffic; we are interested in have just the total of such traffic (for example, to
-split legal network usage from the total); the output will be a unique counter, sum of the partial (coming
-from each query) values.
+Find all web and smtp traffic; we are interested in have just the
+total of such traffic (for example, to split legal network usage from
+the total); the output will be a unique counter, sum of the partial
+(coming from each query) values.
shell> pmacct -c src_port,dst_port -N "25,*;*,25;80,*;*,80" -S
-Show traffic between the specified hosts; this aims to be a simple example of a batch query; note that you
-can supply, as value of both '-N' and '-M' switches, a value like: 'file:/home/paolo/queries.list': actual
-values will be read from the specified file (and they need to be written into it, one per line) instead of
-commandline:
-shell> pmacct -c src_host,dst_host -N "10.0.0.10,10.0.0.1;10.0.0.9,10.0.0.1;10.0.0.8,10.0.0.1"
+Show traffic between the specified hosts; this aims to be a simple
+example of a batch query; note that you can supply, as value of both
+'-N' and '-M' switches, a value like: 'file:/home/paolo/queries.list':
+actual values will be read from the specified file (and they need to
+be written into it, one per line) instead of commandline:
+
+shell> pmacct -c src_host,dst_host \
+ -N "10.0.0.10,10.0.0.1;10.0.0.9,10.0.0.1;10.0.0.8,10.0.0.1"
shell> pmacct -c src_host,dst_host -N "file:/home/paolo/queries.list"
VII. Running the logfile players (pmmyplay and pmpgplay)
-Examples will be shown using "pmmyplay" tool; they are same way applicable to "pmpgplay" tool. Two methods
-are supported as failover action when something fails while talking with the DB: logfiles or backup DB. Note
-that using a logfile is a simple way to overcome transient failure situations that requires human intervention
-while using a backup DB could ease the following process of data merging.
+Examples will be shown using "pmmyplay" tool; they are same way
+applicable to "pmpgplay" tool. Two methods are supported as failover
+action when something fails while talking with the DB: logfiles or
+backup DB. Note that using a logfile is a simple way to overcome
+transient failure situations that requires human intervention while
+using a backup DB could ease the following process of data merging.
Display online help and available options:
shell> pmmyplay -h
-Play the whole specified file, inserting elements in the DB and enabling debug:
+Play the whole specified file, inserting elements in the DB and
+enabling debug:
shell> pmmyplay -d -f /tmp/pmacct-recovery.dat
-Just see on the screen the content of the supplied logfile; that is, do not interact with the DB:
+Just see on the screen the content of the supplied logfile; that is,
+do not interact with the DB:
shell> pmmyplay -d -t -f /tmp/pmacct-recovery.dat
-Play a single (-n 1) element (the fifth) from the specified file (useful if just curious or, for example, a
-previously player execution has failed to write some element; remember that all element failed to be written,
-if any, will be displayed over your screen):
+Play a single (-n 1) element (the fifth) from the specified file
+(useful if just curious or, for example, a previously player execution
+has failed to write some element; remember that all element failed to
+be written, if any, will be displayed over your screen):
shell> pmmyplay -o 5 -n 1 -f /tmp/pmacct-recovery.dat
-Play all elements until the end of file, starting from element number six:
+Play all elements until the end of file, starting from element number
+six:
shell> pmmyplay -o 6 -f /tmp/pmacct-recovery.dat -p ohwhatanicepwrd
VIII. Quickstart guide to packet classifiers
-pmacct 0.10.0 sees the introduction of a new packet classification feature. The approach is fully extensible:
-classification patterns are based over regular expressions (RE), human-readable, must be placed into a common
-directory and have a .pat file extension. Many patterns for widespread protocols are available and are just a
-click away. Furthermore, you can write your own patterns (and share them with the active L7-filter project's
-community). Don't miss a visit to the L7-filter project homepage, http://l7-filter.sourceforge.net/ .
+pmacct 0.10.0 sees the introduction of a new packet classification
+feature. The approach is fully extensible: classification patterns are
+based over regular expressions (RE), human-readable, must be placed
+into a common directory and have a .pat file extension. Many patterns
+for widespread protocols are available and are just a click
+away. Furthermore, you can write your own patterns (and share them
+with the active L7-filter project's community). Don't miss a visit to
+the L7-filter project homepage, http://l7-filter.sourceforge.net/.
Now, the quickstarter guide:
a) download pmacct
@@ -357,19 +412,23 @@
b) compile pmacct
shell> cd pmacct-x.y.z; ./configure && make && make install
-c-1) download regular expression (RE) classifiers as-you-need them: you need just to point your browser to
+c-1) download regular expression (RE) classifiers as-you-need them:
+ you need just to point your browser to
http://l7-filter.sourceforge.net/protocols/ then:
shell> cd /path/to/classifiers/
shell> wget http://l7-filter.sourceforge.net/layer7-protocols/protocols/[ protocol ].pat
-c-2) download all RE classifiers: point your browser to http://sourceforge.net/projects/l7-filter (and take
- to the latest Protocol definitions tarball).
+c-2) download all RE classifiers: point your browser to
+ http://sourceforge.net/projects/l7-filter (and take to the latest
+ Protocol definitions tarball).
-c-3) download shared object (SO) classifiers (written in C) as-you-need them: you need just to point your
- browser to http://www.pmacct.net/classification/ , download the available package, extract files and
- compile things following INSTALL instructions. When everything is finished, install the produced shared
- objects:
+c-3) download shared object (SO) classifiers (written in C)
+ as-you-need them: you need just to point your browser to
+ http://www.pmacct.net/classification/ , download the available
+ package, extract files and compile things following INSTALL
+ instructions. When everything is finished, install the produced
+ shared objects:
shell> mv *.so /path/to/classifiers/
@@ -401,19 +460,24 @@
shell> pmacctd -f /path/to/configuration/file
- You can now play with the SQL or pmacct client; furthermore, you can add/remove/write patterns and load
- them by restarting the pmacct daemon. If using the memory plugin you can check out the list of loaded
- plugins with 'pmacct -C'. Don't underestimate the importance of 'snaplen', 'pmacctd_flow_buffer_size',
- and 'pmacctd_flow_buffer_buckets' values; get the time to take a read about them in the CONFIG-KEYS
- document.
+ You can now play with the SQL or pmacct client; furthermore, you
+ can add/remove/write patterns and load them by restarting the
+ pmacct daemon. If using the memory plugin you can check out the
+ list of loaded plugins with 'pmacct -C'. Don't underestimate the
+ importance of 'snaplen', 'pmacctd_flow_buffer_size', and
+ 'pmacctd_flow_buffer_buckets' values; get the time to take a read
+ about them in the CONFIG-KEYS document.
IX. Quickstart guide to setup a NetFlow agent/probe
-pmacct 0.11.0 sees the introduction of new probing capabilities, both on NetFlow and sFlow sides.
-Exporting traffic data from multiple probes through NetFlow to a collector (one or a set of them)
-is efficient and highly beneficial from a network management standpoint. NetFlow v9 adds further
-flexibility by allowing to transport custom informations (for example, pmacctd NetFlow probe can
-send flow classification tag to a remote collector). Now, the quickstarter guide:
+pmacct 0.11.0 sees the introduction of new probing capabilities, both
+on NetFlow and sFlow sides. Exporting traffic data from multiple
+probes through NetFlow to a collector (one or a set of them) is
+efficient and highly beneficial from a network management
+standpoint. NetFlow v9 adds further flexibility by allowing to
+transport custom informations (for example, pmacctd NetFlow probe can
+send flow classification tag to a remote collector). Now, the
+quickstarter guide:
a) usual initial steps: download pmacct, unpack it, compile it.
@@ -433,13 +497,15 @@
! snaplen: 700
!...
- This is very simple (and working) configuration. You can complicate it by adding features. 1) you
- can generate AS numbers by uncommenting 'networks_file' line, crafting a proper Networks File and
- piling up 'src_as,dst_as' to the 'aggregate' directive; 2) you can embed flow classification
- informations in your NetFlow v9 datagrams by uncommenting 'classifiers' and 'snaplen' lines,
- setting up a proper directory for your classification patterns and piling up 'class' to the
- 'aggregate' directive; 3) you can add L2 (MAC addresses, VLANs) informations to your NetFlow v9
- flowsets.
+ This is very simple (and working) configuration. You can complicate
+ it by adding features. 1) you can generate AS numbers by
+ uncommenting 'networks_file' line, crafting a proper Networks File
+ and piling up 'src_as,dst_as' to the 'aggregate' directive; 2) you
+ can embed flow classification informations in your NetFlow v9
+ datagrams by uncommenting 'classifiers' and 'snaplen' lines,
+ setting up a proper directory for your classification patterns and
+ piling up 'class' to the 'aggregate' directive; 3) you can add L2
+ (MAC addresses, VLANs) informations to your NetFlow v9 flowsets.
c) build NetFlow collector configuration, using nfacctd:
!
@@ -458,14 +524,17 @@
X. Quickstart guide to setup a sFlow agent/probe
-pmacct 0.11.0 sees the introduction of new probing capabilities, both on NetFlow and sFlow sides.
-Even if interested in sFlow, take a moment to read the previous chapter. Furthermore, steps a/c/d
-will be cut as they are very similar to the previous example. sFlow relies heavily on random packet
-sampling rather than joining proper sets of packets into shared flows; this less-stateful and light
-approach makes it a valuable export protocol expecially tailored for high-speed networks. Further,
-you can exploit the great flexibility offered by sFlow v5 for, ie., embedding packet classification
-informations or adding basic (ie. src_as, dst_as) Extended Gateway informations through the use of
-a 'networks_file'. Now, the quickstarter guide:
+pmacct 0.11.0 sees the introduction of new probing capabilities, both
+on NetFlow and sFlow sides. Even if interested in sFlow, take a
+moment to read the previous chapter. Furthermore, steps a/c/d will be
+cut as they are very similar to the previous example. sFlow relies
+heavily on random packet sampling rather than joining proper sets of
+packets into shared flows; this less-stateful and light approach makes
+it a valuable export protocol expecially tailored for high-speed
+networks. Further, you can exploit the great flexibility offered by
+sFlow v5 for, ie., embedding packet classification informations or
+adding basic (ie. src_as, dst_as) Extended Gateway informations
+through the use of a 'networks_file'. Now, the quickstarter guide:
b) build sFlow probe configuration, using pmacctd:
!
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
