Hi Hiep,

sum_port may somehow come to the rescue but ymmv with it; it may very
well start doing sums for all ports, i.e. 18051, 55932, 55933, etc. So
18051 will contain your 8 packets but then, unless port 18051 is
meaningful to you, so that you can trash all the rest (on query), it may
lead to problems, i.e. over-counting of traffic if you ever dare doing
totals. Most probably you are looking for an ad-hoc feature for this -
for which I'd be looking for some extra information, i.e. how to do the
grouping? By volume? By filtering? etc., that we can exchange 1:1.

Cheers,
Paolo

On Tue, Nov 01, 2016 at 03:00:27PM +0000, Hiep Huynh wrote:
> 
> Greetings Paolo,
> 
> 
> Currently, pmacctd reports traffic going each direction as follows when 
> aggregating on src_host, dst_host, src_port, dst_port, and protocol:
> 
> SRC_IP           DST_IP           SRC_PORT  DST_PORT  PROTOCOL    PACKETS  BYTES
> 10.0.22.19       10.0.22.163      55932     18051     tcp         2        1445
> 10.0.22.163      10.0.22.19       18051     55932     tcp         1        1371
> 10.0.22.19       10.0.22.163      55933     18051     tcp         4        6904
> 10.0.22.163      10.0.22.19       18051     55933     tcp         1        290
> 
> We can see that 10.0.22.19 is a client that's opening random ports in order 
> to communicate to the same service port (18051) on 10.0.22.163. The service 
> on 18051 responds in return resulting in traffic going the opposite 
> direction. My DESIRED RESULT would be the summation of all traffic involving 
> a detected common destination port (in this case 18051):
> 
> SRC_IP           DST_IP           DST_PORT  PROTOCOL    PACKETS  BYTES
> 10.0.22.19       10.0.22.163      18051     tcp         8        10010
> 
> 
> If I omit src_port then aggregate only on src_host, dst_host, dst_port, and 
> protocol, I get the following output that has two extra rows that I would 
> like to be summed into the first row:
> 
> SRC_IP           DST_IP           DST_PORT  PROTOCOL    PACKETS  BYTES
> 10.0.22.19       10.0.22.163      18051     tcp         6        8349
> 10.0.22.163      10.0.22.19       55932     tcp         1        1371
> 10.0.22.163      10.0.22.19       55933     tcp         1        290
> 
> 
> Is there a way for pmacctd to track the traffic and group the flows to 
> produce an aggregate like my desired result? Can anyone suggest how this can 
> be accomplished WITHIN pmacctd using any combination of config 
> keys/directives like aggregate, pcap_filter, aggregate_filters, etc...?
> 
> 
> 
> Grazie!
> 

> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
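Paolo asks how the grouping should be decided; one rule that reproduces Hiep's desired row from his per-flow table is to fold both directions of every flow onto the endpoint that talks to the most distinct peers (the service side), with the lower port number as tie-break. This is an added Python example written for this thread, not pmacct's own code: it is a post-processing step over pmacctd's per-flow output rather than anything inside the daemon, and the fan-out heuristic, the tie-break and the sample rows are assumptions.

```python
from collections import defaultdict

# Constructed sample rows, copied from the per-flow table in the thread:
# (src_ip, dst_ip, src_port, dst_port, proto, packets, bytes)
FLOWS = [
    ("10.0.22.19", "10.0.22.163", 55932, 18051, "tcp", 2, 1445),
    ("10.0.22.163", "10.0.22.19", 18051, 55932, "tcp", 1, 1371),
    ("10.0.22.19", "10.0.22.163", 55933, 18051, "tcp", 4, 6904),
    ("10.0.22.163", "10.0.22.19", 18051, 55933, "tcp", 1, 290),
]


def service_endpoints(flows):
    """Count distinct peers per (ip, port, proto) endpoint.

    Heuristic (an assumption of this example): the endpoint that talks to
    the most distinct peers is the service side; a client's ephemeral port
    only ever talks to one peer.
    """
    peers = defaultdict(set)
    for src_ip, dst_ip, sport, dport, proto, _, _ in flows:
        peers[(src_ip, sport, proto)].add((dst_ip, dport))
        peers[(dst_ip, dport, proto)].add((src_ip, sport))
    return {ep: len(p) for ep, p in peers.items()}


def group_by_service_port(flows):
    """Fold both directions of each connection into one row keyed on
    (client_ip, server_ip, server_port, proto), summing packets and bytes."""
    fan_out = service_endpoints(flows)
    totals = {}
    for src_ip, dst_ip, sport, dport, proto, pkts, byts in flows:
        src_ep, dst_ep = (src_ip, sport, proto), (dst_ip, dport, proto)
        # Higher fan-out wins; on a tie the lower port is assumed to be the service.
        src_is_service = (fan_out[src_ep], -sport) > (fan_out[dst_ep], -dport)
        if src_is_service:
            key = (dst_ip, src_ip, sport, proto)   # reply traffic: flip it
        else:
            key = (src_ip, dst_ip, dport, proto)   # client -> service
        p, b = totals.get(key, (0, 0))
        totals[key] = (p + pkts, b + byts)
    return totals


if __name__ == "__main__":
    print("SRC_IP           DST_IP           DST_PORT  PROTOCOL  PACKETS  BYTES")
    for (cli, srv, port, proto), (p, b) in sorted(group_by_service_port(FLOWS).items()):
        print(f"{cli:<16} {srv:<16} {port:<9} {proto:<9} {p:<8} {b}")
```

On the four rows above this yields the single row 10.0.22.19 -> 10.0.22.163 port 18051 with 8 packets and 10010 bytes; note that a service port seen with only one peer in the accounting window ties with the client's ephemeral port and falls back to the lower-port rule.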
