Hey Wim,

I think the whole idea behind doing such kind of accounting is to implement 'light' protocol dissectors. You may agree with me that even filtering out many of the ports and counting only packets to ports, say, '80', '25', etc., is just half the story, and it may not point out the real status of who is using what service.

Any kind of dissector has been (and definitely is) out of the scope of pmacct, but we may consider their introduction. For a while I've been silently considering allowing some content-based accounting; I was thinking of external templates (thus, to be loaded in memory at runtime), easy to be user-contributed and extended, rather than the C builtins. The idea would be to run dissectors (but only if required; otherwise work without them); the dissector that matches the packet flags it in a meaningful way (maybe with a small positive integer?); this flag gets written in a new (two bytes large?) field into the DB.

So, does anyone have comments, ideas, experiences or proposals on the topic?

Cheers,
Paolo
