Hello Gabriele,

On Mon, Oct 10, 2005 at 11:24:03AM +0200, [EMAIL PROTECTED] wrote:
> I'm running Debian 3.1, so I'm using pmacct v 0.7.4. I don't need all
> the $things_for_the_big_boys pmacct provides, so I'm happy with this old
> version( lazy to recompile ;) ).

hehe, the latest pmacct versions have the same dependencies as the older ones: libpcap, plus the MySQL and/or PostgreSQL libraries if you wish to enable such plugins. In my (very) personal opinion, upgrading to 0.8.8 would be a good idea.

> 1 - I have tried sql_history=365d. Does this mean that if a similar
> transaction occurs again in 365days, it will not be a new record, but
> pmacct will update the above two records ?

Precisely. If you also play around with the 'sql_history_roundoff' key, you will be able to see a nice '01-01-2005 00:00:00' in your stamp_inserted field (depending on the daylight saving settings it may happen that you will see '31-12-2004 23:00:00'):

sql_history: 365d
sql_history_roundoff: M

Then, after one year a new record will be started. The two timestamp fields work as follows: 'stamp_inserted' records the basetime of the actual historical timeslot (sql_history and sql_history_roundoff) and 'stamp_updated' records the last time something has been written into such record.

> 2 - Does pmacct have the possibility to log totals for _every_ tcp
> transaction, I mean SYN, SYN/ACK, data...., END ? (Ok, if you prefer i
> reformulate the question: how does pmacct log totals for two ports pair ?)

No, pmacct does not support sessions and tcp flags (it's just half the truth, but they aren't used for such purposes). Some Pre-Tagging rules may be arranged to figure out how many times your services get contacted (for example by counting SYNs) but definitely pmacct is not aimed to do either deep packet inspection or session reconstruction.

> 2 - I've seen in the docs that, if I wish to differentiate inbound and
> outbound traffic, I have to log to different database tables using:
>
> aggregate[inbound]: dst_host
> aggregate[outbound]: src_host
> plugins: mysql[inbound], mysql[outbound]
> sql_table[inbound]: acct_in
> sql_table[outbound]: acct_out
>
> Is this the only way ? No in/out column ?

Using SQL tables >= v2 you have the 'agent_id' field which is aimed to contain some tags (computed/assigned by Pre-Tagging and Post-Tagging). Tags may express the concept of direction by intercepting either incoming or outgoing traffic: the alternative way to go is using Pre-Tagging as follows:

pmacctd.conf:
===
...
aggregate: tag,src_host,dst_host
plugins: mysql
sql_table: acct_v2
sql_table_version: 2
pre_tag_map: pretag.map
networks_file: networks.lst
...
===

pretag.map
===
id=1 filter='src net <your local network>'
id=2 filter='dst net <your local network>'
===

networks.lst
===
<your local network>
===

Examples of pretag.map and networks.lst are available in the 'examples' tree of any pmacct tarball (once more, use a recent version). Pre-Tagging allows you to assign the ID '1' to outgoing traffic and '2' to incoming one. The networks file allows you to push out from your aggregates foreign hosts/networks. Just one plugin, just one table, slightly more complicated configuration.

Cheers,
Paolo
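The following is an added example, not part of the mail thread or of pmacct itself: a small Python model of the single-table direction tagging Paolo describes (pretag.map id=1 for 'src net', id=2 for 'dst net', aggregated on tag,src_host,dst_host, with flows foreign on both ends pushed out as the networks file would). The local network 192.0.2.0/24 and the flow records are constructed stand-ins for '<your local network>' and real captured traffic, and first-match evaluation of the map is an assumption of this model.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Assumed local network: stands in for '<your local network>' in pretag.map / networks.lst
LOCAL_NET = ip_network("192.0.2.0/24")

# The two pretag.map rules from the reply, in file order
PRETAG_RULES = (
    (1, "src"),  # id=1 filter='src net <local>'  -> outgoing traffic
    (2, "dst"),  # id=2 filter='dst net <local>'  -> incoming traffic
)

def pre_tag(src, dst, rules=PRETAG_RULES, local=LOCAL_NET):
    """Return the id of the first matching rule, or 0 if none matches.

    Assumption of this model: rules are evaluated in order and the first
    match wins, so a flow local on both ends is tagged 1 (outgoing).
    """
    for tag_id, side in rules:
        if ip_address(src if side == "src" else dst) in local:
            return tag_id
    return 0

def aggregate(flows):
    """Aggregate (src, dst, packets, bytes) records by (tag, src_host, dst_host).

    Untagged flows (neither end local) are dropped, mirroring what the
    networks file does: foreign-to-foreign traffic never reaches the table.
    """
    table = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, packets, nbytes in flows:
        tag = pre_tag(src, dst)
        if tag == 0:
            continue
        row = table[(tag, src, dst)]
        row["packets"] += packets
        row["bytes"] += nbytes
    return dict(table)

def direction_totals(table):
    """Sum bytes per direction from the agent_id-style tag: 1 = out, 2 = in."""
    totals = {1: 0, 2: 0}
    for (tag, _src, _dst), row in table.items():
        totals[tag] += row["bytes"]
    return totals

# Constructed sample flows: (src, dst, packets, bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 10, 1500),   # outgoing
    ("198.51.100.5", "192.0.2.10", 8, 9000),    # incoming
    ("192.0.2.10", "198.51.100.5", 5, 500),     # same pair again: row is updated, not added
    ("203.0.113.7", "198.51.100.9", 3, 300),    # foreign on both ends: pushed out
]

if __name__ == "__main__":
    for key, row in sorted(aggregate(SAMPLE_FLOWS).items()):
        print(key, row)
    print(direction_totals(aggregate(SAMPLE_FLOWS)))
```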
