Hello guys,
I'm happy to share with you some news about the next release of pmacct.
The 0.9 release ended with the year 2005 and a very stable version,
0.9.6.
The main thing to notice for the upcoming 0.10.0 release will be the
introduction of a pair of new strictly connected features:
* a packet classification engine; classification happens against the
application layer data (that is, packet payload) and is based on
regular expression patterns from the great L7-filter project.
Patterns for widespread protocols are just a click away; they just need
to be downloaded from http://l7-filter.sourceforge.net/protocols .
* Connection tracking modules that will allow better classification
for protocols that use a control channel to spawn data channels (e.g.
for file transfers, voice stream, etc.) like ftp.
I wish to let you know that a first pre-release of the 0.10.0rc1 (which
I hope to roll out early next week) is available for download at the
following URL (not linked from the homepage):
http://www.ba.cnr.it/~paolo/pmacct/pmacct-0.10.0rc1-20060120.tar.gz
It seems stable and working to my eyes. Documentation about the new
features is quite final. Even if starting from tomorrow and for the
next week I will be less responsive than usual, I will be happy
to hear from you about the work done: criticism, comments, reports, etc.
RC1 does not include connection tracking modules. There is much work
still to do and before the very-very-final 0.10.0, I think we will see
an RC2 around. Pending items include a general refurbishment of
Pre-Tagging capabilities as suggested by Nitzan Tzelniker.
Let me append a fragment of text from the quickstart guide for packet
classification included in the EXAMPLES:
===
a) download pmacct
shell> wget http://www.ba.cnr.it/~paolo/pmacct/pmacct-x.y.z.tar.gz
b) compile pmacct
shell> cd pmacct-x.y.z; ./configure && make && make install
c) download required classifiers: point your browser to
http://l7-filter.sourceforge.net/protocols/ then:
shell> cd /path/to/classifiers/
shell> wget http://l7-filter.sourceforge.net/layer7-protocols/protocols/protocol.pat
d-1) build pmacct configuration, a memory table example:
!
daemonize: true
interface: eth0
aggregate: flows, class
plugins: memory
classifiers: /path/to/classifiers/
snaplen: 200
!...
d-2) build pmacct configuration, a SQL example:
!
daemonize: true
interface: eth0
aggregate: flows, class
plugins: mysql
classifiers: /path/to/classifiers/
snaplen: 200
sql_history: 1h
sql_history_roundoff: h
sql_table_version: 5
sql_aggressive_classification: true
!...
===
They are very basic configurations; however, just as an example, take
a look at the following output:
pmacct=> SELECT class_id, packets, bytes, flows FROM acct_v5 \
ORDER BY bytes DESC;
     class_id     | packets  |    bytes    |  flows
------------------+----------+-------------+---------
 nntp             | 14245024 | 14758424124 |     328
 http             | 11678078 |  8722217631 |  428388
 edonkey          |  8292778 |  5909051438 |  248356
 smtp             | 15460997 |  4061993913 |  952535
 bittorrent       |  5657424 |  3125259957 |    7778
 ssh              |  2437588 |  2245904695 |     152
 pop3             |  2214084 |  1599612194 |   35480
 unknown          |  1566522 |  1015851210 |  124392
 gnutella         |  1072512 |   856039552 |    8764
 ssl              |   735057 |   443689492 |   29884
 dns              |  1818847 |   169026637 |  300773
 rtsp             |   434255 |   132161314 |      38
 shoutcast        |   171207 |    94609757 |       6
 nbns             |   370644 |    73851248 |   14389
 ftp              |   134655 |    48444983 |    1276
 imap             |   158833 |    47392297 |     432
 smb              |    36661 |     8207056 |   17797
 msn-msgr         |    65498 |     4852394 |     344
 fasttrack        |     3140 |     2544228 |      30
 telnet           |    29133 |     2005704 |      44
 yahoo            |     4484 |      438868 |      16
 aim              |     3412 |      308644 |     110
 socks            |     2161 |      265721 |     744
 jabber           |     1016 |      117596 |       4
 x11              |      201 |       17115 |      26
 vnc              |        9 |         496 |       2
(26 rows)
Cheers,
Paolo
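
Added example, not part of the original message and not pmacct or L7-filter code: regex classification of payload bytes using pattern files in the .pat layout, showing how the snaplen setting from the configurations above limits what a pattern can see. The sample patterns and flows, the 54-byte header size and the case-insensitive matching are assumptions constructed for illustration.

```python
import re

# Constructed pattern files in the L7-filter .pat layout: '#' lines are comments,
# the first remaining line is the protocol name, the second is its regex.
# These regexes are simplified stand-ins, not the L7-filter project's patterns.
SAMPLE_PATS = {
    "ssh.pat": "# constructed sample\nssh\n^ssh-[12]\\.[0-9]\n",
    "http.pat": "# constructed sample\nhttp\n^(get|post|head) [^ ]+ http/1\\.[01]\n",
    "ftp.pat": "# constructed sample\nftp\n^220[ -].*ftp\n",
}
HEADERS = 14 + 20 + 20  # assumed Ethernet + IPv4 + TCP headers, no options

def parse_pat(text):
    """Return (protocol name, compiled regex) for the text of one .pat file."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    if len(lines) < 2:
        raise ValueError("expected a protocol name line and a regex line")
    # Assumption: patterns match case-insensitively and '.' spans newlines.
    return lines[0], re.compile(lines[1].encode(), re.IGNORECASE | re.DOTALL)

def classify(payload, classifiers, snaplen=None):
    """Name the first pattern matching the payload bytes that survive snaplen."""
    data = payload if snaplen is None else payload[:max(snaplen - HEADERS, 0)]
    for name, rx in classifiers:
        if rx.search(data):
            return name
    return "unknown"

def tally(flows, classifiers, snaplen=None):
    """Sum bytes per class, largest first, like the class_id/bytes columns above."""
    totals = {}
    for payload, nbytes in flows:
        cls = classify(payload, classifiers, snaplen)
        totals[cls] = totals.get(cls, 0) + nbytes
    return sorted(totals.items(), key=lambda kv: -kv[1])

CLASSIFIERS = [parse_pat(text) for _, text in sorted(SAMPLE_PATS.items())]
LONG_GET = b"GET /" + b"a" * 300 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"
FLOWS = [  # constructed (first payload, total bytes) pairs
    (b"SSH-2.0-OpenSSH_4.2\r\n", 5000),
    (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", 1200),
    (LONG_GET, 90000),
    (b"220 ProFTPD Server ready\r\n", 300),
    (b"\x13BitTorrent protocol", 40000),  # no pattern loaded for it: unknown
]

for snaplen in (None, 200):
    print(snaplen, tally(FLOWS, CLASSIFIERS, snaplen))
```

With snaplen 200 the long HTTP request is cut before the part its pattern needs, so its bytes move from http to unknown; a growing unknown class after a configuration change is worth checking against the capture length.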