Hi,

First, let me say I'm using nfacctd (0.10.3) to receive NetFlow packets from a Packeteer Packetshaper, which is sending NetFlow v5 packets. It also supports two versions of a proprietary format, which I haven't looked into. (maybe a future project...)

Second, let me describe my goal. I want to get a rough idea of how many hosts within my network are active and in use during any specific interval. Once I get some history I can create a web report or something pretty.

So I'm using two instances of an sql plugin: one is aggregating on src_host and the other is aggregating on dst_host. Each has an aggregate filter of my class-b network. Every 15 minutes I push to a local MySQL db. This seems a good balance between memory usage and sql traffic, and the db grows about 15 MB per day.

However, I'm concerned that a large number of flows are ICMP-Unreachable messages in response to invalid connection requests. For my purposes, I'd rather not consider these hosts as "active". But I'm aggregating...

I would like to only use netflow records about certain types of traffic. Is it possible to use some sort of filter to limit which netflow records are evaluated?

Thanks!
-Matt

--
Matt Richard
Access and Security Coordinator
Computing Services
Franklin & Marshall College
[EMAIL PROTECTED]
(717) 291-4157

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
