I use nfacctd+bwstat to count traffic, based on netflow. I have the following lines in my conf-file:

aggregate[in]: dst_host
aggregate[out]: src_host
aggregate_filter[in]: dst net 192.168.88.0/16
aggregate_filter[out]: src net 192.168.88.0/16
plugins: mysql[in], mysql[out]

Still, in MySQL I have (a lot of) lines like the following:

| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 109.107.91.158 | 0 | 0 | ip | 1 | 309 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |
| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 71.228.40.130 | 0 | 0 | ip | 1 | 305 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |
| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 94.24.134.127 | 0 | 0 | ip | 1 | 305 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |
| 0:0:0:0:0:0 | 0:0:0:0:0:0 | 0.0.0.0 | 188.112.79.97 | 0 | 0 | ip | 1 | 305 | 2010-11-10 16:50:00 | 2010-11-10 16:59:02 |

No MACs? I guess it's OK with netflow. But why does it log IPs which have neither src_ip nor dst_ip in 192.168.88.0/16?

Btw, can anybody tell me why I have so many connections to 0.0.0.0? It's a router, it has no brains (not even ping ability). So even if some ugly bruteforcer gets its login|pass, he won't be able to DDoS someone.

--
--------------------------
Yours,
Lockywolf

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
