Hi Paolo,
thanks for your answer. 
My setup:
  One instance of pmacctd is running with the following configuration:
daemonize: false
aggregate: src_host,dst_host,src_port,dst_port,proto
interface: any
plugins: nfprobe
nfprobe_receiver: 192.168.22.187:10000
nfprobe_version: 9
plugin_pipe_size: 8388608
plugin_buffer_size: 16384


  Another instance of nfacctd is running with the following configuration:
daemonize: false
aggregate: src_host,dst_host,src_port,dst_port,proto,timestamp_start,timestamp_end
nfacctd_ip: 192.168.22.187
nfacctd_port: 10000
plugins: print
print_refresh_time: 30
print_output: csv
print_output_file: /root/pmacct_all/file.%s.%Y%m%d-%H%M.txt
print_time_roundoff: mhd
print_cache_entries: 1008563
plugin_pipe_size: 8388608
plugin_buffer_size: 16384

I am mainly interested in TCP. I would like the final export to contain one 
line per src_host,dst_host,src_port,dst_port,proto combination, along with the 
start timestamp of the corresponding TCP connection (e.g. timestamp of the SYN 
packet) and the end timestamp of the session if it has ended (e.g. timestamp of 
the FIN or RST packet). Is this possible?
Which timestamps are the timestamp_start and timestamp_end in the case of 
connectionless transport protocols, e.g. UDP?

Thank you,
Stathis
> Date: Mon, 3 Feb 2014 23:09:20 +0000
> From: [email protected]
> To: [email protected]
> Subject: Re: [pmacct-discussion] TCP connection start timestamp and duration
> 
> Hi Stathis,
> 
> You do not outline what capturing method you intend to
> use, i.e. libpcap, NetFlow/IPFIX, sFlow, etc. If using NetFlow/
> IPFIX you are sorted already, as you just add timestamp_start
> and timestamp_end, next to the quintuple, to your aggregation method.
> 
> If using libpcap, well, a NetFlow probe helps precisely with
> creating flows out of sniffed packets. pmacct has a 'nfprobe'
> plugin for this. So the solution would be: pmacctd sniffs on
> an interface and is configured with a 'nfprobe' plugin that
> exports flows to a nfacctd daemon (co-located on the same box
> or on a different box) which, in turn, is configured to save
> data to the preferred backend and aggregate on the quintuple
> plus timestamp_start, timestamp_end. 
> 
> If using sFlow you might have an issue capturing the flags,
> depending on how heavily you sample. Let me know if you are
> in this case.
> 
> Cheers,
> Paolo
> 
> On Mon, Feb 03, 2014 at 11:28:55PM +0200, Stathis Gkotsis wrote:
> > Hi,
> > Let's say we configure pmacct to aggregate on: src ip, src port, dst ip, 
> > dst port, proto. That means that it will produce flow records aggregating 
> > on the TCP quintuple.
> > Would it be possible to get the start timestamp (time of TCP SYN) of a TCP 
> > connection? Similarly, would it be possible to get the duration of a 
> > connection (possibly the timestamp of FIN)? Is any of these things possible 
> > through pmacct?
> > Thank you.
> 
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists
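To make the nfprobe role that Paolo describes concrete, here is a small flow-cache model written for this page; it is an added example, not pmacct or nfprobe code, and it does not claim to reproduce pmacct's internals. It applies the generic NetFlow-style rule a probe uses to turn sniffed packets into flow records: a record is keyed by the 5-tuple, its start timestamp is the first packet seen for that key, its end timestamp is the last packet seen, and the record is exported either when a TCP FIN or RST is observed or when the key has been idle for an inactive timeout (which is the only way a UDP flow ever ends). The timeout values, the unidirectional key (a real probe may pair both directions) and the sample traffic are assumptions made for the example.

```python
from dataclasses import dataclass

# Timeouts are illustrative assumptions for this example, not pmacct defaults.
INACTIVE_TIMEOUT = 15.0    # seconds of silence before a flow is exported
ACTIVE_TIMEOUT = 1800.0    # hard cap on a single flow record's lifetime

TCP, UDP = 6, 17
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04


@dataclass
class Packet:
    ts: float        # capture timestamp, seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    flags: int = 0   # TCP flags byte; unused for other protocols


@dataclass
class Flow:
    key: tuple           # (src, dst, sport, dport, proto)
    start: float         # timestamp of the first packet seen for the key
    end: float           # timestamp of the last packet seen for the key
    packets: int = 0
    tcp_flags: int = 0   # OR of all TCP flags seen, as NetFlow v9 reports them


class FlowBuilder:
    """Unidirectional flow cache: one entry per 5-tuple in one direction."""

    def __init__(self):
        self.active = {}
        self.exported = []

    def _export(self, key):
        self.exported.append(self.active.pop(key))

    def expire(self, now):
        """Export flows that have been idle, or alive, for too long."""
        for key, flow in list(self.active.items()):
            if now - flow.end > INACTIVE_TIMEOUT or now - flow.start > ACTIVE_TIMEOUT:
                self._export(key)

    def feed(self, pkt):
        self.expire(pkt.ts)
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        flow = self.active.get(key)
        if flow is None:
            flow = self.active[key] = Flow(key=key, start=pkt.ts, end=pkt.ts)
        flow.end = pkt.ts
        flow.packets += 1
        if pkt.proto == TCP:
            flow.tcp_flags |= pkt.flags
            # FIN or RST ends a TCP flow at once. UDP has no such signal, so a
            # UDP flow only ends by timeout and its end stamp is the last datagram.
            if pkt.flags & (TCP_FIN | TCP_RST):
                self._export(key)

    def flush(self):
        """Export whatever is still open, e.g. at end of capture."""
        for key in list(self.active):
            self._export(key)
        return self.exported


def build_flows(packets):
    """Run packets through the cache in time order; return exported flows."""
    fb = FlowBuilder()
    for pkt in sorted(packets, key=lambda p: p.ts):
        fb.feed(pkt)
    return fb.flush()


def duration(flow):
    return flow.end - flow.start


# Constructed sample traffic (not a real capture): one TCP connection from
# 10.0.0.1 to 10.0.0.2:443 closed with FIN, a short UDP exchange to port 53,
# and a second TCP flow that is still open when the capture ends.
SAMPLE_PACKETS = [
    Packet(100.0, "10.0.0.1", "10.0.0.2", 40000, 443, TCP, TCP_SYN),
    Packet(100.1, "10.0.0.1", "10.0.0.53", 50000, 53, UDP),
    Packet(100.2, "10.0.0.1", "10.0.0.53", 50000, 53, UDP),
    Packet(100.5, "10.0.0.1", "10.0.0.2", 40000, 443, TCP, 0x18),  # PSH|ACK
    Packet(100.3, "10.0.0.1", "10.0.0.53", 50000, 53, UDP),
    Packet(101.2, "10.0.0.1", "10.0.0.2", 40000, 443, TCP, TCP_FIN | 0x10),
    Packet(130.0, "10.0.0.1", "10.0.0.2", 40001, 443, TCP, TCP_SYN),
]

if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        print(f.key, f.start, f.end, f"{duration(f):.1f}s", f.packets, hex(f.tcp_flags))
```

Running it exports three records: the first TCP flow closed by its FIN with start 100.0 and end 101.2, the UDP flow exported by the inactive timeout with start 100.1 and end 100.3, and the second TCP flow flushed at end of input. The TCP_FLAGS field is what lets a collector tell a FIN-terminated flow from one that merely timed out; note that the aggregate keys in the configurations above do not carry the flags, so the end timestamp alone cannot say which of the two happened.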