Hi Stathis, Inline:
On Tue, Feb 04, 2014 at 02:09:05PM +0200, Stathis Gkotsis wrote:
> I am mainly interested in TCP. I would like the final export to contain one
> line per src_host,dst_host,src_port,dst_port,proto combination, along with
> the start timestamp of the corresponding TCP connection (e.g. timestamp of
> the SYN packet) and the end timestamp of the session if it has ended (e.g.
> timestamp of the FIN or RST packet). Is this possible?

As I was saying, yes.

> Which timestamps are the timestamp_start and timestamp_end in the case of
> connectionless transport protocols, e.g. UDP?

timestamp_start intuitively represents the first packet captured of a
connectionless transport protocol flow. timestamp_end is set based on
timeouts. You can check and/or re-set timeout values by looking at the
nfprobe_timeouts config directive description in the CONFIG-KEYS doc.

Cheers,
Paolo

> > Date: Mon, 3 Feb 2014 23:09:20 +0000
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: [pmacct-discussion] TCP connection start timestamp and duration
> >
> > Hi Stathis,
> >
> > You do not outline what capturing method you intend to
> > use, i.e. libpcap, NetFlow/IPFIX, sFlow, etc. If using NetFlow/
> > IPFIX you are sorted already, as you just add timestamp_start
> > and timestamp_end to your aggregation method to the quintuple.
> >
> > If using libpcap, well, a NetFlow probe helps precisely with
> > creating flows out of sniffed packets. pmacct has a 'nfprobe'
> > plugin for this. So the solution would be: pmacctd sniffs on
> > an interface and is configured with a 'nfprobe' plugin that
> > exports flows to a nfacctd daemon (co-located on the same box
> > or on a different box) which, in turn, is configured to save
> > data to the preferred backend and aggregate on the quintuple
> > plus timestamp_start, timestamp_end.
> >
> > If using sFlow you might have an issue capturing the flags,
> > depending on how heavily you sample. Let me know if you are
> > in this case.
> >
> > Cheers,
> > Paolo
> >
> > On Mon, Feb 03, 2014 at 11:28:55PM +0200, Stathis Gkotsis wrote:
> > > Hi,
> > > Let's say we configure pmacct to aggregate on: src ip, src port, dst ip,
> > > dst port, proto. That means that it will produce flow records aggregating
> > > on the TCP quintuple.
> > > Would it be possible to get the start timestamp (time of TCP SYN) of a
> > > TCP connection? Similarly, would it be possible to get the duration of a
> > > connection (possibly the timestamp of FIN)? Are any of these things
> > > possible through pmacct?
> > > Thank you.
> > >
> > > _______________________________________________
> > > pmacct-discussion mailing list
> > > http://www.pmacct.net/#mailinglists
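A minimal pair of pmacct configuration files for the libpcap layout Paolo describes (pmacctd with the nfprobe plugin exporting flows to a co-located nfacctd that aggregates on the quintuple plus timestamp_start and timestamp_end), added here as an illustration and not taken from the thread or from the pmacct project's own docs. The interface, addresses, port, output path and timeout numbers are assumptions; nfprobe_timeouts is the directive named in the reply above.

```conf
# --- pmacctd.conf (assumed filename) ---
# Sniff on an interface and turn packets into NetFlow v9 flows.
daemonize: false
interface: eth0                      # assumption: capture interface
plugins: nfprobe
nfprobe_receiver: 127.0.0.1:2100     # assumption: nfacctd on the same box
nfprobe_version: 9
# Flow expiry is what sets timestamp_end. Entry names follow the
# nfprobe_timeouts directive; the values (seconds) are example choices.
# tcp.fin / tcp.rst govern flows in which a FIN or RST has been seen,
# udp governs idle expiry of connectionless flows.
nfprobe_timeouts: tcp=3600:tcp.rst=120:tcp.fin=300:udp=300:icmp=300:general=3600:maxlife=604800:expint=60

# --- nfacctd.conf (assumed filename) ---
# Receive the exported flows and write one CSV line per quintuple
# together with the flow's start and end timestamps.
daemonize: false
nfacctd_ip: 127.0.0.1
nfacctd_port: 2100
plugins: print
aggregate: src_host,dst_host,src_port,dst_port,proto,timestamp_start,timestamp_end
print_output: csv
print_refresh_time: 60               # assumption: flush interval in seconds
print_output_file: /var/log/pmacct/flows.csv   # assumption: output path
```

A flow that has not yet expired has no final timestamp_end in the export, so the end of a long-lived TCP session only appears once the relevant timeout (or maxlife) has elapsed on the probe side.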
