Hi,
Let's say I use the following in a pcap pmacctd-in instance :
plugins: mysql[in]
!
networks_file[in]: /usr/local/pmacct/etc/networks.def
aggregate[in]: tag,dst_host
!
sql_db[in]: pmacct
sql_recovery_backup_host[in]: 127.0.0.1
!
sql_table[in]: acct_v2_in_%Y%m%d
sql_optimize_clauses[in]: true
sql_table_schema[in]: /usr/local/pmacct/etc/acct_custom_in.schema
And likewise a pcap pmacctd-out instance :
plugins: mysql[out]
!
networks_file[out]: /usr/local/pmacct/etc/networks.def
aggregate[out]: tag,src_host
!
sql_db[out]: pmacct
sql_recovery_backup_host[out]: 127.0.0.1
!
sql_table[out]: acct_v2_out_%Y%m%d
sql_optimize_clauses[out]: true
sql_table_schema[out]: /usr/local/pmacct/etc/acct_custom_out.schema
So networks.def contains our RIPE assigned prefixes (eg. /17, /18, /19, etc),
and the traffic is aggregated per host (/32) of our own prefix only.
The problem is that I have traffic from our own prefixes coming in from both
sides of the link that is monitored.
And I need to exclude traffic between our own prefixes.
I'm not 100% sure how to accomplish this.
Writing a pcap_filter is not a very viable solution, since networks.def
contains a lot of prefixes.... so it would become very large,
and hence very error prone...
Same seems to be the case for aggregate_filter, unless.... I totally haven't
understood what this option does and how to correctly write it :)
Basically I'm looking for something like this :
ignore_src_to_dst: /usr/local/pmacct/etc/networks.def
And then in very basic pseudo code :
if(match_ignore_src_to_dst(src_addr) && match_ignore_src_to_dst(dst_addr)) {
    # simply ignore this packet since src and dst matches our local network prefixes
    next;
}
Last but not least : I haven't built the above config myself, so I'm not sure
if the 'tag' in 'aggregate' is necessary at this moment ?
Thanks for any hints & advice :)
Best regards,
Wouter
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
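
The check sketched in the pseudo code above, as an added example that is not part of the original post and is not pmacct code: it reads a prefix list, tests whether both ends of a flow fall inside it, and generates the matching pcap filter expression instead of having it written by hand. The file layout (one prefix per line, optional leading comma-separated fields, '!' or '#' comments), the sample prefixes and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the assumed layout; documentation address ranges only.
SAMPLE_NETWORKS_DEF = """\
! constructed example prefixes
192.0.2.0/24
65000,198.51.100.0/25
203.0.113.17/28
2001:db8::/32
"""


def load_prefixes(text):
    """Parse prefixes, zero any host bits, and drop prefixes covered by another."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        # Assumption: the prefix is the last comma-separated field on the line.
        prefix = line.split(",")[-1].strip()
        nets.append(ipaddress.ip_network(prefix, strict=False))
    merged = []
    for version in (4, 6):  # collapse_addresses() rejects mixed IP versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def is_local(addr, prefixes):
    """True when addr lies inside one of the listed prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in prefixes)


def ignore_src_to_dst(src, dst, prefixes):
    """True when both ends are local, i.e. the packet the post wants skipped."""
    return is_local(src, prefixes) and is_local(dst, prefixes)


def build_pcap_filter(prefixes):
    """BPF expression that drops packets whose source and destination are both local."""
    src = " or ".join(f"src net {n}" for n in prefixes)
    dst = " or ".join(f"dst net {n}" for n in prefixes)
    return f"not (({src}) and ({dst}))"


if __name__ == "__main__":
    own = load_prefixes(SAMPLE_NETWORKS_DEF)
    print(build_pcap_filter(own))
```

The printed expression is the kind of string the pcap_filter directive mentioned in the post takes; regenerating it whenever the prefix list changes keeps the two in step.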