On Mon, Apr 10, 2006 at 09:27:53PM +0100, Gaby vanhegan wrote:
> On 10 Apr 2006, at 17:29, Joachim Schipper wrote:
>
> >> The only problem here is that I'm running 3.6 and pmacct requires
> >> libpcap >= 0.6, and 0.3 is what I have. I can't do an upgrade at the
> >> moment, there's too many variables, but if I were to build libpcap
> >> from source, would it clobber the version that's currently installed
> >> and break other programs?
> >
> > The OpenBSD libpcap is a pretty heavily hacked version - most should be
> > in it.
>
> It appears to be missing the function pcap_open_dead(), so I presume
> the 3.6 libpcap version is a touch behind the 0.6 version that pmacct
> requires.
>
> > Of course, that looks like it's time for a port. ;-)
> > Or just go with pfflowd, or somesuch.
>
> I already had a nice little system setup using pmacct to dump data
> into an SQL db. It would seem that using pfflowd and flowd together
> could replace that part of the system, and the data analysis part
> remains the same.
>
> The only difference here is that pfflowd would capture traffic at the
> firewall stage, whereas pmacct captures it directly at the
> interface. A little more glue required, but it could be made to do
> the same job.

Actually, since the firewall would do most of the packet processing,
it's quite likely to be faster, too.

Joachim