Hello Soffi,

I would try with a setup like the following one:

...
networks_file: <your_AS_file>
plugin_pipe_size: 1024000
plugin_buffer_size: 8192
plugins: mysql[in], mysql[out]
!
aggregate[in]: dst_host,src_as
aggregate_filter[in]: dst net 157.157.x.x/24
sql_table[in]: acct_in
!
aggregate[out]: src_host,dst_as
aggregate_filter[out]: src net 157.157.x.x/24
sql_table[out]: acct_out
...

So, let's give some explanations on it. The choice of MySQL is just personal. The above configuration spawns two plugins: the 'out' plugin logs the traffic produced by each host on your network in the 'acct_out' table; destinations are clustered into AS numbers (specified in the networks definition file; don't forget to insert your own 157.157.x.x network into the list). The 'in' plugin, which logs into the 'acct_in' table, does the reverse.

The configuration is also 'scalable' in the sense that joining up the results of the two tables should be simple and would let you get both total traffic per host and statistics about the whole network. Moreover, when a host on your network contacts (or is contacted by) a host which is outside the AS numbers listed in the 'networks_file', then the remote host is rewritten as '0', which is a pretty way to express the 'rest of the world'.

Hope it helps.

Cheers,
Paolo
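
The joining of the two tables mentioned above, as an added example that is not part of the original message or of pmacct itself. It assumes a simplified table layout (columns `host`, `peer_as`, `bytes`) rather than the real SQL schema, and uses constructed rows with documentation addresses and AS numbers.

```python
import sqlite3

# Constructed sample rows. Column layout (host, peer_as, bytes) is an
# assumption made for this example, not pmacct's real SQL table schema.
ACCT_IN = [   # written by the 'in' plugin: dst_host, src_as
    ("192.0.2.10", 64500, 1200),
    ("192.0.2.10", 0, 300),      # AS 0: peer not listed in networks_file
    ("192.0.2.20", 64501, 5000),
]
ACCT_OUT = [  # written by the 'out' plugin: src_host, dst_as
    ("192.0.2.10", 64500, 800),
    ("192.0.2.20", 0, 150),
    ("192.0.2.30", 64501, 70),   # host that only sent traffic
]

def load(rows_in, rows_out):
    """Build an in-memory database holding both accounting tables."""
    db = sqlite3.connect(":memory:")
    for table, rows in (("acct_in", rows_in), ("acct_out", rows_out)):
        db.execute(f"CREATE TABLE {table} (host TEXT, peer_as INTEGER, bytes INTEGER)")
        db.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", rows)
    return db

def per_host_totals(db):
    """Bytes received and sent by each local host."""
    # UNION ALL instead of an inner JOIN keeps hosts seen in only one table.
    return db.execute("""
        SELECT host, SUM(rx), SUM(tx)
        FROM (SELECT host, bytes AS rx, 0 AS tx FROM acct_in
              UNION ALL
              SELECT host, 0, bytes FROM acct_out)
        GROUP BY host ORDER BY host""").fetchall()

def per_as_totals(db):
    """Whole-network bytes exchanged with each remote AS (0 = rest of the world)."""
    return db.execute("""
        SELECT peer_as, SUM(bytes)
        FROM (SELECT peer_as, bytes FROM acct_in
              UNION ALL
              SELECT peer_as, bytes FROM acct_out)
        GROUP BY peer_as ORDER BY peer_as""").fetchall()

if __name__ == "__main__":
    db = load(ACCT_IN, ACCT_OUT)
    for row in per_host_totals(db):
        print("host %s in=%d out=%d" % row)
    for row in per_as_totals(db):
        print("AS %d bytes=%d" % row)
```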
