Hi Paolo,

On Wed, 18 Oct 2006, Paolo Lucente wrote:
>> I'd be interested to know if anyone has combined layer 7 classification with pmacct's traffic aggregation. For example, I would like to combine all Kazaa traffic (per minute) into a single counter.
>
> It's already there, you can take a look at the "VIII. Quickstart guide to packet classifiers" chapter in EXAMPLES.

Thanks for pointing me towards that, and apologies for the delay in replying. I also found a link to [http://www.pmacct.net/classification/] which was quite well hidden on the main pmacct web page :-) and which explained what I needed to know: an overview of how the existing structure works.

> Yes, traffic shaping between interfaces should be better done in kernel. And I fully agree with you: doing the job twice is not a great idea. So, if you can see a way to, say, get the flows from libpcap and classification info from the kernel, just let me/us know as it sounds a good idea!

OK, I have some idea of how this might work. Harald Welte, one of the Netfilter developers, has proposed a system for accounting flows in the kernel as part of Netfilter's Conntrack code. He presented a paper on this at LinuxTag 2005, which unfortunately is not available online in PDF form (since LinuxTag apparently charges for access to conference papers). I generated an HTML version and attached it here:

[http://bmo.aidworld.org/attach/Chris/paper.html]

Basically this means that the Linux kernel will be keeping track of flows, and can notify user space about flow events. Combined with IPP2P or L7-filter, we will have all the information that we need in the kernel, and efficient access to it from user space.

So what I'm considering is to create a new version of pmacctd (like sfacctd, nfacctd) called ctacctd, which reads flow information from the kernel rather than from pcap, etc. Otherwise it would have the same data storage backend and processing tools as the pmacct suite. I hope that it could be included in the pmacct suite, even if it only works on Linux.
The use of Layer 7 inspection in Netfilter gives us a powerful advantage, because we can monitor and shape traffic on the same box, with minimal reclassification. Perhaps it can be ported to the BSDs, etc, if I can figure out how to access the connection tracking system from user space.

I'm currently on contract to an organisation in Kenya which is currently using flowc for traffic monitoring. Flowc has a powerful user interface and graphs, but it's extremely difficult to set up, and only works with Cisco routers using Netflow. I'm considering implementing some of this functionality for the pmacct suite.

I'm still concerned about the performance of the MySQL plugin with threading, so I'm considering providing an option to disable the extra threads, and run updates synchronously.

I'd be very interested to hear your comments on these ideas. Thanks in advance.

Cheers, Chris.
--
(aidworld) chris wilson | chief engineer (http://www.aidworld.org)