Hi!
I would like to account data (src_ip, dst_ip, src_port, dst_port,
ip_proto, tcp_flags and time) to a MySQL database. Every packet should go
in a new row (no UPDATEs, only INSERTs).
My configuration:
daemonize: true
pidfile: /var/run/pmacctd.pid
syslog: daemon
promisc: true
interface: eth2
aggregate[kancelaria]: src_host, dst_host, src_port, dst_port, proto, tcpflags
plugins: mysql[kancelaria]
sql_db: pmacct
sql_optimize_clauses: true
sql_table[kancelaria]: kancelaria
sql_user: root
sql_passwd: toor
sql_dont_try_update: true
sql_refresh_time: 1
sql_history: 1d
Table:
create table pmacct.kancelaria (
id INT(4) UNSIGNED NOT NULL AUTO_INCREMENT,
ip_src CHAR(15) NOT NULL,
ip_dst CHAR(15) NOT NULL,
src_port INT(2) UNSIGNED NOT NULL,
dst_port INT(2) UNSIGNED NOT NULL,
ip_proto CHAR(6) NOT NULL,
tcp_flags INT(4) UNSIGNED NOT NULL,
packets INT UNSIGNED NOT NULL,
bytes BIGINT UNSIGNED NOT NULL,
stamp_inserted DATETIME NOT NULL,
stamp_updated DATETIME,
PRIMARY KEY (id)
) TYPE=MyISAM AUTO_INCREMENT=1;
Some data:
mysql> select * from kancelaria limit 20;
+----+--------------+--------------+----------+----------+----------+-----------+---------+-------+---------------------+---------------------+
| id | ip_src       | ip_dst       | src_port | dst_port | ip_proto | tcp_flags | packets | bytes | stamp_inserted      | stamp_updated       |
+----+--------------+--------------+----------+----------+----------+-----------+---------+-------+---------------------+---------------------+
|  1 | 192.168.56.1 | 192.168.56.2 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:07 |
|  2 | 192.168.56.2 | 192.168.56.1 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:07 |
|  3 | 192.168.56.1 | 192.168.56.2 |     2644 |       22 | tcp      |        24 |      24 |  2136 | 2010-08-16 20:05:00 | 2010-08-16 20:33:07 |
|  4 | 192.168.56.2 | 192.168.56.1 |       22 |     2644 | tcp      |        24 |      31 |  3328 | 2010-08-16 20:05:00 | 2010-08-16 20:33:07 |
|  5 | 192.168.56.1 | 192.168.56.2 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:08 |
|  6 | 192.168.56.2 | 192.168.56.1 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:08 |
|  7 | 192.168.56.1 | 192.168.56.2 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:09 |
|  8 | 192.168.56.2 | 192.168.56.1 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:09 |
|  9 | 192.168.56.1 | 192.168.56.2 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:10 |
| 10 | 192.168.56.2 | 192.168.56.1 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:10 |
| 11 | 192.168.56.1 | 192.168.56.2 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:11 |
| 12 | 192.168.56.2 | 192.168.56.1 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:11 |
| 13 | 192.168.56.1 | 192.168.56.2 |     2644 |       22 | tcp      |        24 |       4 |   264 | 2010-08-16 20:05:00 | 2010-08-16 20:33:12 |
| 14 | 192.168.56.2 | 192.168.56.1 |       22 |     2644 | tcp      |        24 |       2 |   888 | 2010-08-16 20:05:00 | 2010-08-16 20:33:12 |
| 15 | 192.168.56.1 | 192.168.56.2 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:12 |
| 16 | 192.168.56.2 | 192.168.56.1 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:12 |
| 17 | 192.168.56.1 | 192.168.56.2 |     2644 |       22 | tcp      |        24 |      10 |   712 | 2010-08-16 20:05:00 | 2010-08-16 20:33:13 |
| 18 | 192.168.56.2 | 192.168.56.1 |       22 |     2644 | tcp      |        24 |       6 |   984 | 2010-08-16 20:05:00 | 2010-08-16 20:33:13 |
| 19 | 192.168.56.1 | 192.168.56.2 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:13 |
| 20 | 192.168.56.2 | 192.168.56.1 |        0 |        0 | icmp     |         0 |       1 |    60 | 2010-08-16 20:05:00 | 2010-08-16 20:33:13 |
+----+--------------+--------------+----------+----------+----------+-----------+---------+-------+---------------------+---------------------+
20 rows in set (0.00 sec)
PROBLEM:
Why is the number of packets more than one in some records?
Kind regards
Borys
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists