Hello all
I'm trying to use pmacct on a bridge system with tagged and untagged
mixed traffic.
As results I'm able to obtain:
mysql> select * from flow;
+------+-----------+-----------+----------+----------+----------+---------+-------+---------------------+---------------------+
| vlan | ip_src | ip_dst | src_port | dst_port | ip_proto |
packets | bytes | stamp_inserted | stamp_updated |
+------+-----------+-----------+----------+----------+----------+---------+-------+---------------------+---------------------+
| 0 | 10.0.2.15 | 10.0.2.2 | 22 | 43519 | |
3 | 408 | 2013-05-08 13:39:06 | 2013-05-08 13:39:19 |
| 0 | 10.0.2.15 | 10.0.2.2 | 22 | 44516 | |
127 | 17016 | 2013-05-08 13:31:35 | 2013-05-08 13:39:05 |
| 0 | 10.0.2.15 | 10.0.2.2 | 22 | 44516 | |
40 | 6576 | 2013-05-08 13:39:06 | 2013-05-08 13:39:19 |
| 0 | 10.0.2.2 | 10.0.2.15 | 43519 | 22 | |
3 | 120 | 2013-05-08 13:39:06 | 2013-05-08 13:39:19 |
| 0 | 10.0.2.2 | 10.0.2.15 | 44516 | 22 | |
218 | 13136 | 2013-05-08 13:31:35 | 2013-05-08 13:39:05 |
| 0 | 10.0.2.2 | 10.0.2.15 | 44516 | 22 | |
67 | 4120 | 2013-05-08 13:39:06 | 2013-05-08 13:39:19 |
+------+-----------+-----------+----------+----------+----------+---------+-------+---------------------+---------------------+
6 rows in set (0.00 sec)
where the DB schema (v4 modified) is like this:
root@wheezy-test-pmacct:/etc/pmacct# cat pmacct-create-db_v4_vlan.mysql
drop database if exists pmacct;
create database pmacct;
use pmacct;
drop table if exists flow;
create table flow (
vlan INT(2) SIGNED NOT NULL DEFAULT '-1', -- -1 to differentiate
between tagged and untagged networks
ip_src CHAR(15) NOT NULL,
ip_dst CHAR(15) NOT NULL,
src_port INT(2) UNSIGNED NOT NULL,
dst_port INT(2) UNSIGNED NOT NULL,
ip_proto CHAR(6) NOT NULL,
packets INT UNSIGNED NOT NULL, -- not able to remove this field!!!
bytes BIGINT UNSIGNED NOT NULL, -- not able to remove this field!!!
stamp_inserted DATETIME NOT NULL,
stamp_updated DATETIME,
PRIMARY KEY (vlan, ip_src, ip_dst, src_port, dst_port, ip_proto,
stamp_inserted)
);
and the configuration used:
root@wheezy-test-pmacct:/etc/pmacct# cat pmacctd.conf
! pmacctd configuration
!
!
!
daemonize: true
pidfile: /var/run/pmacctd.pid
syslog: daemon
!
! interested in in and outbound traffic
aggregate: src_host,dst_host,src_port,dst_port,vlan,proto
! on this network
pcap_filter: ip or (vlan and ip)
! on this interface
interface: eth0
!
! storage methods
plugins: mysql
sql_db: pmacct
sql_user: ****
!sql_host: localhost
sql_passwd: ****
sql_table: flow
sql_table_schema: /etc/pmacct/pmacct-create-db_v4_vlan.sql
! refresh the db every minute
!sql_refresh_time: 60
! reduce the size of the insert/update clause
sql_optimize_clauses: true
! accumulate values in each row for up to an hour
sql_history: 1h
! create new rows on the second boundary
sql_history_roundoff: s
! in case of emergency, log to this file
!sql_recovery_logfile: /var/lib/pmacct/pmacctd_recovery_log
logfile: /var/log/pmacctd.log
Now my questions:
1) is possible to have a roundoff value as milliseconds?
2) it is possible to aggregate the rows belonging to the same long
connections, is there any timeout I can use?
3) why the ip_proto fields is always empty?
4) there is a way to fill -1 in the valn fields when a untagged packet
is found?
5) is possible to remove the packets and bytes fields from the DB schema?
6) can you suggest me keys to improve general performances
thank you for clarifying me these questions and pointing me to the right
direction
-vito
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
