VERSION. 0.9.1
DESCRIPTION. pmacct is a small set of passive network monitoring tools to measure, account and aggregate IPv4 and IPv6 traffic; aggregation revolves around the key concept of primitives (VLAN id, source and destination MAC addresses, hosts, networks, ports, AS numbers, IP protocol and ToS/DSCP field are supported) which may be arbitrarily combined to build custom aggregation methods; support for historical data breakdown, triggers and packet tagging, filtering, sampling. Aggregates can be stored into memory tables, SQL databases (MySQL or PostgreSQL) or simply pushed to stdout. Data is collected from the network either using libpcap (and optionally promiscuous mode)or reading Netflow v1/v5/v7/v8/v9 and sFlow v2/v4/v5 datagrams. HOMEPAGE. http://www.ba.cnr.it/~paolo/pmacct/ CHANGELOG. + Probabilistic, flow size dependent sampling has been introduced into the 'sql_preprocess' tier via the new 'fss' keyword: it is computed against the bytes counter and returns renormalized results. Aggregates which have collected more than the 'fss' threshold in the last time window are sampled. Those under the threshold are sampled with probability p(bytes). For further details read the CONFIG-KEYS and the paper: - N.G. Duffield, C. Lund, M. Thorup, "Charging from sampled network usage", http://www.research.att.com/~duffield/pubs/DLT01-usage.pdf + Probabilistic sampling under hard resource constraints has been introduced into the 'sql_preprocess' tier via the new 'fsrc' keyword: it is computed against the bytes counter and returns renormalized results. The method selects only 'fsrc' flows from the set of the flows collected during the last time window, providing an unbiasied estimate of the real bytes counter. For further details read the CONFIG-KEYS and the paper: - N.G. Duffield, C. Lund, M. Thorup, "Flow Sampling Under Hard Resource Constraints", http://www.research.att.com/~duffield/pubs/DLT03-constrained.pdf + A new 'networks_mask' configuration directive has been introduced: it allows to specify a network mask - in bits - to be applied apply to src_net and dst_net primitives. The mask is applied before evaluating the content of 'networks_file' (if any). + Added a new signal handler for SIGUSR1 in pmacctd: a 'killall -USR1 pmacctd' now returns a few statistics via either console or syslog; the syslog level reserved for such purpose is the NOTICE. ! sfacctd: an issue regarding non-IP packets has been fixed: some of them (mainly ARPs) were incorrectly reported. Now they are properly filtered out. ! A minor memory leak has been fixed; it was affecting running instances of pmacctd, nfacctd and sfacctd with multiple plugins attached. Now resources are properly recollected. NOTES. None. Cheers, Paolo