VERSION.
0.9.1
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to measure,
account and aggregate IPv4 and IPv6 traffic; aggregation revolves around
the key concept of primitives (VLAN id, source and destination MAC
addresses, hosts, networks, ports, AS numbers, IP protocol and ToS/DSCP
field are supported) which may be arbitrarily combined to build custom
aggregation methods; support for historical data breakdown, triggers and
packet tagging, filtering, sampling. Aggregates can be stored into
memory tables, SQL databases (MySQL or PostgreSQL) or simply pushed to
stdout. Data is collected from the network either using libpcap (and
optionally promiscuous mode)or reading Netflow v1/v5/v7/v8/v9 and sFlow
v2/v4/v5 datagrams.
HOMEPAGE.
http://www.ba.cnr.it/~paolo/pmacct/
CHANGELOG.
+ Probabilistic, flow size dependent sampling has been introduced into
the 'sql_preprocess' tier via the new 'fss' keyword: it is computed
against the bytes counter and returns renormalized results. Aggregates
which have collected more than the 'fss' threshold in the last time
window are sampled. Those under the threshold are sampled with probability
p(bytes). For further details read the CONFIG-KEYS and the paper:
- N.G. Duffield, C. Lund, M. Thorup, "Charging from sampled network
usage", http://www.research.att.com/~duffield/pubs/DLT01-usage.pdf
+ Probabilistic sampling under hard resource constraints has been
introduced into the 'sql_preprocess' tier via the new 'fsrc' keyword:
it is computed against the bytes counter and returns renormalized
results. The method selects only 'fsrc' flows from the set of the
flows collected during the last time window, providing an unbiasied
estimate of the real bytes counter. For further details read the
CONFIG-KEYS and the paper:
- N.G. Duffield, C. Lund, M. Thorup, "Flow Sampling Under Hard Resource
Constraints",
http://www.research.att.com/~duffield/pubs/DLT03-constrained.pdf
+ A new 'networks_mask' configuration directive has been introduced: it
allows to specify a network mask - in bits - to be applied apply to
src_net and dst_net primitives. The mask is applied before evaluating
the content of 'networks_file' (if any).
+ Added a new signal handler for SIGUSR1 in pmacctd: a 'killall -USR1
pmacctd' now returns a few statistics via either console or syslog; the
syslog level reserved for such purpose is the NOTICE.
! sfacctd: an issue regarding non-IP packets has been fixed: some of them
(mainly ARPs) were incorrectly reported. Now they are properly filtered
out.
! A minor memory leak has been fixed; it was affecting running instances
of pmacctd, nfacctd and sfacctd with multiple plugins attached. Now
resources are properly recollected.
NOTES.
None.
Cheers,
Paolo
