Discussion:
[pmacct-discussion] Can pmacctd track and group flows around a detected common destination port?
Hiep Huynh
2016-11-01 15:00:27 UTC
Permalink
Greetings Paolo,


Currently, pmacctd reports traffic going each direction as follows when aggregating on src_host, dst_host, src_port, dst_port, and protocol:

SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL PACKETS BYTES
10.0.22.19 10.0.22.163 55932 18051 tcp 2 1445
10.0.22.163 10.0.22.19 18051 55932 tcp 1 1371
10.0.22.19 10.0.22.163 55933 18051 tcp 4 6904
10.0.22.163 10.0.22.19 18051 55933 tcp 1 290

We can see that 10.0.22.19 is a client that's opening random ports in order to communicate to the same service port (18051) on 10.0.22.163. The service on 18051 responds in return resulting in traffic going the opposite direction. My DESIRED RESULT would be the summation of all traffic involving a detected common destination port (in this case 18051):

SRC_IP DST_IP DST_PORT PROTOCOL PACKETS BYTES
10.0.22.19 10.0.22.163 18051 tcp 8 10010


If I omit src_port then aggregate only on src_host, dst_host, dst_port, and protocol, I get the following output that has two extra rows that I would like to be summed into the first row:

SRC_IP DST_IP DST_PORT PROTOCOL PACKETS BYTES
10.0.22.19 10.0.22.163 18051 tcp 6 8349
10.0.22.163 10.0.22.19 55932 tcp 1 1371
10.0.22.163 10.0.22.19 55933 tcp 1 290

Is there a way for pmacctd to track the traffic and group the flows to produce an aggregate like my desired result? Can anyone suggest how this can be accomplished WITHIN pmacctd using any combination of config keys/directives like aggregate, pcap_filter, aggregate_filters, etc...?



Grazie!
Paolo Lucente
2016-11-02 01:05:03 UTC
Permalink
Hi Hiep,

sum_port may somehow come to the rescue but ymmv with it; it may very
well start doing sums for all ports, i.e. 18051, 55932, 55933, etc. So
18051 will contain your 8 packets but then, unless port 18051 is
meaningful to you, so that you can trash all the rest (on query), it may
lead to problems, i.e. over-counting of traffic if you ever dare doing
totals. Most probably you are looking for an ad-hoc feature for this -
for which I'd be looking for some extra information, i.e. how to do the
grouping? By volume? By filtering? etc., that we can exchange 1:1.

Cheers,
Paolo
Post by Hiep Huynh
Greetings Paolo,
SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL PACKETS BYTES
10.0.22.19 10.0.22.163 55932 18051 tcp 2 1445
10.0.22.163 10.0.22.19 18051 55932 tcp 1 1371
10.0.22.19 10.0.22.163 55933 18051 tcp 4 6904
10.0.22.163 10.0.22.19 18051 55933 tcp 1 290
SRC_IP DST_IP DST_PORT PROTOCOL PACKETS BYTES
10.0.22.19 10.0.22.163 18051 tcp 8 10010
SRC_IP DST_IP DST_PORT PROTOCOL PACKETS BYTES
10.0.22.19 10.0.22.163 18051 tcp 6 8349
10.0.22.163 10.0.22.19 55932 tcp 1 1371
10.0.22.163 10.0.22.19 55933 tcp 1 290
Is there a way for pmacctd to track the traffic and group the flows to produce an aggregate like my desired result? Can anyone suggest how this can be accomplished WITHIN pmacctd using any combination of config keys/directives like aggregate, pcap_filter, aggregate_filters, etc...?
Grazie!
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
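As an added example (not from either poster and not part of pmacct), the grouping Hiep asks for done as a post-processing step over pmacctd's 5-tuple output: per host pair the service port is taken to be the one that repeats across connections, and every record is folded onto the client/server/service-port key regardless of direction, so the total bytes stay equal to the input and the over-counting Paolo warns about with sum_port does not occur. The sample rows are the ones from the post, constructed inline; the tie-break rule for a single connection is an assumption.

```python
"""Fold bidirectional pmacctd records around a detected common service port.

Input rows are the aggregate from the post (aggregate: src_host, dst_host,
src_port, dst_port, proto). Post-processing example, not a pmacct feature.
"""
from collections import Counter, defaultdict

# Constructed sample: the rows from the post, as pmacctd prints them.
SAMPLE = """\
10.0.22.19 10.0.22.163 55932 18051 tcp 2 1445
10.0.22.163 10.0.22.19 18051 55932 tcp 1 1371
10.0.22.19 10.0.22.163 55933 18051 tcp 4 6904
10.0.22.163 10.0.22.19 18051 55933 tcp 1 290
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("SRC_IP"):
            continue
        s, d, sp, dp, proto, pkts, byts = line.split()
        rows.append((s, d, int(sp), int(dp), proto, int(pkts), int(byts)))
    return rows

def detect_service_ports(rows):
    """Per unordered host pair + proto, pick the port seen in most records.
    Clients use a fresh ephemeral port per connection, so only the service
    port repeats. Assumed tie-break (one connection only): the lower port."""
    counts = defaultdict(Counter)
    for s, d, sp, dp, proto, _, _ in rows:
        pair = (frozenset((s, d)), proto)
        counts[pair][sp] += 1
        counts[pair][dp] += 1
    return {pair: min(c, key=lambda p: (-c[p], p)) for pair, c in counts.items()}

def fold(rows):
    """Return {(client, server, service_port, proto): [packets, bytes]}."""
    svc = detect_service_ports(rows)
    out = defaultdict(lambda: [0, 0])
    for s, d, sp, dp, proto, pkts, byts in rows:
        port = svc[(frozenset((s, d)), proto)]
        # Orient the record so the host owning the service port is the server.
        client, server = (s, d) if dp == port else (d, s)
        out[(client, server, port, proto)][0] += pkts
        out[(client, server, port, proto)][1] += byts
    return dict(out)

if __name__ == "__main__":
    for (c, srv, port, proto), (p, b) in fold(parse(SAMPLE)).items():
        print(c, srv, port, proto, p, b)
```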