pmacct (Promiscuous mode IP Accounting package)
pmacct is Copyright (C) 2004 by Paolo Lucente

A brief preamble: this FAQ document is pretty young and fresh. This is because you
should don't expect to find all needed answers here. It will gradually gets filled.
Now, given the extensive overview and description already present on pmacct homepage,
i'll avoid to duplicate them here.

Q: Hey boy, ok, funny preamble. What is pmacct project homepage ?
A: It's http://www.ba.cnr.it/~paolo/pmacct/ . Currently, there is any official mirror
   site. 

Q: What is the best way to kill a running instance of pmacctd avoiding data loss ? 
A: The right way to do it, is to send a SIGINT to all running pmacctd processes, for
   example via a 'killall -INT pmacctd'. pmacctd core process will ignore it; IMT
   plugin will simply take the exit lane. SQL plugins will flush their cached data
   to DB and then will exit. As soon as the core process will see itself alone, it
   will shutdown nicely.

Q: I wish to account all traffic of my network but i'm not interested in having the
   DB polluted with data about external hosts. Do i need to run two pmacctd instances
   each accounting either sources or destinations and each with its ad hoc libpcap
   filter ? 
A: No, as of version 0.6.3 you will be able to run a single instance of pmacctd with
   multiple plugins, taking rid of both plugin names and aggregation filters. A sample
   configuration is the following:

   ...
   aggregate[inbound]: dst_host
   aggregate[outbound]: src_host
   aggregate_filter[inbound]: dst net 192.168.0.0/16
   aggregate_filter[outbound]: src net 192.168.0.0/16
   plugins: mysql[inbound], mysql[outbound]
   sql_table:[inbound]: acct_in 
   sql_table:[outbound]: acct_out 
   ... 

   It will account all traffic directed to your hosts in 'acct_in' table and all traffic
   they generate in 'acct_out' table. Then you will need only to play around with basic
   SQL queries to extract meaningful totals. 

/* EOF */
