This is a simple, quick-and-dirty, copy/paste guide to install a great piece of software, pmacct, on a fresh Ubuntu 14.04.1 LTS (Trusty Tahr) setup. I’ll use this simple setup as the basis for other related posts I plan to publish soon.
Tl;dr: pmacct is a suite of tools to collect, filter and aggregate IP accounting data, which works with live traffic (libpcap), NetFlow v1/v5/v7/v8/v9, IPFIX, sFlow and ULOG.
A blog post is not enough to show the great features and possibilities that this tool offers, so I really recommend whoever may be interested to read the author’s documentation on the official web site.
In a future post I plan to show some ideas to deploy pmacct together with ElasticSearch and Kibana, in order to build useful dashboards full of graphs. Add my RSS feed to your reader or follow me on Twitter to stay updated!
EDIT: the Integration of pmacct with ElasticSearch and Kibana post has been published.
Let’s start from a really simple setup here.
Compilation and installation
Since the Ubuntu packaged version is quite old (0.14.0) I preferred to download and compile the latest release from the official web site (1.5.0 at the time of writing):
# cd /usr/local/src/
# curl -O http://www.pmacct.net/pmacct-1.5.0.tar.gz
# tar -zxvf pmacct-1.5.0.tar.gz
# cd pmacct-1.5.0/
pmacct depends on libpcap, and because we also want to use JSON for the output (we will see why in another post), we need to install the following libraries:
# apt-get install libjansson-dev libpcap-dev make
Now, configure, make and install the program:
# ./configure --enable-ipv6 --enable-jansson
# make
# make check
# make install
(in case of compilation problems, add the --enable-relax option to ./configure)
# ./configure --enable-ipv6 --enable-jansson --enable-relax
The INSTALL file provided along with the source code may offer additional details.
When done, if other options have not been modified, we can find the client program in /usr/local/bin/ and the daemons in /usr/local/sbin/:
# whereis pmacct
pmacct: /usr/local/bin/pmacct
# whereis pmacctd
pmacctd: /usr/local/sbin/pmacctd
# whereis nfacctd
nfacctd: /usr/local/sbin/nfacctd
pmacct needs and creates some files, so I decided to use the following directories for them:
# mkdir /etc/pmacct          # for configuration files
# mkdir /var/run/pmacct      # for PID files
# mkdir /var/spool/pmacct    # for plugin pipes
# mkdir /var/lib/pmacct      # for plugin output
Now, the installation is complete and some configurations are needed to make it work.
In this post I show only a really simple configuration based on pmacctd, the daemon which uses libpcap to collect live traffic from a NIC. Similar configurations may be used for the other daemons too and for more useful scenarios, for example to acquire NetFlow data (nfacctd) or sFlow packets (sfacctd), merge them with BGP routing table information and build traffic engineering reports. The basic principle is always the same: a daemon collects accounting data, while its plugins process and aggregate the data and, finally, produce the output results.
That said, a quick-and-dirty approach is to build a really simple configuration and save it to /etc/pmacct/pmacctd.conf; here it is:
syslog: daemon
promisc: true
interface: eth0
imt_mem_pools_number: 0
plugins: memory[plugin1]
imt_path[plugin1]: /var/spool/pmacct/plugin1.pipe
aggregate[plugin1]: src_host, src_port, dst_host, dst_port
This configuration makes pmacctd enter promiscuous mode on eth0 and store data in an in-memory table (imt), keyed only by source host:port and destination host:port. Since the imt_mem_pools_number key is set to zero, pmacctd will keep allocating memory to store its output, so it’s important to empty the table periodically (below we’ll see how).
Run it (the -D option daemonizes it)…
# pmacctd -f /etc/pmacct/pmacctd.conf -D
… and wait some seconds (and some network traffic), then query the in-memory-table using the pmacct client:
# pmacct -p /var/spool/pmacct/plugin1.pipe -s
SRC_IP        DST_IP        SRC_PORT  DST_PORT  PACKETS  BYTES
172.16.1.195  172.16.1.15   22        59635     13       1396
172.16.1.15   10.0.0.100    59693     443       1        41
192.168.0.1   172.16.1.30   443       52901     3        220
[...]
Network traffic captured on eth0 will be aggregated on the basis of src host / dst host / src port / dst port and counters will be shown.
To empty the in-memory-table, add the -e option:
# pmacct -p /var/spool/pmacct/plugin1.pipe -s -e
To add some details to the output we can add two additional fields to the aggregate, etype (Ethernet EtherType) and proto (IP protocol); so edit the /etc/pmacct/pmacctd.conf file and change the aggregate[plugin1] key:
aggregate[plugin1]: etype, proto, src_host, src_port, dst_host, dst_port
When done, kill and restart the daemon…
# killall -INT pmacctd -w ; pmacctd -f /etc/pmacct/pmacctd.conf -D
… wait some seconds, then run the client again to show the new output:
# pmacct -p /var/spool/pmacct/plugin1.pipe -s -e
ETYPE  SRC_IP        DST_IP        SRC_PORT  DST_PORT  PROTOCOL  PACKETS  BYTES
86dd   2001:DB8::A   2001:DB8::B   60129     80        tcp       3        1468
800    172.16.1.15   172.16.1.195  53384     22        tcp       3        204
[...]
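The client output above (both the basic run and the run with etype and proto added) is a plain whitespace-separated table whose header names the aggregation keys, so it is easy to post-process before a JSON/ElasticSearch pipeline is in place. The following is an added example, not code from the post or from the pmacct project: it parses that table using the header to decide which columns are keys and which are counters, then sums bytes per destination port and lists the top source/destination pairs. The sample tables are constructed from the two runs shown above; the function names and the COUNTER_COLUMNS set are my own assumptions, not pmacct API.

```python
"""Parse and summarise the tabular output of ``pmacct -s``.

Added example (not part of the original post or of pmacct). The
sample output below is constructed from the two runs in the post.
"""

from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: aggregation on src_host, src_port, dst_host, dst_port.
SAMPLE_BASIC = """\
SRC_IP DST_IP SRC_PORT DST_PORT PACKETS BYTES
172.16.1.195 172.16.1.15 22 59635 13 1396
172.16.1.15 10.0.0.100 59693 443 1 41
192.168.0.1 172.16.1.30 443 52901 3 220
[...]
"""

# Constructed sample: same, with etype and proto added to the aggregate.
SAMPLE_EXTENDED = """\
ETYPE SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL PACKETS BYTES
86dd 2001:DB8::A 2001:DB8::B 60129 80 tcp 3 1468
800 172.16.1.15 172.16.1.195 53384 22 tcp 3 204
"""

# Assumption: these header names hold integer counters; all other
# columns are treated as aggregation keys and kept as strings.
COUNTER_COLUMNS = {"PACKETS", "BYTES", "FLOWS"}

Record = Dict[str, object]


def parse_pmacct_table(text: str) -> List[Record]:
    """Turn ``pmacct -s`` output into a list of dicts keyed by header name.

    The header row drives the parse, so any combination of aggregation
    primitives works as long as every data row has the same column count.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    records: List[Record] = []
    for line in lines[1:]:
        if line.startswith("["):  # "[...]" truncation marker, not data
            continue
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"column count mismatch in row: {line!r}")
        rec: Record = {}
        for name, value in zip(header, fields):
            rec[name] = int(value) if name in COUNTER_COLUMNS else value
        records.append(rec)
    return records


def bytes_by_key(records: List[Record], key: str) -> Dict[str, int]:
    """Sum the BYTES counter per distinct value of one key column."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in records:
        totals[str(rec[key])] += int(rec["BYTES"])
    return dict(totals)


def top_talkers(records: List[Record], n: int = 3) -> List[Tuple[Tuple[str, str], int]]:
    """Return the n (SRC_IP, DST_IP) pairs carrying the most bytes, descending."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in records:
        totals[(str(rec["SRC_IP"]), str(rec["DST_IP"]))] += int(rec["BYTES"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    basic = parse_pmacct_table(SAMPLE_BASIC)
    print("bytes per destination port:", bytes_by_key(basic, "DST_PORT"))
    print("top talkers:", top_talkers(basic, 2))
    extended = parse_pmacct_table(SAMPLE_EXTENDED)
    print("bytes per IP protocol:", bytes_by_key(extended, "PROTOCOL"))
```

In practice the table would come from `pmacct -p /var/spool/pmacct/plugin1.pipe -s -e` run on a schedule, so that querying and emptying the table happen in one step; this script only reads the text that command prints.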
Now the testbed is ready for playing with pmacct! The official documentation page is full of intriguing presentations and examples from which to take inspiration.
/etc/init.d System V initscript
In order to manage pmacct daemons I’ve built an init.d script: you can find it on my GitHub page. If you need and like it, you can install it (please read how it works in the comments) and use update-rc.d to install links to automatically start/stop daemons in your system:
# cd /etc/init.d
# curl -O https://raw.githubusercontent.com/pierky/pmacct-initscript/master/pmacct
# chmod a+x pmacct
# update-rc.d pmacct defaults
Feel free to edit/share/ignore it!
When you have finished playing with pmacct, if you are still using a configuration with imt_mem_pools_number: 0, remember to kill the daemon or make sure you have a client consuming its results, otherwise memory will fill up!