
Building pmacct with nDPI on macOS

March 22, 2024

pmacct is a powerful and versatile open-source network monitoring and analysis tool, designed to aggregate, filter, and dissect network traffic data. It supports a wide array of network protocols and technologies, including IPFIX and NetFlow, making it an invaluable asset for network administrators and analysts.

Running pmacct on macOS can be particularly beneficial for developers, IT professionals, and network hobbyists who prefer the macOS environment for its robustness and user-friendly interface. Whether for diagnosing network issues or conducting traffic analysis, pmacct offers a comprehensive suite of features that allows users to collect network traffic data efficiently. Its ability to integrate with nDPI for deep packet inspection further enhances its capabilities, enabling more detailed and accurate network traffic analysis.

Compiling pmacct with nDPI support on macOS involves several steps, as it requires you to install dependencies, download the pmacct and nDPI source code, and compile them. Below is a detailed guide to doing this. The process can be somewhat complex, so follow each step closely.

Prerequisites

Before you start, ensure you have Homebrew installed on your Mac, as it will significantly simplify the installation of dependencies. You can install Homebrew by pasting the following command in a terminal:

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Install Dependencies

pmacct and nDPI have several dependencies that need to be installed first. Open a terminal and run the following commands:

    brew install autoconf automake libtool pkg-config git gcc jq

This command installs the essential tools and libraries required for compiling software from source on macOS.

Install nDPI

First, you need to install nDPI, a component required for deep packet inspection:

    brew install ndpi

This command installs nDPI onto your system.

Download and Compile pmacct

After installing nDPI, proceed with compiling pmacct. Start by cloning the pmacct repository and checking out release 1.7.8:

    git clone https://github.com/pmacct/pmacct.git
    cd pmacct
    git checkout 1.7.8

Set C_INCLUDE_PATH and LIBRARY_PATH to point to the nDPI include files and libraries. The version directory (4.4 here) depends on the nDPI release Homebrew installed; `brew --prefix ndpi` prints the path of the currently linked version if yours differs:

    export C_INCLUDE_PATH=/opt/homebrew/Cellar/ndpi/4.4/include
    export LIBRARY_PATH=/opt/homebrew/Cellar/ndpi/4.4/lib

Prepare pmacct for compilation:

    ./autogen.sh

Configure pmacct with nDPI support:

    ./configure --enable-ndpi

Compile and install pmacct:

    make
    sudo make install

After these steps, you will have pmacct with nDPI support compiled and ready to use on your macOS system.

Exporting IPFIX Records from pmacct

Create a configuration file named pmacctd.conf and add the following configuration:

    pcap_interface: en0
    daemonize: false
    snaplen: 4096
    aggregate: class,proto,tos,src_host,src_port,dst_host,dst_port,in_iface,out_iface,timestamp_start,timestamp_end
    plugins: nfprobe
    nfprobe_receiver: 127.0.0.1:4739
    nfprobe_version: 10
    nfprobe_timeouts: tcp=20:maxlife=20:tcp.fin=5:expint=5:udp=20:icmp=10:general=20:tcp.rst=5

On a Mac, en0 is usually the Wi-Fi interface. Change the value of nfprobe_receiver to the IP address and port on which your flow collector is listening. To use ElastiFlow as your flow analytics solution, you can follow the installation instructions here.

Run pmacct using this configuration file:

    sudo /usr/local/sbin/pmacctd -f /PATH/TO/pmacctd.conf

[Screenshot: ElastiFlow Top Applications]
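To confirm that pmacctd is emitting well-formed IPFIX before you point nfprobe_receiver at a real collector, the following added Python listener (written for this page; it is not part of the guide, of pmacct or of ElastiFlow) binds to the 127.0.0.1:4739 address from the configuration above, validates the RFC 7011 message and set headers, and rejects anything that is not IPFIX version 10. The embedded sample datagram is constructed for illustration, not captured from pmacct, and the template it carries (two IPv4 address fields) is an assumption, not what pmacct's nfprobe plugin actually exports for the aggregate above.

```python
"""Sanity-check IPFIX (nfprobe_version: 10) export from pmacctd by parsing RFC 7011 headers."""
import socket
import struct
from dataclasses import dataclass

IPFIX_VERSION = 10   # nfprobe_version: 10 in pmacctd.conf
HEADER_LEN = 16      # version(2) length(2) export time(4) sequence(4) observation domain(4)


@dataclass
class IpfixMessage:
    length: int
    export_time: int
    sequence: int
    domain_id: int
    sets: list  # (set_id, set_length) pairs in message order


def parse_ipfix(datagram: bytes) -> IpfixMessage:
    """Parse the message header and walk every set header; raise ValueError on malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than IPFIX header")
    version, length, export_time, sequence, domain_id = struct.unpack("!HHIII", datagram[:HEADER_LEN])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX: version {version} (expected {IPFIX_VERSION})")
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    sets, offset = [], HEADER_LEN
    while offset < length:
        if length - offset < 4:
            raise ValueError("truncated set header")
        set_id, set_len = struct.unpack("!HH", datagram[offset:offset + 4])
        if set_len < 4 or offset + set_len > length:   # bounds-check before trusting set length
            raise ValueError(f"set {set_id} has bad length {set_len}")
        sets.append((set_id, set_len))
        offset += set_len
    return IpfixMessage(length, export_time, sequence, domain_id, sets)


def set_kind(set_id: int) -> str:
    """RFC 7011 set IDs: 2 = template, 3 = options template, >= 256 = data records."""
    return "template" if set_id == 2 else "options-template" if set_id == 3 else "data" if set_id >= 256 else "reserved"


def sample_datagram() -> bytes:
    """Constructed sample (not a pmacct capture): template 256 = {sourceIPv4Address(8), destinationIPv4Address(12)}
    followed by one data record using it; addresses are RFC 5737 documentation ranges."""
    template = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    record = socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.7")
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    body = template_set + data_set
    return struct.pack("!HHIII", IPFIX_VERSION, HEADER_LEN + len(body), 1711065600, 1, 0) + body


def listen(bind=("127.0.0.1", 4739), count=5):
    """Receive `count` datagrams on the nfprobe_receiver address and print each message's set layout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        for _ in range(count):
            data, peer = sock.recvfrom(65535)
            try:
                msg = parse_ipfix(data)
            except ValueError as err:
                print(f"{peer}: rejected ({err})")
                continue
            print(f"{peer}: seq={msg.sequence} domain={msg.domain_id} "
                  f"sets={[f'{set_kind(i)}#{i}:{n}B' for i, n in msg.sets]}")


if __name__ == "__main__":
    listen()
```

Run it before starting pmacctd; a rejected datagram or a stream that never shows a template set (ID 2) means the collector will not be able to decode the data records that follow.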

Try it for Yourself

This guide has laid down a detailed path, from setting up prerequisites to compiling pmacct and integrating it with nDPI, aimed at enhancing your network analysis capabilities with deep packet inspection. pmacct, coupled with nDPI and ElastiFlow, brings a nuanced understanding of network traffic, offering insights that are crucial for diagnosing issues, enhancing security, and optimizing network performance. The journey doesn't end here; it's a gateway to exploring the vast potential of network data analysis, right from the comfort of your macOS environment.

If you need help, join the ElastiFlow Slack Community or the recently launched ElastiFlow Forum.