Niklas Hofer
Tue, 09 Feb 2010 07:55:58 -0800
Hello my name is Niklas and I have been playing around with pmacctd and associates since one week. I want to monitor traffic in realtime (TM) with a web interface - all is going very well until I tried out my code on the production system.
It seems to me like sfacctd does have basic support for sFlow v2, but none of the aggregate_filters seem to work. My config is attached below. tried versions: 0.11.4-1 (ubuntu karmic), pmacct-0.12.0rc4 (manually compiled) The sFlow Agent: Foundry BigIron 4000 with JetCore (produces sFlow v2, will try to change if possible). <---snip---> plugins: memory[mem_in], memory[mem_out] ! Memory pmacctd_force_frag_handling: true sfacctd_renormalize: true aggregate[mem_in]: dst_host aggregate[mem_out]: src_host ! following net is the correct one, even tried 0.0.0.0/0 aggregate_filter[mem_in]: dst net 193.203.122.0/23 aggregate_filter[mem_out]: src net 193.203.122.0/23 !aggregate_filter[mem_out]: 2 > 1 ! ^^ this works (lets everything through) ^^ imt_path[mem_in]: shortened/tmp/sockets/pmacct_in.pipe imt_path[mem_out]: shortened/tmp/sockets/pmacct_out.pipe <---snap---> If I fake the sFlow packets with InMon_Agent-6.2/sflsp (produces sFlowv5 according to tcpdump), the filters and aggregates work fine. I I turn of the aggregate_filter[mem_out] (or replace it with a trivial expression), the all the traffic gets accounted. I also tried a global pcap_filter and an external file + pre_tag_filter. Same misbehaviour. Am I doing something wrong or am I missing something? sincerely Niklas -- _ o o | o > = o) /\ - = < (|/ | \|) \ (| | \ /) | (\ \ _ / / \ The game of life is a game of boomerangs. Our thoughts, deeds and words return to us sooner or later with astounding accuracy. _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists