Hi Johannes,

The issue is persistent across reloads, correct? 

Enable debug only for the plugin, i.e. "debug[TMPflowSRC]: true",
then check the log file to see if the problem is somehow with
the database. If the log is clear, meaning no entries are written
out, I'd recommend removing anything that could potentially be
filtering, so aggregate_filter, networks_file and ports_file,
and see if this changes anything. Let's take it from there.

Cheers,
Paolo
 
On Tue, Apr 08, 2014 at 05:50:50PM +0200, Johannes Formann wrote:
> Hi,
> 
> I have a strange problem again. I already tested the newest CVS version but 
> it persists:
> 
> I use four aggregates:
>  - inbound: incoming traffic for local IPs
>  - outbound: outgoing traffic for local IPs
>  - TMPflowSRC: short time local outgoing udp traffic (with a short port list)
>  - TMPflowDST: short time udp traffic (after destination address) to be able 
> to identify potential outgoing DDoS
> 
> Everything worked fine for some time but today I found that TMPflowSRC 
> accounts almost no traffic anymore, and if it accounts, mostly IPv6 addresses. 
> Sadly in this network IPv6 traffic is less than 4% so there must be some 
> fault in my configuration.
> 
> With debug enabled the initialization of the three aggregates with a network 
> filter looks identical, so that shouldn’t be the problem.
> Commenting out the port list didn’t help either.
> 
> My configuration:
> 
> ! pmacctd configuration
> !
> !
> !
> daemonize: true
> pidfile: /var/run/pmacctd.pid
> syslog: daemon
> !
> aggregate[inbound]: dst_host
> aggregate[outbound]: src_host,proto
> aggregate[TMPflowSRC]: src_host,src_port,proto
> aggregate[TMPflowDST]: dst_host,proto
> aggregate_filter[TMPflowSRC]: udp
> aggregate_filter[TMPflowDST]: udp
> plugins: mysql[inbound], mysql[outbound], mysql[TMPflowSRC], mysql[TMPflowDST]
> sql_table[inbound]: acct_%Y_%m_in
> sql_table[outbound]: acct_%Y_%m_out
> sql_table[TMPflowSRC]: acct_TMPflowSRC
> sql_table[TMPflowDST]: acct_TMPflowDST
> sql_table_schema[inbound]: /etc/pmacct/inbound.schema
> sql_table_schema[outbound]: /etc/pmacct/outbound.schema
> networks_file[inbound]: /etc/pmacct/networks
> networks_file[outbound]: /etc/pmacct/networks
> networks_file[TMPflowSRC]: /etc/pmacct/networks
> ports_file[TMPflowSRC]: /etc/pmacct/portsudp 
> 
> networks_file_filter: true
> 
> interface: eth0
> 
> ! storage methods
> sql_db: pmacct
> sql_table_version: 4 
> sql_passwd: <secret>
> sql_user: pmacct
> sql_refresh_time: 60
> sql_optimize_clauses: true
> sql_history: 1m 
> sql_history_roundoff: m
> sql_multi_values: 12000000
> sql_cache_entries: 64000
> 
> pmacctd_flow_buffer_buckets: 4096
> 
> sql_dont_try_update: true
> 
> plugin_buffer_size: 163840
> plugin_pipe_size: 40960000
> 
> Any ideas where to look?
> 
> greetings
> 
> Johannes 
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
