bump ...
On 2/26/2013 2:39 PM, paul dial wrote:
Hi Paolo,
I self compiled pmacct--0.14.2 with just one flag --enable-threads. The
same nfacctd.conf file as listed previously in this thread was used and
the bgp feed has a different source IP address than the netflow feed,
here is what I found:
1) nfacctd.conf with bgp_agent_map configured. nfacctd shuts down as
before because no more plugins active Here is the debug output:
==
Feb 26 12:42:25 nfacctd[2281]: INFO ( default/core ): Start logging ...
Feb 26 12:42:25 nfacctd[2281]: INFO ( default/core ): Trying to
(re)load map: /etc/pmacct/agent.map
Feb 26 12:42:25 nfacctd[2281]: INFO ( default/core ): map
'/etc/pmacct/agent.map' successfully (re)loaded.
Feb 26 12:42:25 nfacctd[2281]: INFO ( default/core/BGP ): maximum BGP
peers allowed: 100
Feb 26 12:42:25 nfacctd[2281]: INFO ( default/core/BGP ): waiting for
BGP data on 192.43.217.2:179
Feb 26 12:42:30 nfacctd[2281]: INFO ( ucar_in/memory ): 112640 bytes
are available to address shared memory segment; buffer size is 148 bytes.
Feb 26 12:42:30 nfacctd[2281]: INFO ( ucar_in/memory ): Trying to
allocate a shared memory segment of 4167680 bytes.
Feb 26 12:42:30 nfacctd[2281]: INFO ( ucar_out/memory ): 112640 bytes
are available to address shared memory segment; buffer size is 148 bytes.
Feb 26 12:42:30 nfacctd[2281]: INFO ( ucar_out/memory ): Trying to
allocate a shared memory segment of 4167680 bytes.
Feb 26 12:42:30 nfacctd[2283]: OK ( ucar_in/memory ): waiting for data
on: '/tmp/pmacct_in.pipe'
Feb 26 12:42:30 nfacctd[2284]: OK ( ucar_out/memory ): waiting for data
on: '/tmp/pmacct_out.pipe'
Feb 26 12:42:30 nfacctd[2281]: INFO ( default/core ): waiting for
NetFlow data on 0.0.0.0:9992
Feb 26 12:42:34 nfacctd[2281]: INFO: connection lost to
'ucar_in-memory'; closing connection.
Feb 26 12:42:34 nfacctd[2281]: INFO: connection lost to
'ucar_out-memory'; closing connection.
Feb 26 12:42:34 nfacctd[2281]: INFO: no more plugins active. Shutting down.
2) nfacctd.conf without bgp_agent_map. nfacctd runs and establishes a
bgp session. The memory plug-in shows only one entry with an AS of
'0'. This is expected because the source IP address of the bgp feed and
the source IP address of the netflow feed are different.
3) If I front end pmacct with a program that allows me to spoof the
source IP address of the netflow packets before sending them to pmacct
on udp port 9992, and I set that IP address to the same as the source IP
address of the bgp feed (verified both using tcpdump), nfacctd runs,
but no data is ever returned to the memory plugin, only the column
titles appear: SRC|DST_AS PACKETS BYTES . Note that the
bgp_agent_map configuration directive was NOT active. here is the
debug output:
Feb 26 13:11:48 nfacctd[3937]: INFO ( default/core ): Start logging ...
Feb 26 13:11:48 nfacctd[3937]: INFO ( default/core/BGP ): maximum BGP
peers allowed: 100
Feb 26 13:11:48 nfacctd[3937]: INFO ( default/core/BGP ): waiting for
BGP data on 192.43.217.2:179
Feb 26 13:11:53 nfacctd[3937]: INFO ( ucar_in/memory ): 112640 bytes
are available to address shared memory segment; buffer size is 148 bytes.
Feb 26 13:11:53 nfacctd[3937]: INFO ( ucar_in/memory ): Trying to
allocate a shared memory segment of 4167680 bytes.
Feb 26 13:11:53 nfacctd[3937]: INFO ( ucar_out/memory ): 112640 bytes
are available to address shared memory segment; buffer size is 148 bytes.
Feb 26 13:11:53 nfacctd[3937]: INFO ( ucar_out/memory ): Trying to
allocate a shared memory segment of 4167680 bytes.
Feb 26 13:11:53 nfacctd[3939]: OK ( ucar_in/memory ): waiting for data
on: '/tmp/pmacct_in.pipe'
Feb 26 13:11:53 nfacctd[3937]: INFO ( default/core ): waiting for
NetFlow data on 0.0.0.0:9992
Feb 26 13:11:53 nfacctd[3940]: OK ( ucar_out/memory ): waiting for data
on: '/tmp/pmacct_out.pipe'
Feb 26 13:12:09 nfacctd[3937]: INFO ( default/core/BGP ): BGP peers
usage: 1/100
Not sure if this information sheds any light on the problem?
Thanks!
--paul
On 2/25/2013 12:39 PM, Paolo Lucente wrote:
Hi Paul,
Perfectly agree with your thoughts around the aggregation method and
memory required. Can you please download a tarball from the website,
self-compile and give it a try to that one? Can't really say whether
the issue might be with the debian package. If that does not lead to
anything then it would be good if i can have a brief look myself to
the issue for some debugging. Let me know.
Cheers,
Paolo
On Mon, Feb 25, 2013 at 11:36:21AM -0700, paul dial wrote:
Hi Paolo,
Based on my understanding of pmacct, and the nfacctd configuration
directives being used, I have defined two memory tables: