Re: [pmacct-discussion] ip traffic accounted twice

2007-04-14 Thread Paolo Lucente
Hi Andrei,
can you establish any criteria for that doubled traffic, ie. what gets
doubled and what is counted once, inbound vs. outbound, etc.? Moreover,
can you have a look what happens at layer2, any change in src/dst MAC
addresses? That would help but because you told that's bridged traffic
... there should be not much of surprises down there.

Cheers,
Paolo

On Sat, Apr 14, 2007 at 01:37:44AM +0300, Andrei Neagoe wrote:

> [ ... ]
>
> ===
> 00:31:56.734917 IP 127-0xxx.dk.ircd > a91-153-5-49.elisa-laajakaista.fi.1465: . ack 21 win 2814
> 00:31:56.735023 IP 127-0xxx.dk.ircd > a91-153-5-49.elisa-laajakaista.fi.1465: . ack 21 win 2814
> 00:31:56.782449 IP 127-0xxx.dk.ssh > 221.10.254.205.50638: P 1:42(41) ack 1 win 5792 nop,nop,timestamp 116365432 508437179
> 00:31:56.782461 IP 127-0xxx.dk.ssh > 221.10.254.205.50638: P 1:42(41) ack 1 win 5792 nop,nop,timestamp 116365432 508437179
> 00:31:56.812521 IP ns1.xxx.bz.domain > dns1-khk.cybercity.dk.8141:  29003* 1/2/0 A web01.mcn.dk (89)
> 00:31:56.812627 IP ns1.xxx.bz.domain > dns1-khk.cybercity.dk.8141:  29003* 1/2/0 A web01.mcn.dk (89)
> 00:31:56.833381 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: S 4090883955:4090883955(0) ack 1171249356 win 5840 mss 1460,nop,nop,sackOK
> 00:31:56.833388 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: S 4090883955:4090883955(0) ack 1171249356 win 5840 mss 1460,nop,nop,sackOK
> 00:31:56.846862 IP port438.ds1-khk.adsl.cybercity.dk.10356 > web01.xxx.dk.www: . ack 1 win 65535
> 00:31:56.858354 IP port438.ds1-khk.adsl.cybercity.dk.10356 > web01.xxx.dk.www: P 1:394(393) ack 1 win 65535
> 00:31:56.859943 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: . ack 394 win 6432
> 00:31:56.859951 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: . ack 394 win 6432
> ===
>
> As you can see... some of the entries (not all of them) are doubled.
> Any ideas?
>
> [ ... ]

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
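
One way to answer the "what gets doubled and what is counted once" question from a capture like the one quoted above, as an added example that is not part of the original thread or of pmacct. It assumes default tcpdump text output (no `-e`, one packet per line) and a hypothetical `lan.example` suffix for the hosts behind the bridge; the sample lines are constructed.

```python
import re
from collections import Counter

# Default tcpdump text line (no -e): "HH:MM:SS.usec IP src.port > dst.port: summary"
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP (\S+) > (\S+): (.*)$")

def parse(line):
    """Return (timestamp_us, src, dst, summary), or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    h, mi, s, us, src, dst, summary = m.groups()
    ts = (int(h) * 3600 + int(mi) * 60 + int(s)) * 1_000_000 + int(us)
    return ts, src, dst, summary.strip()

def classify(lines, local_suffix, window_us=1000):
    """Count first sightings and repeats per direction.

    A line is a repeat when an identical src/dst/summary was printed at most
    window_us earlier; genuine TCP retransmissions normally arrive much later.
    local_suffix (an assumed naming scheme) marks hosts behind the bridge.
    """
    last_seen = {}
    stats = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, summary = rec
        host = src.rsplit(".", 1)[0]  # drop the trailing port/service label
        direction = "out" if host.endswith(local_suffix) else "in"
        key = (src, dst, summary)
        prev = last_seen.get(key)
        repeat = prev is not None and 0 <= ts - prev <= window_us
        stats[(direction, "repeat" if repeat else "first")] += 1
        last_seen[key] = ts
    return stats

# Constructed sample in the shape of the capture above (hostnames are made up).
SAMPLE = """\
00:31:56.833381 IP vm1.lan.example.www > client.example.net.10356: S 100:100(0) ack 1 win 5840
00:31:56.833388 IP vm1.lan.example.www > client.example.net.10356: S 100:100(0) ack 1 win 5840
00:31:56.846862 IP client.example.net.10356 > vm1.lan.example.www: . ack 1 win 65535
00:31:56.858354 IP client.example.net.10356 > vm1.lan.example.www: P 1:394(393) ack 1 win 65535
00:31:56.859943 IP vm1.lan.example.www > client.example.net.10356: . ack 394 win 6432
00:31:56.859951 IP vm1.lan.example.www > client.example.net.10356: . ack 394 win 6432
""".splitlines()

if __name__ == "__main__":
    for (direction, kind), n in sorted(classify(SAMPLE, "lan.example").items()):
        print(f"{direction:3} {kind:6} {n}")
```

On the constructed sample every outbound packet has a repeat within a few microseconds while inbound packets appear once, which is the kind of per-direction criterion asked for above.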


Re: [pmacct-discussion] ip traffic accounted twice

2007-04-13 Thread Paolo Lucente
Hi Andrei,
the most immediate suggestion I can give you is to tap either tcpdump
or ethereal on the eth0 and see which traffic the libpcap library is
effectively returning; also, try playing with the 'promisc' directive
(which defaults to true) - as my understanding is that you are sniffing
traffic passing through the interface. Unless you are using some more
complex pmacct configuration (ie. multiple SQL plugins that might be
writing to the same table), the above suggestions should return some
meaningful answer. Otherwise, post your configuration here. 

Let me know.

Cheers,
Paolo

On Fri, Apr 13, 2007 at 10:46:52PM +0300, Andrei Neagoe wrote:
> I've just set up pmacct on a box that has a vmware server on it. The
> objective is to account each jail traffic.
> Basically, there is one routed ip address on the server and every vmware
> jail bridges the traffic through eth0 (the only active interface on the
> server).
>
> Problem is, that if I transfer a fixed amount of data from one of the
> jails to the internet, that traffic is accounted twice. (ie. 4 mb upload
> is accounted as 8 mb upload).
> I must be missing something, but can't figure out what... Can someone
> point me in the right direction?
>
> --
> Andrei Neagoe
> Sales  Network Engineer
>
> SC Top Edge Engineering SRL
> Addr: Str. Calea Bucuresti, Bl. M18b, Craiova, 200529, Romania
> Tel: 0251-413193 (int. 18)
> Fax: 0251-413977
> Mobile: 0721-092929



Re: [pmacct-discussion] ip traffic accounted twice

2007-04-13 Thread Andrei Neagoe
I've set promisc to false (I just need local traffic passing through 
eth0) but traffic still gets accounted twice.

Below is my conf:

===
debug: false
interface: eth0
daemonize: true
promisc: false

sql_db: bwstat
sql_table: acct
sql_table_version: 1
sql_passwd: ***
sql_user: ***
sql_refresh_time: 60
sql_history: 1h
sql_history_roundoff: mh

aggregate[in]: dst_host
aggregate[out]: src_host
aggregate_filter[in]: dst net 217.19x.xxx.0/24
aggregate_filter[out]: src net 217.19x.xxx.0/24
plugins: mysql[in], mysql[out]
===

I've listened to your advice and tried a tcpdump on eth0. The results 
are not satisfactory.


===
00:31:56.734917 IP 127-0xxx.dk.ircd > a91-153-5-49.elisa-laajakaista.fi.1465: . ack 21 win 2814
00:31:56.735023 IP 127-0xxx.dk.ircd > a91-153-5-49.elisa-laajakaista.fi.1465: . ack 21 win 2814
00:31:56.782449 IP 127-0xxx.dk.ssh > 221.10.254.205.50638: P 1:42(41) ack 1 win 5792 nop,nop,timestamp 116365432 508437179
00:31:56.782461 IP 127-0xxx.dk.ssh > 221.10.254.205.50638: P 1:42(41) ack 1 win 5792 nop,nop,timestamp 116365432 508437179
00:31:56.812521 IP ns1.xxx.bz.domain > dns1-khk.cybercity.dk.8141:  29003* 1/2/0 A web01.mcn.dk (89)
00:31:56.812627 IP ns1.xxx.bz.domain > dns1-khk.cybercity.dk.8141:  29003* 1/2/0 A web01.mcn.dk (89)
00:31:56.833381 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: S 4090883955:4090883955(0) ack 1171249356 win 5840 mss 1460,nop,nop,sackOK
00:31:56.833388 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: S 4090883955:4090883955(0) ack 1171249356 win 5840 mss 1460,nop,nop,sackOK
00:31:56.846862 IP port438.ds1-khk.adsl.cybercity.dk.10356 > web01.xxx.dk.www: . ack 1 win 65535
00:31:56.858354 IP port438.ds1-khk.adsl.cybercity.dk.10356 > web01.xxx.dk.www: P 1:394(393) ack 1 win 65535
00:31:56.859943 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: . ack 394 win 6432
00:31:56.859951 IP web01.xxx.dk.www > port438.ds1-khk.adsl.cybercity.dk.10356: . ack 394 win 6432
===

As you can see... some of the entries (not all of them) are doubled.
Any ideas?

Andrei Neagoe
Sales  Network Engineer

SC Top Edge Engineering SRL
Addr: Str. Calea Bucuresti, Bl. M18b, Craiova, 200529, Romania
Tel: 0251-413193 (int. 18)
Fax: 0251-413977
Mobile: 0721-092929 




Paolo Lucente wrote:

Hi Andrei,
the most immediate suggestion I can give you is to tap either tcpdump
or ethereal on the eth0 and see which traffic the libpcap library is
effectively returning; also, try playing with the 'promisc' directive
(which defaults to true) - as my understanding is that you are sniffing
traffic passing through the interface. Unless you are using some more
complex pmacct configuration (ie. multiple SQL plugins that might be
writing to the same table), the above suggestions should return some
meaningful answer. Otherwise, post your configuration here. 


Let me know.

Cheers,
Paolo

On Fri, Apr 13, 2007 at 10:46:52PM +0300, Andrei Neagoe wrote:
  
I've just set up pmacct on a box that has a vmware server on it. The 
objective is to account each jail traffic.
Basically, there is one routed ip address on the server and every vmware 
jail bridges the traffic through eth0 (the only active interface on the 
server).


Problem is, that if I transfer a fixed amount of data from one of the 
jails to the internet, that traffic is accounted twice. (ie. 4 mb upload 
is accounted as 8 mb upload).
I must be missing something, but can't figure out what... Can someone 
point me in the right direction?


--
Andrei Neagoe
Sales  Network Engineer

SC Top Edge Engineering SRL
Addr: Str. Calea Bucuresti, Bl. M18b, Craiova, 200529, Romania
Tel: 0251-413193 (int. 18)
Fax: 0251-413977
Mobile: 0721-092929 


