Hi Paolo and all,
Hope this is the right place to post my question.
For recording flow’s corresponding timestamp I use sql_history primitive and
my sfacctd.conf looks like:
……
sql_dont_try_update: true
sql_history: 1m
!ql_history_roundoff: mh
…..
The sql data I got
mysql select * from
Hi Paolo,
I have correct timestamp_start value and I will disable sql_history.
In the latest trial I found I missed aggregate 'timestamp_end'.
But I noticed a weird thing that my timestamp_end was wrong:
I also checked the post @2013. It seems 'timestamp_end' aggregate was already
done. Do you
Hi Paolo and all,
In my network environment there is 1 netflow device and 3 sflow devices. I've
been told there's only sflow devices in our data-center. This netflow device
is a surprise to me.
Can sfacctd and nfacctd listen on the same port? (in my use case it's port
'')?? In
Hi Scott and Paolo,
May I ask a question per your good experience?
What is the performance difference between using string ipv4 and integer
ipv4? And potential impact?
I have a PC running sfacctd that collects 2 giga-switches. And it collects
around 5M records into mysql per day.
Hi Paolo and Scott,
Your discussion pointed out an important issue - what is the proper design
when it comes to high-frequency IP-based queries?
Inspired by this thread, my idea is to use postgresql and count on its
cidr/inet function. (I am using mysql and store ipv4 as string(15))
Hi Paolo and all,
Per previous discussion I know sfacctd and nfacctd must listen to separate
port.
With more experience, I realized in data-center there are usually sflow /
netflow devices existing at the same time.
In my case, most important machines are connected by 2 firewall/router
Hi all,
I use following primary key in both sfacctd and nfacctd sql table.
-PRIMARY KEY(mac_src,mac_dst,ip_src,ip_dst,port_src,port_dst,ip_proto,timestamp_start,timestamp_start_residual)
It works well on sfacctd’s sql table but failed on nfacctd with following
error message:
-INSERT INTO
Hi guys,
I found the usage of sql_history_roundoff in document. Sorry for interrupting
you with the simple one.
But I appreciate your comments on other questions based on your field
experience. Thanks.
TC
From: 吳天健
Sent: Tuesday, October 21, 2014 8:18 PM
To:
Hi Chris,
I guess the issue happened during static build. It seems to be a common problem
of libpcap. I experienced this issue in other project using libpcap.
Glad to see you worked around it.
Best wishes,
TC
-Original Message-
From: pmacct-discussion
Hi Paolo,
I would say sflow-netflow translation would be valuable according to my
field experience.
Reason: the nature of sflow is sampling the packet and forward the info to
backend (i.e. sflow collector) ASAP. This causes at least ten times of SQL
rows and thus, more than ten times of
In my environment setting nfacctd_time_new to true works better because
sometimes router/firewall clocks seem not synchronized. Routers and firewalls
are managed by another group of people so that I never had a chance to find out the
clock issue. Using collector's clock is much better in this
Thank you, Paolo.
Also, I would like to say I appreciate the result of pmacct project per this
mail. Its flexibility and reliability fits in our lab (and other network as I
believe).
TC Wu
-Original Message-
From: pmacct-discussion [mailto:pmacct-discussion-boun...@pmacct.net] On
Hi Paolo,
I have to collect sflow and nflow, after consideration I assign sflow to port
999 and nflow to port 997.
But in this thread I have a 2nd thought that I can assign both sflow and nflow
to a single port listen by libcap app. Is this a good approach? Any risk, like
packet drop?
I've
Hi Paolo,
Is there potential risk, such as packet loss to implement a daemon (or modify
pmacct) listen to both Netflow and sflow and split them? Libcap is known of
packet drop when CPU low (I might be wrong for that community keep improving).
Sent from my ASUS
Original message
From: Paolo
My coworker, an IT guy in operation team, once proposed to set all router,
including sflow and nflow equipments, to a single port on a single collector.
In the end we setup sfacctd listen on a port and nfacctd on the other. But I
am wondering if it's possible to fulfill previous requirement?
I think UDP proxy will work, cause I have ever observed that sfacctd skipped
nflow packet and only record sflow packets if all routers send to the same
collector same port. (but you'll see a lot of 'parsing header...not a sflow
packet' similar errors in log)
An even better way is to implement
1 on 1 ratio is a crisis to database in busy data center. You'll need to define
a level of granularity . And yes sampling_rate is for that purpose.
Sent from my ASUS
Original message
From: Paul Lockaby
Sent: Sat, 20 Feb 2016 11:46:02 +0800
To: pmacct-discussion@pmacct.net
Hi Robert,
Though I was using psql, but some experience of debugging here. Would you
check the sql log?
You might see access error, write error in sql log , or nothing.
Either way it points to unsuccessfully write or something else.
From: pmacct-discussion
The IT team was using a commercial product, called 'nreporter', that can
collect all flow protocol in single port.
This is a nice feature because not all of IT member understand varieties of
flow protocols of varieties router.
The plan was to replace the commercial collector and keep router