Chris, Thanks a lot for your reply.
Yes, I see droppped packets: kill -SIGUSR1 26485 Nov 12 11:09:54 Deb-Bridge pmacctd[26485]: eth1: (1194883794) 1456262960 packets received by filter Nov 12 11:09:54 Deb-Bridge pmacctd[26485]: eth1: (1194883794) 225517399 packets dropped by kernel Besides of tying pmacct to the iptables QUEUE, do you know of any other solution? Regards, Mario Antonio ----- Original Message ----- From: "Chris Wilson" <[EMAIL PROTECTED]> To: "Mario Antonio Garcia" <[EMAIL PROTECTED]>, [email protected] Sent: Monday, November 5, 2007 5:57:12 AM (GMT-0500) America/New_York Subject: Re: [pmacct-discussion] Accounting accuracy Hi Mario, On Fri, 2 Nov 2007, Mario Antonio Garcia wrote: > To verify if pmacct is storing/keeping track of data accurately, I send > a large file and measure transfered bandwidth using three softwares. So > far IPTABLES counters is more accurate than any software based on the > pcap library: > > Software IN OUT > IPTABLES 763400472 763280155 > IPFM 529312262 521032723 > PMACCT 754710867 635582251 > > The file that I sent across the bridge was 726,325,248 bytes IN/OUT in > around ~ 2 Minutes > > Here is my question: > What else should I adjust in order to get accuracy when using pmacct? > > I thought that with plugin_pipe_size: 50240000 , I had plenty of space > in the circular queue, so the core process could capture all the > packets. It's not only the queue between core and plugins that can overflow. BPF/pcap has a queue between kernel and user which can also get full and lose packets. You can probably get the info on the number of packets dropped by pcap by sending SIGUSR1 to pmacctd. If this is > 0, that might be the source of your problems. By the way, the iptables count is guaranteed to be accurate because no packet will be forwarded without going through that counter. None of the other counters are guaranteed that way. It would be possible to implement pmacct in such a way that it sits on an iptables QUEUE and measures every packet before allowing it to pass. If you want guaranteed 100% accuracy with flow measurement then that's the way to go, on Linux at least. Cheers, Chris. -- Aptivate | http://www.aptivate.org | Phone: +44 1223 760887 The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES Aptivate is a not-for-profit company registered in England and Wales with company number 04980791. _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
