Hi all:

Just started using pmacct (0.11.5) this evening on a CentOS 4.5
machine. I wanted to aggregate a number of internal networks together
while retaining individual host stats for hosts that aren't in one of
those networks.

So I set up a couple of plugins using:

  plugins: ... memory[network_out], memory[network_in], ...

  aggregate[network_out]: dst_net
  aggregate_filter[network_out]: src net 192.168.7.0/24
  imt_path[network_out]: /tmp/collect.out.network_out

  aggregate[network_in]: src_net
  aggregate_filter[network_in]: dst net 192.168.7.0/24
  imt_path[network_in]: /tmp/collect.out.network_in

and a networks_file of:

  192.168.0.0/24
  192.168.1.0/24
  192.168.2.0/24
  192.168.3.0/24
  192.168.5.0/24
  192.168.7.0/24
  192.168.9.0/24
  192.168.12.0/24
  0.0.0.0/0

Which I expected would give me aggregates of traffic from all hosts
going from/to 192.168.{0,1,2,3,5,7,9,12}.0/24. I added the 0.0.0.0/0
at the bottom to provide a match all rule that I hoped would allow
traffic between say 192.168.10.2 to 192.168.7.2 to show up as (using
./pmacct -p /tmp/collect.out.network_out -s):

   SRC_IP           PACKETS     BYTES
   192.168.2.0      705         425768
   192.168.12.0     111         62270
   192.168.5.0      138         69736
   192.168.7.0      228         32400
   192.168.9.0      5           334
   192.168.10.2     283         329108   <--- not specified in networks
   192.168.0.0      1297        1094590

but instead I see:

   SRC_IP           PACKETS     BYTES
   192.168.2.0      705         425768
   192.168.12.0     111         62270
   192.168.5.0      138         69736
   192.168.7.0      228         32400
   192.168.9.0      5           334
   0.0.0.0          283         329108
   192.168.0.0      1297        1094590

I understand that the literal interpretation of 0.0.0.0/0 would result
in a host entry for 0.0.0.0 since (any IP & 0) would match, but it
seems that allowing a specification of 0.0.0.0/0 or some other unique
netmask/ip (maybe 255.255.255.255/0) to permit mapping unmapped IPs
to themselves rather than to 0.0.0.0 would be a useful addition.
(Arguably, the user should have to specify 0.0.0.0/0 if they want all
unknown networks mapped to 0.0.0.0, but it's too late to change that
now.)

How does the "networks_mask" keyword work?

KEY:  networks_mask
DESC: specifies the network mask - in bits - to apply to IP address
      values in L3 header. The mask is applied sistematically and
                                              (systematically btw)
      before evaluating the 'networks_file' content (if any is
      specified).

This doesn't really tell me how it is applied, and there are no
matches for networks_mask in the docs directory. If I was to set that
to 32, would I get what I want? Does it set the default "network" for
a host using the networks_mask and a more specific mask can be set in
the networks_file? Hmm, just tried setting that to /24 to see if I got
a 192.168.10.0 entry in the output above and I didn't so I am truly
confused as to what this keyword does.

Also how are the matches determined in the networks file when there
are overlapping networks? The first match listed in the file? The most
specific match?

Given the networks_file:

  192.168.10.0/24
  192.168.10.0/25

Would the IP 192.168.10.2 be counted as part of the /24 or /25 net?

While I was playing with the configuration, I wanted to change the
network that the pmacctd was listening to. With a config file that has:

  interface: eth1

in it, I can specify 'pmacctd -f config -i eth0', and it looks like it
uses eth0 as the interface. Which is desirable and what I would
expect. How do I disable the specification of a networks_file? Using
'pmacctd -f config -n /dev/null' doesn't undo the effects of the
networks_file specification. If I specify a null file "-n '' ", I get
ERROR: network file '' not found.

Is using 'pmacctd -C' supposed to cause the daemon to exit if there is
no "classifiers" keyword in the config file?

Also for the -c aggregation strings, are the sum_ selectors supposed
to act like a 'host' keyword in a filter spec?

And while I am at it, it would be nice to allow:

   pmacct -c src_net -N '192.168.0.0/22'

so that CIDR or netmasks could be used to select networks to report
on.

Thanks to the author for developing what I hope will be a useful tool.

-- 
                                -- rouilj

John Rouillard
System Administrator
Renesys Corporation
603-244-9084 (cell)
603-643-9300 x 111
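
The two matching questions raised in this message (what a 0.0.0.0/0 entry does to unlisted hosts, and which entry wins when networks overlap) can be modelled outside pmacct. The Python below is an added example, not part of the original post and not pmacct's code; it does not say which strategy pmacct uses, and the function names, the `self_on_catch_all` option and the flow records are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# networks_file contents as listed in the post, catch-all entry last.
NETWORKS_FILE = """192.168.0.0/24
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.5.0/24
192.168.7.0/24
192.168.9.0/24
192.168.12.0/24
0.0.0.0/0
"""

def load_networks(text):
    return [ipaddress.ip_network(l.strip()) for l in text.splitlines() if l.strip()]

def map_host(ip, networks, strategy="longest", self_on_catch_all=False):
    """Aggregation key for one address in this model (hypothetical helper).
    strategy "first" takes the first listed match, "longest" the most specific.
    self_on_catch_all models the post's proposal: a /0 match keeps the host.
    """
    addr = ipaddress.ip_address(ip)
    matches = [n for n in networks if addr in n]
    if not matches:
        return None  # model choice: no entry covers this address
    net = matches[0] if strategy == "first" else max(matches, key=lambda n: n.prefixlen)
    if net.prefixlen == 0 and self_on_catch_all:
        return str(addr)
    return str(net)

def aggregate(flows, networks, **opts):
    """Sum (packets, bytes) per key over (ip, packets, bytes) records."""
    totals = defaultdict(lambda: [0, 0])
    for ip, packets, nbytes in flows:
        key = map_host(ip, networks, **opts)
        totals[key][0] += packets
        totals[key][1] += nbytes
    return {k: tuple(v) for k, v in totals.items()}

if __name__ == "__main__":
    nets = load_networks(NETWORKS_FILE)
    # Constructed flow records, not captured traffic.
    flows = [("192.168.10.2", 200, 300000), ("192.168.10.2", 83, 29108), ("192.168.7.9", 228, 32400)]
    print(aggregate(flows, nets))                          # literal /0 match
    print(aggregate(flows, nets, self_on_catch_all=True))  # proposed behaviour
    overlap = load_networks("192.168.10.0/24\n192.168.10.0/25\n")
    print(map_host("192.168.10.2", overlap, "first"), map_host("192.168.10.2", overlap))
```

Keys are printed with their prefix length because the /24 and /25 in the overlap question share the network address 192.168.10.0 and would otherwise be indistinguishable in the output.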


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
