Hi,
Chris Wilson wrote:
> Hi Mitch,
>
> On Wed, 28 Jan 2009, Mitch Pope wrote:
>
>> I really hope one of you can help, we're absolutely dying with this
>> problem. We're an ISP and we run pmacct on a dedicated server that
>> connects to a distribution switch on the edge of our network. We use
>> pmacct strictly for data traffic usage reporting and customer billing.
>>
>> The dedicated server is connected to a span port on the switch that
>> mirrors all traffic going via the uplink to the next hop router,
>> running in promiscuous mode and writing everything to a MySQL database.
>>
>> Most of the time the traffic is accurate, but on average 1 or 2 days
>> each month it'll go completely crazy and show far more traffic inbound
>> and outbound for almost every one of our IP addresses. Whatever causes
>> this to happen is an instantaneous thing as we've been able to confirm
>> it happens inside a 1 hour period looking at hourly traffic breakdowns.
>>
>> It also seems to be greatly influenced by the amount of genuine traffic,
>> the busier the server the more inaccurate the results, i.e. a server
>> that transfers on average 70 Gigabytes per month can show 50 Gigabyte in
>> one hour in the pmacct database when the bug occurs.
>>
>> We've used snmp on the server network adapters and upstream router to
>> confirm this traffic isn't real, it's contained between the switch and
>> the pmacct dedicated server. We tried replacing the switch with a brand
>> new Cisco 3750 and it made no difference.
>>
>
> Can you capture the traffic on your switch port during one of these
> periods (e.g. at a low detail level, tcpdump with snaplen=60) so that you
> can analyse it and see where the extra traffic is coming from?
>
> Is it possible that pmacctd is overflowing a 32-bit counter for bytes per
> flow? What does your data look like during these periods? Does it amplify
> all hosts equally, or are there just a few records with unusually high
> bytes values?
>
> Cheers, Chris.

I had a quick look at the pmacct code. In the SQL plugin (and others) the byte counter is a 32-bit number unless you compile pmacct with '--enable-64bit'.

So the max value is 2^32 bytes => (2^32) * 8 bits => 32 gigabits.

If your step is 1 hour: 32 Gb / hour = 9.1 Mb/s

You can overflow the pmacct counter if you have traffic between 2 hosts up to 9 Mb during one hour. This may explain the bug.

So you can try to configure pmacct with '--enable-64bit' or reduce the value of 'sql_history'.

Denis

--
Denis CAVROIS
R&D Engineer
Acipia
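
The counter arithmetic discussed in the reply above, as an added example (not pmacct code and not part of the original thread): a constructed simulation of one flow's byte counter over one 'sql_history' period, kept once as 32 bits and once as 64 bits. The struct, function names, packet size and rates are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not pmacct code: one flow's byte counter kept for one
 * sql_history period, once as 32 bits and once as 64 bits. */
struct flow_sim {
    uint32_t bytes32;   /* what a 32-bit counter holds at flush time */
    uint64_t bytes64;   /* true byte total */
    unsigned wraps;     /* times the 32-bit counter passed 2^32 */
};

/* Lowest sustained rate (bits/s) that wraps a 32-bit byte counter within
 * period_s seconds. For 3600 s this is about 9.5 Mbit/s in decimal units,
 * i.e. 9.1 when a megabit is counted as 2^20 bits. */
double wrap_rate_bps(unsigned period_s)
{
    return 4294967296.0 * 8.0 / (double)period_s;
}

/* Account pkt_len-byte packets at rate_bps for period_s seconds. */
struct flow_sim simulate(double rate_bps, unsigned period_s, uint32_t pkt_len)
{
    struct flow_sim s = {0, 0, 0};
    uint64_t npkts = (uint64_t)(rate_bps / 8.0 * period_s / pkt_len);

    for (uint64_t i = 0; i < npkts; i++) {
        uint32_t before = s.bytes32;
        s.bytes32 += pkt_len;          /* unsigned add wraps modulo 2^32 */
        if (s.bytes32 < before)        /* result smaller than input: wrapped */
            s.wraps++;
        s.bytes64 += pkt_len;
    }
    return s;
}

int main(void)
{
    unsigned hour = 3600;              /* assumed 1-hour history step */

    printf("wrap threshold over 1h: %.2f Mbit/s\n", wrap_rate_bps(hour) / 1e6);

    /* Constructed input: a single flow at 20 Mbit/s, 1500-byte packets. */
    struct flow_sim s = simulate(20e6, hour, 1500);
    printf("32-bit: %u  64-bit: %llu  wraps: %u\n",
           s.bytes32, (unsigned long long)s.bytes64, s.wraps);
    return 0;
}
```

Comparing the `bytes32` and `bytes64` columns for a flow above and below the threshold shows whether a stored value can be trusted for a given history period.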
