Hi Karl,

On Sat, 14 Mar 2009, Karl O. Pinc wrote:

>> Do you have any ideas what might be going on here?
>
> Have you bound to an interface with 'interface'?
>
> Could be you're picking up, say, a file transfer to your gateway.
> You'd want to monitor your external interface, or filter out traffic to
> the box itself.

Good idea, but I am bound to interface eth0.

> As a debugging aid (or in general) you might consider putting your
> rfc1918 network in a networks file. With an aggregate on sum_net and
> without any other filters you get the cross product of all the
> possibilities so can see if there's traffic from/to the local network or
> other things you're perhaps not expecting. If nothing else a quick test
> with the memory plugin may be revealing.

Sorry, what is an aggregate on sum_net? I'm aggregating on ip_src and ip_dst respectively in two different plugins.

I have been thinking about using a networks file, although I'm not sure how to do it yet. I have just changed my configuration as follows:

aggregate[inbound]: dst_host, src_mac, dst_mac
aggregate_filter[inbound]: dst net 192.168.0.0/24 and not src net 192.168.0.0/24
aggregate[outbound]: src_host, src_mac, dst_mac
aggregate_filter[outbound]: src net 192.168.0.0/24 and not dst net 192.168.0.0/24

to hopefully exclude local traffic and also to see if some weird MAC addresses are involved, e.g. multicast, spoofing. But I don't see traffic in the gigabytes on either interface when this happens (internal or external).

Cheers, Chris.
-- 
Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES

Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
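An added example, not part of the original message and not pmacct code: a small Python model of the two aggregate_filter expressions quoted above, showing which flows each plugin would count, which fall outside both, and which aggregation keys carry a group (multicast/broadcast) destination MAC. The flow records, MAC addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/24")  # network used in the quoted filters

def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN

def classify(src, dst):
    """Return the plugin whose filter matches this flow, or None."""
    s, d = in_lan(src), in_lan(dst)
    if d and not s:
        return "inbound"    # dst net LAN and not src net LAN
    if s and not d:
        return "outbound"   # src net LAN and not dst net LAN
    return None             # LAN-to-LAN, or no LAN endpoint at all

def aggregate(flows):
    """Sum bytes per (host, src_mac, dst_mac), as the two plugins are keyed."""
    tables = {"inbound": defaultdict(int), "outbound": defaultdict(int)}
    unmatched = 0
    for src, dst, src_mac, dst_mac, nbytes in flows:
        plugin = classify(src, dst)
        if plugin is None:
            unmatched += nbytes
            continue
        host = dst if plugin == "inbound" else src
        tables[plugin][(host, src_mac, dst_mac)] += nbytes
    return tables, unmatched

def group_mac_keys(table):
    """Keys whose destination MAC has the group bit set (multicast/broadcast)."""
    return [k for k in table if int(k[2].split(":")[0], 16) & 1]

# Constructed sample flows: (src, dst, src_mac, dst_mac, bytes)
GW, H10, H20 = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:20"
FLOWS = [
    ("203.0.113.5", "192.168.0.10", GW, H10, 1500),   # inbound
    ("203.0.113.5", "192.168.0.10", GW, H10, 500),    # inbound, same key
    ("192.168.0.10", "198.51.100.7", H10, GW, 800),   # outbound
    ("192.168.0.10", "192.168.0.20", H10, H20, 9000), # local, excluded
    ("192.168.0.10", "239.1.1.1", H10, "01:00:5e:01:01:01", 300),  # multicast
    ("203.0.113.5", "198.51.100.1", GW, GW, 4000),    # no LAN endpoint
]

if __name__ == "__main__":
    tables, unmatched = aggregate(FLOWS)
    for name, table in tables.items():
        for key, total in sorted(table.items()):
            print(name, key, total)
    print("bytes matched by neither filter:", unmatched)
    print("group-MAC keys:", group_mac_keys(tables["outbound"]))
```

Bytes that land in the "neither" bucket here are what a single unfiltered aggregate would still show, which is one way to compare against the per-plugin totals.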
