Hi Slava, Although tagging can play in your case a key (negative) role under sustained loads, i wouldn't know if it is the prime contributor to such hang ups.
The log below tells that either the router itself is unable to export all the NetFlow data or such data gets lost before making it to the collector (network, kernel buffers, etc.). Such sequence checks can be avoided with the aim of avoid massive logging and in turn relief CPU load: nfacctd_disable_checks set to true. What occurs when the Core Process has not time to handle all traffic? Well, nfacctd reads data from a socket; and a socket at the very end manages a buffer of a certain size. If nfacctd is too slow to pick data out of the buffer compared to the arrival rate, there will be some data loss. At this propo: is buffering enabled within nfacctd (ie. plugin_pipe_size, plugin_buffer_size) ? Is it not also an idea, if possible (depends on the router) and for the benefit of the whole solution, to introduce sampled NetFlow? Cheers, Paolo On Mon, Oct 26, 2009 at 07:57:17PM +0200, Slava Dubrovskiy wrote: > [ ... ] > > Throughout our conversation about traffic accounting has noticed that > periodically the daemon nfacctd hangs up. > It happens when the quantity of packages strongly increases more then > 50kpps (during DDoS). > In log I see: > > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333297' but > received '4333303' collector=???^^B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333305' but > received '4333306' collector=???^^B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333307' but > received '4333320' collector=^H^_B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333321' but > received '4333332' collector=^T^_B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333333' but > received '4333346' collector="^_B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333347' but > received '4333356' collector=,^_B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333357' but > received '4333363' collector=3^_B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333364' but > received '4333378' collector=B^_B:8818 agent=192.168.21.1:129 > Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333379' but > received '4333400' collector=X^_B:8818 agent=192.168.21.1:129 > > After this nfacct stop listen port and not working. > > Question: > What occurs, when the Core Process has not time to handle all traffic? > How it is possible to increase productivity Pre-Tagging? _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists