Hi,

On Mon, Nov 16, 2009 at 04:45:57PM -0600, fedora fedora wrote:

> DEBUG ( default/mysql ): INSERT INTO `test_1` (stamp_updated,
> stamp_inserted, ip_src, ip_dst, as_src, as_dst, src_port, dst_port,
> tcp_flags, ip_proto, packets, bytes, flows) VALUES
> (FROM_UNIXTIME(1258410661), FROM_UNIXTIME(1258410600), 'x.x.x.34',
> 'x.x.x.2', xx8, xx9, 443, 2608, 24, 'tcp', 1, 1353, 140733193388033)

Thanks for the output. So, only the 'flows' primitive is involved.
Hopefully the last bit of information I need is: which NetFlow version
are your routers exporting to pmacct? If v8, which profile? If v9,
are you doing anything fancy with it (i.e. aggregated NetFlow)? Roughly
a week ago I committed to the CVS a minor patch to initialize some
variables used at some stage to convert values as counters; can you
please see if the version currently in the CVS behaves any better?

> So pmacct keeps tracking the traffic count and at the end of the given
> minutes (hours, etc.) it calculates the summary and then writes it to the
> backend database, am I right?

Yes, pmacct SQL plugins feature a cache to accumulate counters. Then the
scanner kicks in at regular intervals (by default 60 secs) and writes to
the database. If sql_history matches sql_refresh_time (or is a multiple)
then each aggregate is written with a SQL INSERT query; otherwise UPDATE
queries are involved.

> If I am correct, how does pmacct treat netflow data, since all the data it
> gets is already aggregated by the netflow protocol? Will pmacct do something
> extra?
> 
> I guess for sflow, it will act differently and do the calculations.

The basic thing to consider is that pmacct is not a packet/sample/flow
logger. This is partly highlighted by Q5 in FAQS. It performs data reduction,
i.e. temporal aggregation, spatial aggregation, filtering, sampling (or
sub-sampling). Timestamps that are part of the export protocol, i.e. NetFlow
or sFlow, are used to assign data to a time-bin when using a SQL plugin
(as the in-memory table plugin doesn't have such a concept; you simply
grab&clean data at regular intervals).

Cheers,
Paolo



_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
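
The cache and time-bin behaviour described in the reply above, as a simplified Python model added here (not pmacct code and not part of the original message). Class and function names are hypothetical, the 60-second bin width and the flow timestamps are constructed, and the `suspect` check is an assumed heuristic; `split64` is applied to the `flows` value from the quoted DEBUG line.

```python
from collections import defaultdict

def time_bin(ts, sql_history=60):
    """Start of the sql_history-wide time-bin a flow timestamp falls into."""
    return ts - ts % sql_history

def split64(value):
    """High and low 32-bit halves of a 64-bit counter."""
    return value >> 32, value & 0xFFFFFFFF

class AggregateCache:
    """Simplified model: counters accumulate per (time-bin, key) until purged."""

    def __init__(self, sql_history=60):
        self.sql_history = sql_history
        self.entries = defaultdict(lambda: [0, 0, 0])  # packets, bytes, flows

    def account(self, ts, key, packets, nbytes, flows=1):
        entry = self.entries[(time_bin(ts, self.sql_history), key)]
        for i, delta in enumerate((packets, nbytes, flows)):
            entry[i] += delta

    def purge(self):
        """Return one row per aggregate, oldest bin first, and empty the cache."""
        rows = []
        for (stamp, key), (packets, nbytes, flows) in sorted(self.entries.items()):
            rows.append({"stamp_inserted": stamp, "key": key, "packets": packets,
                         "bytes": nbytes, "flows": flows,
                         # Heuristic (assumption): a flow has at least one packet.
                         "suspect": flows > packets})
        self.entries.clear()
        return rows

def demo():
    """Constructed input: three flows for one key, spanning two 60 s bins."""
    cache = AggregateCache(sql_history=60)
    key = ("x.x.x.34", "x.x.x.2", 443, 2608, "tcp")
    cache.account(1258410605, key, packets=1, nbytes=1353)
    cache.account(1258410655, key, packets=3, nbytes=4100)
    cache.account(1258410661, key, packets=2, nbytes=120)
    return cache.purge()

if __name__ == "__main__":
    for row in demo():
        print(row)
    # The 'flows' value from the DEBUG line above, split into 32-bit halves.
    print([hex(half) for half in split64(140733193388033)])
```

The three constructed flows collapse into two rows, one per time-bin, and the `flows` value from the DEBUG line splits into a high half of 0x7fff and a low half of 1.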
