Hi Yuriy,

You also have other means to get a count of the TCP/SYN packets out
of pmacct. I would suggest one for troubleshooting purposes with the
goal to check where the issue lies:

* keep the 'tcpflags' primitive out of the 'aggregate' directive
* add a 'pcap_filter' directive to the config; it supports filters
  in tcpdump syntax and you can feed it with the same filter you
  use in tcpdump to count TCP/SYN packets. 

I would like to know if counting TCP/SYN packets this way makes
pmacct match the numbers you get out of tcpdump.

Btw, if you like this strategy, instead of resorting to tcpflags,
it can be refined so as to make it co-exist with other things you
might want to do with the tool (i.e. by using tagging or replacing
the 'pcap_filter' with an 'aggregate_filter').

Cheers,
Paolo


On Tue, Feb 09, 2010 at 12:39:52PM +0200, Yavetskiy Yuriy wrote:
> Hello.
>
> I'm running Debian with vanilla 2.6.32 kernel.
> I've compiled pmacct 0.11.6 with pf_ring (transparent mode 1).
> Packets pass through a bridge of 2 interfaces, one interface in promisc
> mode (both interfaces are intel 82576, NAPI, LRO, RSS).
> Load on this bridge is 800mbps and 100 kpps (90% idle on each of 8 cores).
> I'm using pmacct to count traffic through the bridge.
> I've noticed that snmp data and pmacct's data are the same (99% similar
> in MB).
> But if I use tcpflags in aggregation (src_host, dst_host, dst_port,  
> proto, tcpflags), I see (compare pmacct's data on bridge with tcpdump on  
> packet's destination host) that only 5% of packets with flag 2 (SYN) are  
> counted.
> What could be the problem?
>
>
> -- 
> WBR
> Yavetskiy Yuriy
> ULTI-RIPE
>
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
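
The two setups suggested in the reply above, written out as pmacctd configurations. This is an added example, not part of the original mail or of the pmacct distribution; the file names, interface name, pipe paths, plugin names and the filter expression are assumptions.

```conf
! ===== file: pmacctd-syn-only.conf (hypothetical name) =====
! Troubleshooting run: pmacctd only ever sees the packets the filter lets
! through, so every packet it counts is a SYN.
interface: eth0
! Constructed filter: flag byte equal to 2, i.e. SYN and nothing else.
! Replace it with the exact expression you pass to tcpdump.
pcap_filter: tcp[tcpflags] == tcp-syn
plugins: memory
! 'tcpflags' is deliberately left out of the aggregation key
aggregate: src_host, dst_host, dst_port, proto
imt_path: /tmp/pmacct_syn.pipe

! ===== file: pmacctd-combined.conf (hypothetical name) =====
! Refinement: no global pcap_filter, so the 'all' plugin keeps accounting
! every packet while the 'syn' plugin applies the filter to its own table.
interface: eth0
plugins: memory[all], memory[syn]
aggregate[all]: src_host, dst_host, dst_port, proto
imt_path[all]: /tmp/pmacct_all.pipe
aggregate[syn]: src_host, dst_host, dst_port, proto
aggregate_filter[syn]: tcp[tcpflags] == tcp-syn
imt_path[syn]: /tmp/pmacct_syn.pipe
```

Each table can be read with the pmacct client, for example `pmacct -s -p /tmp/pmacct_syn.pipe`, and the packet counters compared with what tcpdump reports for the same filter.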
