Hi Paolo,
First of all, thanks for your help. It works fine now.
I have another problem that needs to be solved. The amount of data
which pmacct captured does not match the actual usage.
They are only quite small packs, maybe the traffic between DNS
server not all traffic.
I did a test before and here are the details.
My config file:
daemonize: true
debug: true
nfacctd_time_new: true
nfacctd_ip: X.X.X.X
nfacctd_port: 9990
!logfile: /netflow/pmacct/logfile/file.log
aggregate[inbound]: src_host, dst_host
!aggregate[outbound]: src_host
aggregate_filter[inbound]: dst net X.X.69.0/24
!aggregate_filter[outbound]: src net X.X.69.0/24
plugins: mysql[inbound]
sql_table[inbound]: acct_in_%Y_%m
!sql_table[outbound]: acct_out_%M
sql_host: localhost
sql_user: XXXXX
sql_passwd: XXXXX
sql_db: pmacct
sql_refresh_time: 300
sql_history: 1h
sql_history_roundoff: m
sql_table_schema[inbound]: /netflow/app.schema
!sql_table_schema[outbound]: /netflow/app1.schema
sql_optimize_clauses: true
Here is the database rows
ip_dst packs bytes time-inserted time-updated
'', 'X.X.69.105', '', 32, 8662, '2012-11-15 18:30:00', '2012-11-15 18:40:02'
'', 'X.X.69.105', '', 127, 36625, '2012-11-15 12:00:00', '2012-11-15 13:00:02'
'', 'X.X.69.105', '', 122, 35258, '2012-11-15 13:00:00', '2012-11-15 14:00:01'
'', 'X.X.69.105', '', 134, 38194, '2012-11-15 14:00:00', '2012-11-15 15:00:01'
'', 'X.X.69.105', '', 122, 35134, '2012-11-15 15:00:00', '2012-11-15 16:00:02'
'', 'X.X.69.105', '', 131, 38963, '2012-11-15 16:00:00', '2012-11-15 17:00:01'
'', 'X.X.69.105', '', 85, 24814, '2012-11-15 17:00:00', '2012-11-15 17:45:02'
'', 'X.X.69.105', '', 8, 2288, '2012-11-15 17:40:00', '2012-11-15 17:50:02'
'', 'X.X.69.105', '', 104, 29849, '2012-11-15 17:50:00', '2012-11-15 18:00:03'
'', 'X.X.69.105', '', 104, 24938, '2012-11-15 18:00:00', '2012-11-15 18:10:02'
'', 'X.X.69.105', '', 348, 97539, '2012-11-15 18:10:00', '2012-11-15 18:20:03'
'', 'X.X.69.105', '', 58, 14317, '2012-11-15 18:20:00', '2012-11-15 18:30:01'
'', 'X.X.69.105', '', 32, 8662, '2012-11-15 18:30:00', '2012-11-15 18:40:02'
Looking forward to your suggestions. Thanks
Cheers,
Alllen
2012/11/21 Paolo Lucente
> Hi,
>
> Have you tried looking in the original NetFlow packets, ie. with
> tcpdump or wireshark? I can't see pmacct mixing such information.
> Also, destination IP addresses are missing because you did not
> specify any aggregation method in your config, ie. try with:
>
> aggregate: src_host, dst_host
>
> Cheers,
> Paolo
>
> On Fri, Nov 16, 2012 at 09:12:11PM +1100, Wei Wang wrote:
> > Hi all,
> >
> > I was trying to set up the nfacctd from the beginning, but this time, I
> > have a big issue with the ip_dst field in mysql.
> >
> > The ip_dst is all 0s, but the ip_src has some IP addresses which
> > are supposed to be in the ip_dst fields
> >
> > Fields marked by red are ip_dst
> > greens are ip_src
> >
> >
> > '0:0:0:0:0:0', '0:0:0:0:0:0', 'XX.54.67.226', '0.0.0.0', 0, 0, 'ip', 76082, 5755797, '2012-11-16 20:20:00', '2012-11-16 20:25:01'
> > '0:0:0:0:0:0', '0:0:0:0:0:0', 'XX.54.67.5', '0.0.0.0', 0, 0, 'ip', 4463, 2303225, '2012-11-16 20:20:00', '2012-11-16 20:25:01'
> > '0:0:0:0:0:0', '0:0:0:0:0:0', 'XX.54.67.38', '0.0.0.0', 0, 0, 'ip', 6986, 9078272, '2012-11-16 20:20:00', '2012-11-16 20:25:01'
> >
> > Here is my config file:
> >
> > daemonize: true
> > debug: true
> > nfacctd_time_new: true
> > nfacctd_ip: X.X.X.X
> > nfacctd_port: 9990
> > logfile: /netflow/pmacct/logfile/file.log
> >
> > sql_host: localhost
> > sql_user: XXXXX
> > sql_passwd: XXXXX
> > sql_db: pmacct
> > sql_refresh_time: 300
> > sql_history: 10m
> > sql_history_roundoff: m
> >
> > Any suggestions? Thanks
>
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists