Hi,

Great to know it worked. Getting to the accuracy part: one suggestion you received was to enable renormalization - did it not work for you? Are you using sampled NetFlow? The alternative issue could be with the filter itself: if you repeat the big file transfer and try with/without the filter, do you see the traffic being accounted without the filter in place? If yes, can you look in wireshark if flows are VLAN tagged and/or MPLS labeled? In both cases you would need to refine the filter to take this into account; if you are unable to look at this yourself, feel free to send me a brief NetFlow trace privately.

Cheers,
Paolo

On Wed, Nov 21, 2012 at 12:21:34PM +1100, Wei Wang wrote:
> Hi Paolo,
>
> First of all thanks for your help. It works fine now.
>
> I have another problem need to be solved. The amount of data
> which pmacct captured is not matching the actual usage.
>
> They are only quite small packs, maybe the traffic between DNS
> server not all traffic.
>
> I did a test before and here is the details
>
> My config file:
>
> daemonize: true
> debug: true
> nfacctd_time_new: true
> nfacctd_ip: X.X.X.X
> nfacctd_port: 9990
> !logfile: /netflow/pmacct/logfile/file.log
>
> aggregate[inbound]: src_host, dst_host
> !aggregate[outbound]: src_host
>
> aggregate_filter[inbound]: dst net X.X.69.0/24
> !aggregate_filter[outbound]: src net X.X.69.0/24
>
> plugins: mysql[inbound]
>
> sql_table[inbound]: acct_in_%Y_%m
> !sql_table[outbound]: acct_out_%M
>
> sql_host: localhost
> sql_user: XXXXX
> sql_passwd: XXXXX
> sql_db: pmacct
> sql_refresh_time: 300
> sql_history: 1h
> sql_history_roundoff: m
> sql_table_schema[inbound]: /netflow/app.schema
> !sql_table_schema[outbound]: /netflow/app1.schema
> sql_optimize_clauses: true
>
> Here is the database rows
>
> ip_dst packs bytes time-inserted time-updated
> '', 'X.X.69.105', '', 32, 8662, '2012-11-15 18:30:00', '2012-11-15 18:40:02'
> '', 'X.X.69.105', '', 127, 36625, '2012-11-15 12:00:00', '2012-11-15 13:00:02'
> '', 'X.X.69.105', '', 122, 35258, '2012-11-15 13:00:00', '2012-11-15 14:00:01'
> '', 'X.X.69.105', '', 134, 38194, '2012-11-15 14:00:00', '2012-11-15 15:00:01'
> '', 'X.X.69.105', '', 122, 35134, '2012-11-15 15:00:00', '2012-11-15 16:00:02'
> '', 'X.X.69.105', '', 131, 38963, '2012-11-15 16:00:00', '2012-11-15 17:00:01'
> '', 'X.X.69.105', '', 85, 24814, '2012-11-15 17:00:00', '2012-11-15 17:45:02'
> '', 'X.X.69.105', '', 8, 2288, '2012-11-15 17:40:00', '2012-11-15 17:50:02'
> '', 'X.X.69.105', '', 104, 29849, '2012-11-15 17:50:00', '2012-11-15 18:00:03'
> '', 'X.X.69.105', '', 104, 24938, '2012-11-15 18:00:00', '2012-11-15 18:10:02'
> '', 'X.X.69.105', '', 348, 97539, '2012-11-15 18:10:00', '2012-11-15 18:20:03'
> '', 'X.X.69.105', '', 58, 14317, '2012-11-15 18:20:00', '2012-11-15 18:30:01'
> '', 'X.X.69.105', '', 32, 8662, '2012-11-15 18:30:00', '2012-11-15 18:40:02'
>
> Looking forward for your suggestions. Thanks
>
> Cheers,
> Alllen
>
> 2012/11/21 Paolo Lucente
>
> > Hi,
> >
> > Have you tried looking in the original NetFlow packets, ie. with
> > tcpdump or wireshark? I can't see pmacct mixing such information.
> > Also, destination IP addresses are missing because you did not
> > specify any aggregation method in your config, ie. try with:
> >
> > aggregate: src_host, dst_host
> >
> > Cheers,
> > Paolo
> >
> > On Fri, Nov 16, 2012 at 09:12:11PM +1100, Wei Wang wrote:
> > > Hi all,
> > >
> > > I was trying to set up the nfacctd from beginning, but this time, I
> > > have a big issue with the ip_dst field in mysql.
> > >
> > > The ip_dst is all 0s, but the ip_src has some ip address which
> > > supposed to be in the ip_dst fields
> > >
> > > Fields marked by red are ip_dst
> > > greens are ip_src
> > >
> > > '0:0:0:0:0:0', '0:0:0:0:0:0', 'XX.54.67.226', '0.0.0.0', 0, 0, 'ip', 76082, 5755797, '2012-11-16 20:20:00', '2012-11-16 20:25:01'
> > > '0:0:0:0:0:0', '0:0:0:0:0:0', 'XX.54.67.5', '0.0.0.0', 0, 0, 'ip', 4463, 2303225, '2012-11-16 20:20:00', '2012-11-16 20:25:01'
> > > '0:0:0:0:0:0', '0:0:0:0:0:0', 'XX.54.67.38', '0.0.0.0', 0, 0, 'ip', 6986, 9078272, '2012-11-16 20:20:00', '2012-11-16 20:25:01'
> > >
> > > Here is my config file:
> > >
> > > daemonize: true
> > > debug: true
> > > nfacctd_time_new: true
> > > nfacctd_ip: X.X.X.X
> > > nfacctd_port: 9990
> > > logfile: /netflow/pmacct/logfile/file.log
> > >
> > > sql_host: localhost
> > > sql_user: XXXXX
> > > sql_passwd: XXXXX
> > > sql_db: pmacct
> > > sql_refresh_time: 300
> > > sql_history: 10m
> > > sql_history_roundoff: m
> > >
> > > Anyone suggestions? Thanks
> > >
> > > _______________________________________________
> > > pmacct-discussion mailing list
> > > http://www.pmacct.net/#mailinglists
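
Added example (not part of the thread and not pmacct code): a Python check for the "are you using sampled NetFlow?" question, assuming the exporter sends NetFlow v5, which the thread does not state. It reads the sampling field from the v5 header and returns the raw and renormalized byte totals for flows into a destination network; the datagram, the 192.0.2.0/24 network (standing in for the redacted X.X.69.0/24) and the function names are constructed for illustration.

```python
import ipaddress
import struct

# NetFlow v5 layouts (network byte order): 24-byte header, 48-byte flow record.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def account_v5(datagram, dst_net):
    """Return (sampling_interval, raw_bytes, renormalized_bytes) for flows into dst_net."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer records than the header claims")
    interval = sampling & 0x3FFF  # low 14 bits; the top 2 bits carry the sampling mode
    net = ipaddress.ip_network(dst_net)
    raw = 0
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        if ipaddress.ip_address(rec[1]) in net:  # rec[1] = dstaddr
            raw += rec[6]  # rec[6] = dOctets
    # An interval of 0 or 1 means unsampled: the raw counter is already the real total.
    return interval, raw, raw * max(interval, 1)


def build_sample(sampling_field):
    """Constructed datagram: three flows, two of them into 192.0.2.0/24."""
    flows = [("198.51.100.7", "192.0.2.105", 10, 15000),
             ("198.51.100.9", "192.0.2.105", 4, 6000),
             ("198.51.100.7", "203.0.113.20", 2, 3000)]
    packed = lambda ip: ipaddress.ip_address(ip).packed
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, sampling_field)
    records = b"".join(
        V5_RECORD.pack(packed(s), packed(d), bytes(4), 0, 0, pkts, octets,
                       0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, pkts, octets in flows)
    return header + records


if __name__ == "__main__":
    for label, field in (("unsampled", 0), ("1-in-100", (1 << 14) | 100)):
        print(label, account_v5(build_sample(field), "192.0.2.0/24"))
```

With 1-in-100 sampling the stored counters are 100 times smaller than the real transfer unless the collector renormalizes them, which is one way accounted bytes can fall far short of actual usage.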
