Hello Paolo, thank you, see inline
On 05/09/2013 01:03 AM, Paolo Lucente wrote: > Hi Vito, > > Inline: > > On Wed, May 08, 2013 at 06:50:43PM +0200, [email protected] wrote: > >> [ .. ] >> >> 1) is possible to have a roundoff value as milliseconds? > Can you elaborate on this? sql_history (temporal aggregation feature) stops > to seconds resolution. You looking for sub-second temporal aggregation? yes, but thinking more about this I guess a second aggregation period should be enough >> 2) it is possible to aggregate the rows belonging to the same long >> connections, is there any timeout I can use? > You have setup sql_history (temporal aggregation) to 1 hour: you mean to > aggregate together rows belonging to long connections that last more than > one hour? This is an heritage from the netflow aggregation staff. I've read again the docs about pmacct I think I've understood the point. So now, my concerns are about multiple connection with the same key that I've reduced to PRIMARY KEY (vlan, ip_src, ip_dst, src_port, dst_port, ip_proto) what happens if two connections with the same key set are opened in the same sql_hystory period? >> 3) why the ip_proto fields is always empty? > All seems good with your configuration. It should just work. Can you spot > any complains when you start pmacctd up or by checking logs? If neither of > these give any clue, since you are capturing over a bridge (which means > bridged interface, ie. br0 or so?) can you send over a brief capture in > libpcap/tcpdump format so to double-check this out? I don't know how but this morning those rows contain the correct ip_proto values filled in >> 4) there is a way to fill -1 in the valn fields when a untagged packet >> is found? > No. Is there a specific reason against a value of zero to designate an > untagged packet? You can post-process yourself the table rewriting zeroes > to -1 with a simple SQL query. >From the Wiki page it appears to be that VLAN_ID=0 is a valid value for tagged ethernet packet. see http://en.wikipedia.org/wiki/IEEE_802.1Q#Frame_format """ /VLAN Identifier (VID)/: a 12-bit field specifying the VLAN to which the frame belongs. The hexadecimal values of 0x000 and 0xFFF are reserved. All other values may be used as VLAN identifiers, allowing up to 4,094 VLANs. The reserved value 0x000 indicates that the frame does not belong to any VLAN; in this case, the 802.1Q tag specifies only a priority and is referred to as a /priority tag/. On bridges, VLAN 1 (the default VLAN ID) is often reserved for a management VLAN; this is vendor-specific. """ In this case the frame has the /TPID /fields in place of the/ETH TYPE/. any thoughts about? > >> 5) is possible to remove the packets and bytes fields from the DB schema? > No. Since pmacct is an IP accounting application this is not generally > possible. More recently, 0.14.3, these fields can be removed in order to > log down events, ie. Cisco NEL. What is the use-case for this request? I need to know just the connections between peers and I don't care about the packets/bytes sent I would remove these informations thinking about performance implications. But before doing this kind of premature optimizations I will conduct some measurements on the traffic. >> 6) can you suggest me keys to improve general performances > I'd say the keys are specific to the most popular queries you want to run > against the dataset - maybe you can elaborate on what you are trying to > accomplish. I ment about pmacct config keys, like the ones related to the plugin buffer size, etc Last thing, is it possible to write in the DB the timestamp as integer? thank you a lot vito > Cheers, > Paolo > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists > >
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
