[pmacct-discussion] netflow packet size

Stephen Clark Wed, 17 Jan 2018 06:39:42 -0800

Hi Paolo,

Sorry for sending previous email directly to you - pmacct version is 1.62


We had been using fprobe to capture netflow data. The packets fprobe emitted
usually were 1464 bytes.

When we switched to using pmacct with the config below most of the packets are 
less
than 500 bytes. Is there something we can configure to make the packets larger 
so
there is less inefficiencies in transmission.



debug: false
pidfile: /var/run/pmacctd.pid
syslog: daemon
daemonize: true
interface: eth0
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe[eth0]
!aggregate_filter[eth0]: not host $IP
!plugin_buffer_size: 10240
!plugin_pipe_size: 819200000
nfprobe_receiver: 67.109.163.27:2055
nfprobe_version: 9
nfprobe_direction[eth0]: in
nfprobe_ifindex[eth0]: 2
!pre_tag_map: /etc/pmacct_netwolves/pretag.map
!nfprobe_timeouts:
expint=5:general=60:tcp=60:tcp.rst=60:tcp.fin=60:udp=60:maxlife=60
!
! networks_file: /path/to/networks.lst
! classifiers: /path/to/classifiers/
! snaplen: 1500


*tcpdump of packets emitted by fprobe:**
*
08:39:24.052173 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:24.062333 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009242 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009335 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009442 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009525 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009592 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009680 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.019814 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.019907 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464


*tcpdump of packets from pmacct:*

08:43:22.032873 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368
08:43:22.046400 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.050473 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.055756 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.059596 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.063091 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.074011 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
08:43:22.079973 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.080027 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.080079 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.080122 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424
08:43:22.080236 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424
08:43:22.080340 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 292
08:43:22.084008 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.084070 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.103153 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.106394 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.109548 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.112884 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.118893 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.122268 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.125993 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
08:43:22.129375 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
08:43:22.133180 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368
08:43:22.137965 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.144987 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.154058 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252


Regards,
Steve

-- 

"They that give up essential liberty to obtain temporary safety, 
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty 
decreases."  (Thomas Jefferson)

"Beer is proof God loves us and wants us to be happy!" (Ben Franklin)

signature.asc
Description: OpenPGP digital signature

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

[pmacct-discussion] netflow packet size

Reply via email to