Hi Steve, This is because the default maximum size of a NetFlow v9/IPFIX packet is set to 512 bytes - in order to be reasonably safe wrt MTU and not enter PMTU stuff. Currently the default value cannot be changed but adding a config option to do so is very easy. You can check what would happen if this would be redefined to a higher value by changing this line (and recompiling the source):
https://github.com/pmacct/pmacct/blob/master/src/nfprobe_plugin/netflow9.c#L195 Keep me posted if you find the above satisfactory and we can certainly add the knob to modify the value via config. Also, NetFlow v5 export should not be suffering from this and, given your 'aggregate', switching to that could be an option too - at least, again, given your current config. Paolo On Wed, Jan 17, 2018 at 09:35:39AM -0500, Stephen Clark wrote: > Hi Paolo, > > Sorry for sending previous email directly to you - pmacct version is 1.62 > > We had been using fprobe to capture netflow data. The packets fprobe emitted > usually were 1464 bytes. > > When we switched to using pmacct with the config below most of the packets > are less > than 500 bytes. Is there something we can configure to make the packets > larger so > there is less inefficiencies in transmission. > > > > debug: false > pidfile: /var/run/pmacctd.pid > syslog: daemon > daemonize: true > interface: eth0 > aggregate: src_host, dst_host, src_port, dst_port, proto, tos > plugins: nfprobe[eth0] > !aggregate_filter[eth0]: not host $IP > !plugin_buffer_size: 10240 > !plugin_pipe_size: 819200000 > nfprobe_receiver: 67.109.163.27:2055 > nfprobe_version: 9 > nfprobe_direction[eth0]: in > nfprobe_ifindex[eth0]: 2 > !pre_tag_map: /etc/pmacct_netwolves/pretag.map > !nfprobe_timeouts: > expint=5:general=60:tcp=60:tcp.rst=60:tcp.fin=60:udp=60:maxlife=60 > ! > ! networks_file: /path/to/networks.lst > ! classifiers: /path/to/classifiers/ > ! snaplen: 1500 > > > *tcpdump of packets emitted by fprobe:** > * > 08:39:24.052173 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:24.062333 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.009242 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.009335 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.009442 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.009525 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.009592 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.009680 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.019814 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > 08:39:29.019907 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464 > > > *tcpdump of packets from pmacct:* > > 08:43:22.032873 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368 > 08:43:22.046400 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.050473 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.055756 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.059596 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.063091 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.074011 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252 > 08:43:22.079973 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480 > 08:43:22.080027 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480 > 08:43:22.080079 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480 > 08:43:22.080122 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424 > 08:43:22.080236 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424 > 08:43:22.080340 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 292 > 08:43:22.084008 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480 > 08:43:22.084070 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.103153 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.106394 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.109548 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.112884 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.118893 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.122268 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.125993 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252 > 08:43:22.129375 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252 > 08:43:22.133180 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368 > 08:43:22.137965 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.144987 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140 > 08:43:22.154058 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252 > > > Regards, > Steve > > -- > > "They that give up essential liberty to obtain temporary safety, > deserve neither liberty nor safety." (Ben Franklin) > > "The course of history shows that as a government grows, liberty > decreases." (Thomas Jefferson) > > "Beer is proof God loves us and wants us to be happy!" (Ben Franklin) > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
