Hey, I would experiment setting different nfprobe_engine (e.g. 10:1 and 10:2) for each of the pmacct instances and probably fiddle with the general timeout (which is 3600) to something lower.
On Fri, 14 Dec 2018 15:02:35 +0200 Edvinas K <[email protected]> wrote: > Thanks, i really appreciate your help. > > Everything seems working OK, on NFSEN (NFDUMP) graphs of flows > statistics looks good, but the traffic rate Mb/s (45 Mb/s) is somehow > 10x lower than really is. Maybe some tips to troubleshoot that ? > > [image: image.png] > > Is there any hidden things to check about ? > > My config: > > 1050 pmacctd -i ens1f0.432 -f flowexport.cfg > 1051 pmacctd -i ens1f1.433 -f flowexport.cfg > > cat flowexport.cfg > ! > daemonize: true > aggregate: src_host, dst_host, src_port, dst_port, proto, tos > plugins: nfprobe > nfprobe_receiver: 10.3.14.101:2101 > nfprobe_version: 9 > ! nfprobe_engine: 1:1 > ! nfprobe_timeouts: tcp=120:maxlife=3600 > ! > ! networks_file: /path/to/networks.lst > > On Thu, Dec 13, 2018 at 4:32 AM Paolo Lucente <[email protected]> > wrote: > > > > > Hi Nikola, > > > > I see, makes sense. Thanks very much for clarifying. > > > > Paolo > > > > On Wed, Dec 12, 2018 at 06:20:58PM -0800, Nikola Kolev wrote: > > > Hi Paollo, > > > > > > Sorry for being cryptic - what I meant was that I wasn't able to > > > launch pmacctd/uacctd in a way that it deals with dynamic > > > interfaces as ppp. Basically I failed to find any reference in > > > the docs on how to make it run in such a way, that it collects > > > info from ppp* (a-la the ppp+ syntax of iptables), without > > > launching a separate pmacctd instance for each interface, hence > > > the complicated setup with iptables-nflog-uacctd-nfdump. > > > > > > On Thu, 13 Dec 2018 01:35:00 +0000 > > > Paolo Lucente <[email protected]> wrote: > > > > > > > > > > > Hi Nikola, > > > > > > > > Can you please elaborate a bit more? The cryptic part for me is > > > > "as nfacctd is not supporting wildcard addresses to be bound > > > > to". > > > > > > > > Thanks, > > > > Paolo > > > > > > > > On Wed, Dec 12, 2018 at 04:50:33PM -0800, Nikola Kolev wrote: > > > > > Hey, > > > > > > > > > > If I may add to that: > > > > > > > > > > I'm doing something similar, but in a slightly different > > > > > manner: > > > > > > > > > > as nfacctd is not supporting wildcard addresses to be bound > > > > > to, I'm using iptables' rules to export via nflog to uacctd, > > > > > which then can send to nfdump. Just food for thought... > > > > > > > > > > On 2018-12-12 14:58, Paolo Lucente wrote: > > > > > >Hi Edvinas, > > > > > > > > > > > >You are looking for the nfprobe plugin. You can follow the > > > > > >relevant section in the QUICKSTART to get going: > > > > > > > > > > > >https://github.com/pmacct/pmacct/blob/1.7.2/QUICKSTART#L1167-#L1302 > > > > > > > > > > > >Paolo > > > > > > > > > > > >On Wed, Dec 12, 2018 at 03:12:39PM +0200, Edvinas K wrote: > > > > > >>Hello, > > > > > >> > > > > > >>I managed to run basic pmacct to capture linux router (FRR) > > > > > >>flows from libcap: > > > > > >>"pmacctd -P print -O formatted -r 10 -i bond0.2170 -c > > > > > >>src_host,dst_host,src_port,dst_port,proto" > > > > > >> > > > > > >>now I need to push all the flows as a netflow format to the > > > > > >>netflow collector (nfdump). Could you give me some advice > > > > > >>how to configure that ? > > > > > >>Thank you > > > > > > > > > > > >>_______________________________________________ > > > > > >>pmacct-discussion mailing list > > > > > >>http://www.pmacct.net/#mailinglists > > > > > > > > > > > > > > > > > >_______________________________________________ > > > > > >pmacct-discussion mailing list > > > > > >http://www.pmacct.net/#mailinglists > > > > > > > > > > -- > > > > > Nikola > > > > > > > > > -- > > > Nikola > > > > _______________________________________________ > > pmacct-discussion mailing list > > http://www.pmacct.net/#mailinglists > > -- Nikola Kolev _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
