Hi all,

We've were experimenting with pmacctd/nfacctd-based IP traffic
accounting recently, and have faced some issues with handling small
packet floods by pmacctd/nfacctd in our setup.

Would be great if someone here could suggest us how we could overcome them.

Our goal was actually to precisely account the amount of traffic being
sent to and from each IP used by a set of "client" hosts sitting
behind the "router" host, which routes traffic to/from them.
In our test setup the pmacctd was running on that "router" host,
sniffing on its outbound interface, and then sending the netflow data
to the nfacctd running on a "collector" host.

So we've experienced two main problems when some "client" host started
to flood some small, e.g. tcp syn flood (this does not have to be
exactly tcp syn flood however, e.g. flooding small udp packets each
using different source port would work as well):

1. top reported ~50% cpu utilization of pmacctd processes, and started
reporting packet drops (dropped_packets value reported by SIGUSR1

2. pmacctd started producing significant amount of netflow traffic,
which was eventually dropped by the nfacctd on the "collector" host
(netstat -su reporting the increasing number of udp receive buffer
errors, while increasing the nfacctd_pipe_size to 2097152 made the
situation better, but still did not make the drops go away

Both of the above (apparently) resulted in decrease in preciseness of
our traffic measurements.

Had someone else here experienced similar issues, and/or could perhaps
suggest some ways of overcoming them?
Perhaps given that we do not need the information on each an every
"flow", but rather just the precise info on overall packets/bytes
being sent to/from a specific IP, it might be possible to adjust our
setup to tolerate such flooding?


pmacct-discussion mailing list

Reply via email to