[pmacct-discussion] pmacct count only 5% of SYN packets.
Hello.

I'm running Debian with a vanilla 2.6.32 kernel. I've compiled pmacct 0.11.6 with pf_ring (transparent mode 1). Packets pass through a bridge of 2 interfaces, one interface in promisc mode (both interfaces are Intel 82576, NAPI, LRO, RSS). Load on this bridge is 800 Mbps and 100 kpps (90% idle on each of 8 cores). I'm using pmacct to count traffic through the bridge.

I've noticed that the SNMP data and pmacct's data are the same (99% similar in MB). But if I use tcpflags in aggregation (src_host, dst_host, dst_port, proto, tcpflags), I see (comparing pmacct's data on the bridge with tcpdump on the packet's destination host) that only 5% of packets with flag 2 (SYN) are counted.

What could be the problem?

--
WBR Yavetskiy Yuriy
ULTI-RIPE

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Re: [pmacct-discussion] pre_tag_map issue + questions
Hi Zenon,

On Mon, Feb 08, 2010 at 02:43:49PM +0200, Zenon Mousmoulas wrote:
> > records. If it's in there, then I'd like to give it a look myself: I would ask you to produce a trace and send it to me privately so that I can have a look. We can then summarize findings here.
> OK. I will send you the capture privately.

It turned out to be another bug related to 4-byte ifIndex values exported via NetFlow v9. The fix is already committed to the CVS. Thanks for your cooperation on this.

Cheers,
Paolo
Re: [pmacct-discussion] pmacct count only 5% of SYN packets.
Hi Yuriy,

You also have other means to get a count of the TCP/SYN packets out of pmacct. I would suggest one for troubleshooting purposes, with the goal of checking where the issue lies:

* keep the 'tcpflags' primitive out of the 'aggregate' directive
* add a 'pcap_filter' directive to the config; it supports filters in tcpdump syntax and you can feed it with the same filter you use in tcpdump to count TCP/SYN packets.

I would like to know if counting TCP/SYN packets this way makes pmacct match the numbers you get out of tcpdump. Btw, if you like this strategy instead of resorting to tcpflags, it can be refined so as to make it co-exist with other things you might want to do with the tool (i.e. by using tagging or replacing the 'pcap_filter' with an 'aggregate_filter').

Cheers,
Paolo

On Tue, Feb 09, 2010 at 12:39:52PM +0200, Yavetskiy Yuriy wrote:
> [ ... ]
[pmacct-discussion] Missing information in mysql table
Hi,

In the logfile I see this:

Feb 9 16:47:46 oam02 sfacctd[14477]: DEBUG ( default/mysql ): INSERT INTO `acct_v5_06` (stamp_updated, stamp_inserted, vlan, src_port, dst_port, tos, ip_proto, agent_id, class_id, mac_src, mac_dst, ip_src, ip_dst, packets, bytes, flows) VALUES (FROM_UNIXTIME(1265730466), FROM_UNIXTIME(1265730300), 200, 6007, 54654, 104, 'ip', 0, 'unknown', '0:0:0:0:0:0', '0:0:0:0:0:0', '0.0.0.0', '0.0.0.0', 1, 242, 0)

As you can see, a lot of fields are inserted with null values. This is my config:

debug: true
daemonize: true
plugins: mysql
aggregate: vlan,tos
nfacctd_port: 6343
sql_refresh_time: 120
sql_history: 5m
sql_history_roundoff: mhd
sql_table_version: 5
sql_passwd: sflow
sql_table: acct_v5_%W
sql_table_schema: /var/lib/pmacct/mysql_v5.schema
syslog: local0
!

Here is sample output from my mysql.

mysql> select * from acct_v5_06 limit 10;
+----------+----------+-------------+-------------+------+---------+---------+----------+----------+----------+-----+---------+-------+-------+---------------------+---------------------+
| agent_id | class_id | mac_src     | mac_dst     | vlan | ip_src  | ip_dst  | src_port | dst_port | ip_proto | tos | packets | bytes | flows | stamp_inserted      | stamp_updated       |
+----------+----------+-------------+-------------+------+---------+---------+----------+----------+----------+-----+---------+-------+-------+---------------------+---------------------+
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 104 | 67      | 36641 | 0     | 2010-02-09 15:25:00 | 2010-02-09 15:30:01 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 252 | 2       | 228   | 0     | 2010-02-09 15:25:00 | 2010-02-09 15:30:01 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 0   | 7       | 693   | 0     | 2010-02-09 15:25:00 | 2010-02-09 15:30:01 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 104 | 10      | 5740  | 0     | 2010-02-09 15:30:00 | 2010-02-09 15:32:02 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 0   | 10      | 990   | 0     | 2010-02-09 15:30:00 | 2010-02-09 15:36:03 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 100  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 104 | 5       | 430   | 0     | 2010-02-09 15:30:00 | 2010-02-09 15:36:03 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 100  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 0   | 1       | 68    | 0     | 2010-02-09 15:35:00 | 2010-02-09 15:36:03 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 100  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 104 | 2       | 172   | 0     | 2010-02-09 15:35:00 | 2010-02-09 15:38:02 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 0   | 7       | 662   | 0     | 2010-02-09 15:35:00 | 2010-02-09 15:40:01 |
| 0        | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200  | 0.0.0.0 | 0.0.0.0 | 0        | 0        | ip       | 104 | 39      | 17610 | 0     | 2010-02-09 15:35:00 | 2010-02-09 15:40:01 |
+----------+----------+-------------+-------------+------+---------+---------+----------+----------+----------+-----+---------+-------+-------+---------------------+---------------------+

I probably have missed something in my config, but I can't find what. I also need help understanding the TOS values. What is tos 67? In VLAN 200 I should only see DSCP AF31 and DSCP 47.

I'm also including a capture of sflow packets (sflow.cap).

//Regards
Jonas
Re: [pmacct-discussion] Missing information in mysql table
Hi Jonas,

On Tue, Feb 09, 2010 at 04:55:52PM +0100, Jonas Nylund wrote:
> [ ... ]
> mysql> select * from acct_v5_06 limit 10;
> | agent_id | class_id | mac_src | mac_dst | vlan | ip_src | ip_dst | src_port | dst_port | ip_proto | tos | packets | bytes | flows | stamp_inserted | stamp_updated |
> | 0 | unknown | 0:0:0:0:0:0 | 0:0:0:0:0:0 | 200 | 0.0.0.0 | 0.0.0.0 | 0 | 0 | ip | 104 | 67 | 36641 | 0 |
> [ ... ]
> I probably have missed something in my config, but I can't find what. I also need help understanding the TOS values. What is tos 67? In VLAN 200 I should only see DSCP AF31 and DSCP 47.

I see 67 appearing in the 'packets' field. TOS appears to be 104, which should match your expectation of seeing DSCP AF31 populating such a field.

Cheers,
Paolo
Re: [pmacct-discussion] Enterasys nfacctd expecting flow error
Paolo has provided the answer below.

How does sequencing work in NetFlow? Imagine you start from 0; imagine that you can pack a maximum of 30 flows within a NetFlow datagram: with 30 flows packed, the datagram is very close to 1500 bytes. The exact number of flows packed in a datagram depends on the traffic conditions. Now, the sequence number is incremented by the number of flows within a NetFlow datagram, i.e. packet 1 comes with seq 0 and 30 flows inside; packet 2 comes with seq 30 and, say, 25 flows inside; packet 3 comes with seq 55 and X flows inside; and so on.

What is the problem? Enterasys increments the sequence number by 30 statically, regardless of how many flows are packed inside a NetFlow datagram. Hence, every time there are fewer, you get pmacct complaining about sequencing. The good news is: you are not losing any data, and sequencing checks can be disabled in pmacct.

----- Original Message -----
From: Paolo Lucente pa...@pmacct.net
To: pmacct-discussion@pmacct.net
Sent: Fri, January 15, 2010 3:22:42 AM
Subject: Re: [pmacct-discussion] Enterasys nfacctd expecting flow error

Hi Marc,

I would ask you if you can send me privately a packet capture (in tcpdump format, full payload) so that I can have a look into it and possibly replay it in the lab. This should very well give an insight into the sequence jumps, and might also give a hint why not all the traffic is accounted for, i.e. if there is a cause-effect relationship between the two. Let me know if this is acceptable to you.

Cheers,
Paolo

On Thu, Jan 14, 2010 at 02:54:55PM -0800, marc slice wrote:
> They appear frequently, every 10-15 secs. We have between 25-80 Mbps running across the interfaces recording netflow data on the Enterasys throughout the day. Not all the traffic is getting recorded when compared to port statistics. No real pattern that we have found. We have 1 Gbps connections from the Enterasys to the collector, and the collector is an HP 2 CPU Opteron box with 8 GB of memory. CPU is seeing very little use at all times.
>
> ----- Original Message -----
> From: Paolo Lucente pa...@pmacct.net
> To: pmacct-discussion@pmacct.net
> Sent: Wed, January 13, 2010 3:33:36 PM
> Subject: Re: [pmacct-discussion] Enterasys nfacctd expecting flow error
>
> Hi Marc,
>
> Such messages tell that some issues with NetFlow datagram sequence numbers have been detected. This can be caused by packet loss between an agent and the collector, or mistakes in the sequencing encoding, among others. Besides the warning messages, which can be turned off, NetFlow datagrams reaching pmacct are processed as usual.
>
> Do you see such messages appearing regularly or occasionally? Can you spot a pattern (i.e. only a subset of the devices are affected, jumps repeat the same way, etc.)?
>
> Cheers,
> Paolo
>
> On Wed, Jan 13, 2010 at 11:52:07AM -0800, marc slice wrote:
> > I have set up netflow from an Enterasys N series switch and receive the following when running nfacctd.
> >
> > WARN: expecting flow '2727940030' but received '2727940026' collector=0.0.0.0:2055 agent=172.16.32.2:513
> > WARN: expecting flow '11226450' but received '11226438' collector=0.0.0.0:2055 agent=172.16.32.2:769
> > WARN: expecting flow '2727940052' but received '2727940056' collector=0.0.0.0:2055 agent=172.16.32.2:513
> > WARN: expecting flow '11226456' but received '11226468' collector=0.0.0.0:2055 agent=172.16.32.2:769
> > WARN: expecting flow '2727952866' but received '2727952852' collector=0.0.0.0:2055 agent=172.16.32.2:513
> > WARN: expecting flow '11226618' but received '11226617' collector=0.0.0.0:2055 agent=172.16.32.2:769
> > WARN: expecting flow '2727952868' but received '2727952882' collector=0.0.0.0:2055 agent=172.16.32.2:513
> >
> > Couldn't find much info on this problem and was wondering if someone could help?
> > [ ... ]
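A small model of the sequencing rule Paolo describes above, added here as an illustration and not code from pmacct or from anyone in the thread. It assumes the rule as stated (next expected seq = previous seq + flows carried) and constructs sample datagrams for a standards-following exporter and for one that always steps by 30, showing why the second trips "expecting flow" warnings while delivering every flow.

```python
"""Model of the NetFlow sequence check described in the thread.

Added example, not pmacct code. It reproduces the rule from the thread:
the expected sequence number of the next datagram is the previous
sequence number plus the number of flows the previous datagram carried.
Sample datagrams below are constructed, not captured.
"""
from typing import List, Tuple

Datagram = Tuple[int, int]  # (sequence number, flows carried)


def check_sequence(datagrams: List[Datagram]) -> List[str]:
    """Return one warning per datagram whose seq differs from the value
    the previous datagram implied, in the thread's message format.
    Flows are counted regardless; the check only reports the mismatch."""
    warnings = []
    expected = None
    for seq, nflows in datagrams:
        if expected is not None and seq != expected:
            warnings.append(f"expecting flow '{expected}' but received '{seq}'")
        expected = seq + nflows
    return warnings


def flows_received(datagrams: List[Datagram]) -> int:
    """Total flows delivered, to show no data is lost either way."""
    return sum(nflows for _, nflows in datagrams)


def flow_count_exporter(flow_counts: List[int]) -> List[Datagram]:
    """Exporter that adds the real flow count (the NetFlow rule)."""
    out, seq = [], 0
    for n in flow_counts:
        out.append((seq, n))
        seq += n
    return out


def static_step_exporter(flow_counts: List[int], step: int = 30) -> List[Datagram]:
    """Exporter that always adds `step`, whatever it actually packed
    (the Enterasys behaviour described in the thread)."""
    return [(i * step, n) for i, n in enumerate(flow_counts)]


# Constructed sample: first datagram full (30 flows), later ones not.
FLOWS_PER_DATAGRAM = [30, 25, 28, 30]

if __name__ == "__main__":
    print(check_sequence(flow_count_exporter(FLOWS_PER_DATAGRAM)))   # []
    for w in check_sequence(static_step_exporter(FLOWS_PER_DATAGRAM)):
        print("WARN:", w)
    print(flows_received(static_step_exporter(FLOWS_PER_DATAGRAM)))  # 113
```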