[pmacct-discussion] aggregate_filter on DST_AS

2015-04-30 Thread Maxim Rayevskiy
Hi!

I am trying to filter out DST_AS=0 from nfacctd aggregates. And, well, I am 
failing.
I've tried all combinations of the expression on aggregate_filter and they all 
seemed to be ignored.
Here's my current config:

pidfile: /var/run/nfacctd.pid
syslog: daemon
!
! interested in in and outbound traffic
aggregate: src_as,dst_as,as_path,peer_dst_ip,peer_src_ip,src_host,dst_net,dst_mask,src_port,dst_port,proto
pcap_filter: net 0.0.0.0/0
interface: eth0
plugins: memory[out]
aggregate_filter[out]: dst_as not 0

nfacctd_ip: 0.0.0.0
nfacctd_port: 9992
nfacctd_net: netflow

bgp_daemon: true
bgp_daemon_ip: 192.168.142.165
bgp_daemon_max_peers: 100
bgp_agent_map: /etc/pmacct/agent_to_peer.map

And here's what I am getting:

mrayevskiy@pmacct:~$ /usr/bin/pmacct -c dst_as -M 0 -O csv
SRC_AS,DST_AS,AS_PATH,PEER_SRC_IP,PEER_DST_IP,SRC_IP,DST_IP,DST_MASK,SRC_PORT,DST_PORT,PROTOCOL,PACKETS,BYTES
0,0,,91.233.217.254,212.188.23.218,,0.0.0.0,0,0,0,ip,4,240
0,0,,91.233.217.254,0.0.0.0,,0.0.0.0,0,0,0,ip,805,67465
0,0,,91.233.219.254,0.0.0.0,,0.0.0.0,0,0,0,ip,595,113680
0,0,,91.233.217.254,212.188.23.230,,0.0.0.0,0,0,0,ip,69,10393
0,0,,91.233.217.254,10.200.1.84,,0.0.0.0,0,0,0,ip,253222,377639873
0,0,,91.233.219.254,10.200.1.84,,0.0.0.0,0,0,0,ip,2370350,3555193820

I would appreciate some help with this problem.

Maxim Rayevskiy
Senior Manager
ivi.ru online movies
tel.: +7 495 276-06-31 (ext. 206)
cell: +7 964 551 12 43
e-mail: ra...@ivi.ru

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] aggregate_filter on DST_AS

2015-04-30 Thread Paolo Lucente
Hi Maxim,

aggregate_filter expects a filter in libpcap/tcpdump syntax - and
that does not support ASNs. It should be returning an error. 

You should be using pre_tag_map and pre_tag_filter: a pre_tag_map
can contain a line like set_tag=10 ip=0.0.0.0/0 dst_as=0; then
you can filter out those with a pre_tag_filter[plugin]: !10 in
your config. You can check out full syntax and knobs supported by
pre_tag_map in examples/pretag.map.example in the distribution
tarball.

Cheers,
Paolo

On Thu, Apr 30, 2015 at 04:36:04PM +, Maxim Rayevskiy wrote:
> Hi!
>
> I am trying to filter out DST_AS=0 from nfacctd aggregates. And, well, I am
> failing.
> I've tried all combinations of the expression on aggregate_filter and they
> all seemed to be ignored.
> Here's my current config:
>
> pidfile: /var/run/nfacctd.pid
> syslog: daemon
> !
> ! interested in in and outbound traffic
> aggregate: src_as,dst_as,as_path,peer_dst_ip,peer_src_ip,src_host,dst_net,dst_mask,src_port,dst_port,proto
> pcap_filter: net 0.0.0.0/0
> interface: eth0
> plugins: memory[out]
> aggregate_filter[out]: dst_as not 0
>
> nfacctd_ip: 0.0.0.0
> nfacctd_port: 9992
> nfacctd_net: netflow
>
> bgp_daemon: true
> bgp_daemon_ip: 192.168.142.165
> bgp_daemon_max_peers: 100
> bgp_agent_map: /etc/pmacct/agent_to_peer.map
>
> And here's what I am getting:
>
> mrayevskiy@pmacct:~$ /usr/bin/pmacct -c dst_as -M 0 -O csv
> SRC_AS,DST_AS,AS_PATH,PEER_SRC_IP,PEER_DST_IP,SRC_IP,DST_IP,DST_MASK,SRC_PORT,DST_PORT,PROTOCOL,PACKETS,BYTES
> 0,0,,91.233.217.254,212.188.23.218,,0.0.0.0,0,0,0,ip,4,240
> 0,0,,91.233.217.254,0.0.0.0,,0.0.0.0,0,0,0,ip,805,67465
> 0,0,,91.233.219.254,0.0.0.0,,0.0.0.0,0,0,0,ip,595,113680
> 0,0,,91.233.217.254,212.188.23.230,,0.0.0.0,0,0,0,ip,69,10393
> 0,0,,91.233.217.254,10.200.1.84,,0.0.0.0,0,0,0,ip,253222,377639873
> 0,0,,91.233.219.254,10.200.1.84,,0.0.0.0,0,0,0,ip,2370350,3555193820
>
> I would appreciate some help with this problem.
>
> Maxim Rayevskiy
> Senior Manager
> ivi.ru online movies
> tel.: +7 495 276-06-31 (ext. 206)
> cell: +7 964 551 12 43
> e-mail: ra...@ivi.ru
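
The change suggested in the reply above, written out as the two files involved. This is an added example, not part of the original thread or of the pmacct distribution. The map path /etc/pmacct/pretag.map is an assumption; the tag value 10 and the map line come from the reply, and the plugin name `out` comes from the posted config.

```conf
! ---- /etc/pmacct/pretag.map (path is an assumption) ----
! Tag every flow whose destination AS is 0 with tag 10.
! Flows that match no line in the map stay untagged.
set_tag=10 ip=0.0.0.0/0 dst_as=0

! ---- nfacctd.conf: before ----
! aggregate_filter takes libpcap/tcpdump syntax, which has no ASN
! primitive, so this line cannot express the intended filter:
!   aggregate_filter[out]: dst_as not 0

! ---- nfacctd.conf: after ----
plugins: memory[out]
pre_tag_map: /etc/pmacct/pretag.map
! Pass to the "out" plugin only flows that do NOT carry tag 10,
! i.e. drop the DST_AS=0 flows before they are aggregated.
pre_tag_filter[out]: !10
```

The query from the original post, `pmacct -c dst_as -M 0 -O csv`, is a direct check after restarting the daemon: with the filter in effect it should no longer return the DST_AS=0 rows.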
 



Re: [pmacct-discussion] print plugin and swap usage

2015-04-30 Thread Paolo Lucente
Hi Pavel,

Can we follow up privately for some further investigation? I'd
start with a memory profile, i.e. collect every few secs/minute
memory usage of every pmacct process, to determine how memory
utilization changes over time - and where that leads to. In
general I would say: if you keep the daemon running for, say, 24
hours and memory keeps increasing steadily then we have a good
lead towards what looks like a memory leak or so.

Cheers,
Paolo  

On Tue, Apr 21, 2015 at 05:05:56PM +0200, Pavel Dimow wrote:
> Hello,
>
> I have configured nfacctd to capture cisco nel export from ASR 1000 and
> save to file every minute via print plugin.
> Everything works fine for now but I have some doubts about memory usage. For
> example when I first start the nfacctd
> the amount of allocated memory is about 19.8% (print_cache_entries[nat]:
> 50) but after some time the amount of
> used memory begins to decline and the usage of swap is going up. Right now
> for example the amount of used memory
> is 7.3% (from 19.8) while VmSwap is 1010828 kB (from 0) and it's solely
> used by nfacctd Print Plugin [nat]
>
> Is this some kind of expected behavior or bug? The more scary thing about
> this is that I am not sure if I have all entries
> for NEL printed in file or there are some missed ones.
