:25AM -0800, Aaron Finney wrote:
> Hi Paolo,
>
> It's version 1.6.1:
>
> NetFlow Accounting Daemon, nfacctd 1.6.1 (20161001-00+c5).
>
> Thanks,
>
> Aaron
>
>
>
> On Sat, Jan 21, 2017 at 3:57 AM, Paolo Lucente <pa...@pmacct.net> wrote:
>
> >
Hi Aaron,
Interesting. Can you say what version is this? And if anything before
1.6.1 or (much preferably) master code on GitHub - can you please try
and confirm you experience the same with any of these?
Paolo
On Fri, Jan 20, 2017 at 07:03:15PM -0800, Aaron Finney wrote:
> Hello all,
>
> I
> enterprise: 43874 is not recognized.
> I'm unable to trace where this "43874" comes from...
>
> Regards,
> Cédric
>
>
> On 29/12/2016 at 12:38, Paolo Lucente wrote:
> >Hi Cedric,
> >
> >While i can't say it's the very same issue, it seems related to
.1 ip=0.0.0.0/0 filter='ip6 or (vlan and ip6)'
>
> Now I've done the necessary configuration changes, this solution
> will be fine for my environment.
>
> Thanks for looking into this for me,
>
> Charlie
>
>
>
> On 04/01/17 11:33, Paolo Lucente wrote:
>
+1 on this.
On Thu, Jan 05, 2017 at 10:10:40AM +, Charlie Smurthwaite wrote:
> On 05/01/17 09:57, Yann Belin wrote:
> >the collectors have to store
> >(temporarily) their data locally. A central side would then gather
> >data from the different locations, and store that data in a DBMS
>
e is any way to
> >combine the sessions.
> >
> >I could resolve this by changing the router IDs to be different
> >between v4 and v6, but I'd hoped this would not be necessary and I
> >could match on the peer IP address instead.
> >
> >Charlie
> >
> It seems that something isn't quite right with matching "bgp_id=::1"
> against the session originating from ::1. Would you mind seeing if
> you can reproduce this?
>
> Thanks!
>
> Charlie
>
>
> On 31/12/16 11:34, Paolo Lucente
Hi Charlie,
Definitely a bug, yes. Thanks for your report. This is now fixed:
https://github.com/pmacct/pmacct/commit/ab7d675f1eaa90f753327a07c0184247f5f0517c
Cheers,
Paolo
On Fri, Dec 30, 2016 at 11:37:31PM +, Charlie Smurthwaite wrote:
> Hi,
>
> I am running pmacctd with 2 BGP sessions
Hi Zoubeir,
Unfortunately no, labels are not supported for the IMT plugin.
Cheers,
Paolo
On Fri, Dec 23, 2016 at 03:21:34PM +0100, Zoubeir Zarrouk wrote:
> Hello,
>
> I am actually using pmacct memory and using set_tag and if_index to
> identify the internet gateway in pretag.map file. Since,
Hi Yann,
You remember i was saying of the current limitations of the
aggregate_primitives framework. That's it: you can add key primitives
to the aggregation method but you can't add non-key ones on which, for
example, you want to perform operations (ie. sum like in the case of
bytes and
Hi Yann,
You should use the 'class' aggregation primitive for that - or are you
already doing so and it's not working? To your other question: yes, you
can extend, within some limits, the set of natively supported primitives
with custom ones: please look at the aggregate_primitives framework (in
(either v4 or v6, that is, not both) for BGP and travel ipv4/ipv6 AFs
(along with any other AF you may need) in that same transport.
Cheers,
Paolo
On Wed, Dec 07, 2016 at 09:53:54PM +0100, Fabien VINCENT wrote:
> Hi Paolo,
>
> On 2016-12-07 17:54, Paolo Lucente wrote:
> >Hi Fab
Hi Fabien,
One step back on your question: you refer to the flow records or to the
transport protocol here? You can travel v4 and v6 records within the
same, say, v4 NetFlow/IPFIX/sFlow transport. This is what all exporters
basically do; are you working with an exporter that is behaving in a
OT NULL,
> dst_port INT(2) UNSIGNED NOT NULL,
> ip_proto CHAR(6) NOT NULL,
> packets INT UNSIGNED NOT NULL,
> bytes BIGINT UNSIGNED NOT NULL,
> flows INT UNSIGNED NOT NULL,
> stamp_inserted DATETIME NOT NULL,
> stamp_updated DATETIME,
> PRIMARY K
I also notice performance issues when dumping the table. Today i have 42 k
> mpls vpn v4 routes but it only dumps 32k
> Do u want me to create another issue?
> BR
> Al
>
> On Dec 2, 2016 18:50, "Paolo Lucente" <pa...@pmacct.net> wrote:
>
> >
> >
Hi Sergey,
I guess what you need is to refine your bgp_agent_map as follows:
bgp_ip=176.**.**.252 ip=0.0.0.0/0 filter='ip'
bgp_ip=2001:**:**:1::11 ip=0.0.0.0/0 filter='ip6'
Let me know if this works for you.
Cheers,
Paolo
On Fri, Dec 02, 2016 at 08:09:07PM +0200,
Hi Jaroslav,
Unfortunately not as they are integral part of the sql_history feature
(which you need to populate the time-related variables of the tables).
As an alternative, only for the 'all' tables where you have the other
timestamps, you may disable sql_history and write to a fixed, say,
sql_history: 5m
> sql_history: 1m
> sql_history_roundoff: m
> sql_preprocess: fsrc=2
> sql_locking_style: row
> sql_cache_entries: 800011
>
> imt_buckets: 65537
> imt_mem_pools_size: 1024000
>
> nfacctd_port: 2055
>
> Thanks for your support.
>
> Steve
>
nything in our configuration
> >>that I could adjust to mitigate the situation.
> >>
> >>We never reach 10 sql writers.
> >>
> >>Would increasing any of these help?
> >> sql_refresh_time: 60
> >>sql_optimize_clauses: true
>
Ciao Lorenzo,
Can you show your configure line and any environment variables you may
have set? It all points to an incorrect setting of RABBITMQ_LIBS, like
you did leave a space between -L and its value whereas it should be set
like:
RABBITMQ_LIBS="-L/var/lib/rabbitmq/lib"
Cheers,
Paolo
On
Hi Steve,
You are experiencing a few connected problems, i guess. The root issue
should be that the PostgreSQL database is not coping with the insert or
update rate and/or with the size of the dataset.
The list of plugins you see there are, in fact, all DB writers. They are
queued up, waiting
Hi Steve,
This is the same issue as described here:
https://github.com/pmacct/pmacct/issues/40
See the wontfix flag, i'm unable to reproduce the issue. If you solve it
yourself, please contribute a patch. I'd be fully to look into it for
you but it smells i need (unprivileged) access to the
Hi Robert,
If using NetFlow v9/IPFIX, it is normal that until the next template
comes in, you get discards. Changing plugins is not related to what you
are experiencing. Either it's all good or it's something pre-existing.
Cheers,
Paolo
On Tue, Nov 08, 2016 at 01:41:01PM -0600, Robert Juric
Hi Stephen,
If you do not filter over tags, ie. pre_tag_filter is not part of your
config, then all will make to the database and those packets coming from
a unit not in pretag.map will have a tag of zero. In other words both
behaviours are possible (all make to the DB or filter things you are
Hi Cameron,
Is it possible you restarted pmacct using pmacctd instead of nfacctd?
Your description of what is happening would match 100% with that.
Cheers,
Paolo
On Tue, Nov 08, 2016 at 01:53:59PM +1000, Cameron Murray wrote:
> Further to this it does appear that it is only recordings data
Hi Cedric,
0x3FFF (1073741823) is used to indicate packets that never enter or
exit the probe, ie. originated from or delivered to it. This is not
necessarily true since you use pmacctd and miss sfprobe_direction and
sfprobe_ifindex as part of your config. Please look at QUICKSTART doc
Hi Hiep,
sum_port may somehow come to the rescue but ymmv with it; it may very
well start doing sums for all ports, ie. 18051, 55932, 55933, etc. So
18051 will contain your 8 packets but then, unless port 18051 is
meaningful to you, so that you can trash all the rest (on query), it may
lead to
Hi Bryan,
More than a plugin, i may recommend looking at the custom primitives
framework, ie. aggregate_primitives config directive. For pmacctd it
contemplates offsets to L2, L3 and L4. You may want/need to extend
the to do the same with L7 - with peculiarities of L7, ie. not just
relying on
VERSION.
1.6.1
DESCRIPTION.
pmacct is a small set of multi-purpose passive network monitoring tools. It
can account, classify, aggregate, replicate and export forwarding-plane data,
ie. IPv4 and IPv6 traffic; collect and correlate control-plane data via BGP
and BMP; collect infrastructure data
Hi Frederic,
What i would recommend is: use pmacctd with the nfprobe plugin to build
flows out of packets; the flow engine is present in pmacct but is not
hooked up to other plugins, ie. the print one that you are using. Then,
you can recollect the output of the nfprobe plugin with nfacctd -
Hi Alex,
Inline:
On Sun, Sep 11, 2016 at 11:45:44PM +0300, Abi Askushi wrote:
> 1. Is there a pmacct plugin to get traffic flows from connection tracking
> system, like ulogd2 with NFCT plugin?
Not being familiar with this, can you elaborate what it does? An example
would be much appreciated.
Hi Shuo,
You should use the tee_receivers config directive instead of
(legacy) tee_receiver. Here you can also find an example:
https://github.com/pmacct/pmacct/blob/master/examples/tee_receivers.lst.example
Cheers,
Paolo
On Sun, Sep 11, 2016 at 04:47:31PM +, Yan, Shuo wrote:
> Hi,
>
>
Hi Adrien,
Thanks for your kind words :)
pmacct client can perform basic filtering but not sub-aggregation.
This said, the first thing it came to mind reading your question was
to query the memory table as "pmacct -s -O csv" then use a few touches
of awk for the sub-aggregation. Like:
For
Hi Steve,
As Tim was mentioning you can use 'sampling_rate' with a fixed sample
rate (not 'sample_rate'); this will make pmacct sample for you. In case
you are sampling outside pmacct, you can supply this info via, say,
pmacctd_ext_sampling_rate so that nfprobe will include such value in
the
>
>
>
>
>
> On 4.03.2016 21:52, Derrick Sawyer wrote:
> >Hi Paolo,
> >Yes very perplexing. If you can ping me privately, I can give you
> >more detail and show you what I am seeing.
> >
> >Thanks,
> >-/-Derrick
> >
> >On Fri, M
Hi Mattias,
From what i read so far I believe the pesky bit here is that you are using
pmacctd (which is the libpcap-based daemon) rather than nfacctd (which is
the NetFlow collector daemon, which collects and analyses/dissects NetFlow
packets).
Cheers,
Paolo
On Fri, Aug 19, 2016 at
ctd_renormalize: true
> nfacctd_ext_sampling_rate: 4000
> nfacctd_disable_checks: true
>
> My nfacctd version :
>
> [11:20 ] > nfacctd -V
> NetFlow Accounting Daemon, nfacctd 1.5.3 (20160114-00)
> --enable-jansson --enable-ipv6
>
> For suggestions, critics, bu
Hi Steve,
Try setting 'nfacctd_time_new: true' which would take as reference
time of arrival of the flow to the collector; you should get your
desired behaviour. Another solution is to keep nfacctd_time_new to
false and decrease to the minimum the active timeout on your NetFlow
exporter (what is
Hi Andrey,
Unfortunately this is not possible. You have a networks_file_no_lpm
switch, which does not really apply to your case since you have all
three networks in a networks_file, but in the end you can account
traffic only to one net - then you would have to summarize yourself
as part of the
Hi Catalin,
What version this is? I've tried to reproduce with code in master
on GitHub and all appears to work fine and i see data pushed into
the expected topic 'pmacct1'. If you are not using code in master,
can you please give it a try as well?
Cheers,
Paolo
On Thu, Jul 28, 2016 at
Hi Matt,
The snaplen is meant for the pmacctd daemon, which is the libpcap-based
daemon of the set. You can compare pmacctd to tcpdump in the fact they
are both libpcap-based - then they do a slightly different job and produce
different output.
nfacctd is a daemon listening on a port and
VERSION.
1.6.0
DESCRIPTION.
pmacct is a small set of multi-purpose passive network monitoring tools. It
can account, classify, aggregate, replicate and export forwarding-plane data,
ie. IPv4 and IPv6 traffic; collect and correlate control-plane data via BGP
and BMP; collect infrastructure data
Hi Inge,
Any chance you have some aggregate_filter or any other filtering in place
via pre_tag_map? Another option could be the new MX box is exporting less
data than the previous one (ie. as a result of a different configured
sampling rate) and buffers (plugin_buffer_size mainly) are set too
Hi Vaggelis,
I look forward to any thoughts about data types. Personally, the very
first reaction this triggers is: the backend of the accounting system
should be set to a timezone that does not change during the year and,
even more ideally, to UTC. UTC is ideal because it helps when stuff is
Hi Bryan,
This should be easily connected to your plugin_buffer_size and plugin_pipe_size
settings - they are OK for the amount of v4 traffic, they may be too large for
the amount of v6 traffic so data is sitting there waiting for big buffers to be
filled. Having different buffers for v4 and v6
Hi Jaroslav,
To confirm this is currently not possible but actually would be a good
idea for future support. I was going to suggest to use source MAC address
instead but i note that also there you have the post-source MAC address.
Please get in touch privately, a trace of your NetFlow would
Hi Jaroslav,
To increase precision beyond historical accounting, ie. stamp_inserted
and stamp_updated, you can use timestamp_start and timestamp_end keys in
your aggregation method. But, as you will see, while you will increase
precision, you will increase the amount of data - whether this is a
Hi Anthony,
This means the plugin cache is under-sized for the amount of entries
you are throwing at it. See sql_cache_entries in CONFIG-KEYS (*).
Cheers,
Paolo
(*) https://github.com/pmacct/pmacct/blob/master/CONFIG-KEYS
On Thu, Apr 28, 2016 at 11:04:38AM -0400, Anthony Rodriguez wrote:
>
Hi Anthony,
ET is the Estimated Time it took to complete the purging event. So, in
your case, 8978 seconds. QN is the Query Number: how many were sent to
the database / how many entries are in the cache. So, in your case,
12482 are sent out of 32819 that are cached. This for sure means that
Hi John,
Please consider in 1.6.0, the code currently on GitHub, the build system
has totally changed - maybe you want to give a try with that one and see
if it works? If it does not or you need to stick to 1.5.3, i'd be happy
to have a look myself on your box as i have no way to reproduce this.
Hi Michael,
In principle it sounds no problem, you can set those directives even up to
one year. I just wonder whether that would make sense, ie. wait for a long
flow to complete before account for it. But maybe a better explanation of
your use-case and/or what you would like to achieve (ie. what
Hi Baseem,
The ports_file is not influential on your original issue - it would only
allow you to narrow down ports to a set of interest (for the sake of not
getting too much data). Ports are in the template so this looks weird: can
you send privately a brief trace of some IPFIX flows (and
> 03/22/16 3.39 GiB | 192.81 MiB |3.58 GiB | 347.33 kbit/s
> 03/23/16 2.68 GiB | 149.60 MiB |2.82 GiB | 274.16 kbit/s
> 03/24/16179.13 MiB | 55.53 MiB | 234.66 MiB | 39.25 kbit/s
> +-+-+-
Hi Fabien,
Is it possible a stale nfacctd is still running and bound to the port?
Or that on the system there is also a pmacct from packages? If neither
of these would be the case then i'd be puzzled myself and would be happy
to have a look at the issue myself.
Cheers,
Paolo
On Tue, Mar 22,
Hi Andy,
Great to read you here.
Can you say what version of pmacct you are using? Also, having an
handful of your sFlow packets in a trace in libpcap format would
immensely help me reproducing the issue (and/or recommending the
right knobs in the config). Any chance you can provide that to me,
Hi Paul,
Configuration looks good, yes. Any anomaly you may notice, don't
hesitate to ping me directly for further troubleshooting. Wrt the
multiple interfaces: since you have the sfprobe_ifindex in, i can't
recommend towards an 'interface: any' kind of config (which would
allow you to do all
> Thanks,
> -/-Derrick
>
> On Thu, Mar 3, 2016 at 4:47 PM, Derrick Sawyer <sawye...@gmail.com> wrote:
>
> > Hi Paolo,
> > Oops ;) I forgot about that. That did the trick! The bgp agent mapping
> > config with dual v4/v6 sessions seems to be the ke
LISTEN
> 13006/sfacctd: Core
>
> Do I need to set the remote port to 1790? I tried to connect to 179 on the
> local IPv6 address but get a connection refused.
>
> Any insight will be much appreciated.
>
> Thanks,
> -/-Derrick
>
>
>
> On Thu, Mar 3,
Hi Derrik,
Is it a good assumption the package was compiled with "--enable-ipv6",
correct? Also, are you sending v4 and v6 AFs over a v4 BGP session or
you have two BGP sessions, one v4 and one v6? What is the content of
the file pointed by bgp_agent_map? Last question for this round: do
you see
Hi Raphael,
Good point you raise: legacy is never a good reason but that's the reason;
ideally amqp_user and amqp_passwd should be added to the configuration
struct in cfg.h and all should be pointed to those. It's the same for a
few other cases (not many fortunately), like the output filename of
Hi Vincent,
Inline:
On Tue, Mar 01, 2016 at 11:06:39AM +0100, Vincent Bernat wrote:
> > Can I add it through the use of libnetfilter-log? Or do you want it
> > without any external dependencies? I already did a couple of daemons
> > with libnetfilter-log.
First off, it would be wonderful if
Hi Vincent,
You are right with your assumption. Support of NFLOG has been requested,
ie. to support IPv6, but is still pending and i don't have it currently
on my radar (ie. 1.6.0 / 1.6.1).
Cheers,
Paolo
On Mon, Feb 29, 2016 at 05:55:51PM +0100, Vincent Bernat wrote:
> 26 February 2016
Hi TC,
I would simply not recommend to run both sFlow and NetFlow on the same
port; the only way possible is the one you mention in your last email:
use a replicator to feed the actual daemons; but it seems too involved
to me if you do not have strong reasons for it (technical limitations or
Hi TC,
Consider nfacctd and sfacctd do not use libpcap in order to read
the incoming NetFlow/IPFIX and sFlow packets respectively; only
pmacctd uses libpcap. This is why you can't let both nfacctd and
sfacctd bind to the same port and IP address.
Cheers,
Paolo
On Thu, Feb 25, 2016 at
Hi Nicolas,
Support for sFlow counters was introduced in 1.5.2 and made more robust
in 1.5.3. However consider this is interface counter stats; the host sFlow
structs is currently not supported - we can think about it if there is
interest around it. Same applies to the agent side of the things,
Hi Franz,
Yes, it's no problem if, in general, two processes running libpcap
are binding to the same interface. You can in fact not only have any
two pmacctd binding there, but also a pmacctd and a tcpdump, etc.
Cheers,
Paolo
On Tue, Feb 23, 2016 at 01:23:29PM +0100, fboehm wrote:
> Hi,
>
> I
>
> On 18/01/2016 20:14, Robin Douine wrote:
> > Hi Paolo,
> >
> > I'll be back to you as early as possible.
> >
> > Best regards
> >
> > On 18/01/2016 06:16, Paolo Lucente wrote:
> >> Hi Robin,
> >>
> >> To say this is now
Hi Pau,
On the sampling part: this is not supported but for a good reason, i
would say. Sampling is, yes, about sending less data over but also
about being able to renormalize data using some math; sampling packets
passing via an interface makes sense; dropping some well-formed NetFlow
packets
Hi Mario,
Wrt the balancing algorithm & templates. Definitely the round-robin
balancing algorithm is suitable only for - pass me the term - non-
contextual protocols/protocol versions (ie. sFlow and NetFlow v5);
NetFlow v9/IPFIX, which are template-based, require the 'hash-agent'
one where the IP
Hi,
>
> Some time ago I asked about converting IPFIX to NetFlow v5/v9. Is it
> possible now?
>
> 2014-11-27 15:17 GMT+03:00 Paolo Lucente <pa...@pmacct.net>:
> > Hi Eugene,
> >
> > Translation of protocols and protocol versions is not supported by
>
timelines.
Cheers,
Paolo
On Mon, Jan 18, 2016 at 05:22:21AM +, Paolo Lucente wrote:
> Hi Thomas,
>
> Thanks for bringing this up. This is on my todo list for some time
> due to the aging status of L7-Filter; please anybody using pmacctd/
> uacctd add your voice to this
Hi Steve,
Is it possible nfacctd is not configured as RR client on the routers and
hence it is getting only partial routes?
Cheers,
Paolo
On Fri, Feb 05, 2016 at 01:36:49PM -0700, Steve Dodd wrote:
> I'm having an issue where a large number of flows aren't populating with
> src_as/dst_as
Hi Jordan,
A feature to map MACs to ASNs, ie. equivalent to the networks_file
that does IP (prefixes) to ASNs, is not currently available - just
to confirm. Adding it needs a bit of work but it's not a big deal,
definitely achievable.
The workaround i can propose is to pass through the
Hi Will,
Absolutely great to hear; as Kafka support is in its infancy in
pmacct, please keep me posted for any issues (or requests).
Yes, since December the code is now on GitHub and it's not anymore
a mirror of the CVS repository; Job Snijders helped massively to
make this happen. It was right
is appreciated.
>
> Thanks,
> Javier
>
> On Sat, Jan 16, 2016 at 8:28 AM, Paolo Lucente <pa...@pmacct.net> wrote:
>
> >
> > Hi Javier,
> >
> > What version of the MongoDB c driver are you using? It is possible
> > you are using som
he amqp plugin.
>
> Best regards
>
> On 05/11/2015 04:59, Paolo Lucente wrote:
> > Hi Robin,
> >
> > Thanks for your kind words.
> >
> > About sFlow counters: you are right, currently only streamed output to
> > files is supported - no AMQP or Kafka
VERSION.
1.5.3
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to account, classify,
aggregate, replicate and export IPv4 and IPv6 traffic; a pluggable architecture
allows to store collected data into memory tables, RDBMS (MySQL, PostgreSQL,
SQLite), noSQL databases
To wrap-up on this. Bug was confirmed, reproduced and fixed. Fix has been
also tested working by Ed. Log of the commit is here:
https://github.com/pmacct/pmacct/commit/6d518f4a2b0e808ae89e2b896fa3c0ba2c3fc64b
Cheers,
Paolo
On Thu, Jan 07, 2016 at 11:00:43PM +, Paolo Lucente wrote:
> Hi
/gravitizer/bin/monitor.pl
> print_output_file_append: true
> !
> nfacctd_port: 2055
>
> Thanks,
>
> Ed
>
> On Thu, Jan 7, 2016 at 4:20 PM, Paolo Lucente <pa...@pmacct.net> wrote:
>
> > Hi Ed,
> >
> > You mean you kind of just upgraded to 1.5.2
Hi Javier,
Is it possible you are using a MongoDB C driver >= 0.9? Currently,
pmacct only supports the legacy C driver (up to release 0.8.1); it
can be found here:
https://github.com/mongodb/mongo-c-driver-legacy
I just realize now that URLs may have changed and hence docs need
a refresh.
Hi Harry,
Your nfacctd config looks OK; i tried to reproduce in lab (although i
have availability of PostgreSQL 9.1 instead of 9.4 i don't think it's
making an actual difference) without success. Any chance i can debug
this on your box? If yes, we can follow-up privately for the details.
In
, 2015 at 09:43:28PM +0100, Radu Anghel wrote:
> Hi Paolo,
>
> Thank you for your answer.
>
> For me it is not urgent as I am just starting with this, but it
> would be really useful in the future.
>
> Best wishes,
>
> Radu
>
>
> On 20.12.2015 15:57, Paol
Hi Radu,
You are right: sequence number is not a natively supported primitive
and, since it's part of the header and not of the flow record, it is
not possible to leverage the aggregate_primitives framework either.
This said, writing native support for the sequence number is not a
super big
Hi Ruben,
I'm with you. Let me investigate and come back to you on this.
Cheers,
Paolo
On Wed, Dec 16, 2015 at 08:46:22PM +0100, Ruben Laban wrote:
> Hi,
>
> The setting files_umask is only used for files created by pmacctd,
> and not for directories created by pmacctd. One can argue that that
his value instead of print_refresh_time one.
>
> Seems like this explanation isn't exactly true anymore, as
> print_refresh_time was already defined.
>
> Anyways, I'm glad this is now working as expected again and I can
> continue with this (small) implementation.
>
> Re
Hi Ruben,
It should be just matter of adding print_history to your config,
ie. 'print_history: 5m' for 5 mins time-bins.
Cheers,
Paolo
On Mon, Dec 14, 2015 at 01:12:27PM +0100, Ruben Laban wrote:
> Hi,
>
> Today I ran into an issue with pmacctd which feels familiar, but I
> can't remember how
Hi Vadim,
Thanks for getting in touch. Was wondering the purpose of your
feature request. Like, if you just think ZeroMQ would be a nice
addition to the current messaging options in pmacct (RabbitMQ and
Kafka); or if actually you want to inject data from pmacct into
ntopng.
In case of the
Hi Thomas,
I ack the fact pmacct is not handling any post* field types for bytes
and packets count. Can we follow-up privately on this; i would need
two things: 1) a trace of the NetFlow packets (including templates)
so to be able to replay it in lab; 2) a better explanation of what to
do with
t's bridged and the bridge has the ip is ok, too.
>
> Maybe it's possible to change the severity of the allocate memory
> message to ERROR in one of the next releases.
>
> Nevertheless, this needs to be said: Paolo, you did really great work.
> Really cool software and thank you for
Hi Sergey,
For template ID you mean flowset ID? If yes, then you can use a
pre_tag_map and the flowset_id directive to tag session start/
session end differently. Then a pre_tag_filter can be used to
direct different tags to different plugins, ie. because you want
to log them in different
Hi Andreas,
The issue should not be connected at all to plugin_pipe_size and
plugin_buffer_size sizes - did you find a link between the issue
and these config directives somewhere in the archives?
This may be more connected to sql_cache_entries (although you seem
to have it configured already
Hi Horst,
This is expected because you use pmacctd, the libpcap-based daemon.
Libpcap has the beauty of being portable but has the drawback to not
have much insight into the underlying OS - hence interfaces are not
populated. You may achieve that with uacctd, the ULOG-based daemon.
An alternative
Hi Thomas, Mario,
Mario is right with his suggestion. Shall any of you have interest
in troubleshooting the root cause why renormalization is not happening
'automagically' out of NetFlow data, feel free to ping me offline; it
will require a snapshot of your NetFlow data for inspection and replay
Hi Edward,
Mario is right.
Plus you can set nfacctd_time_new to true to make nfacctd use the time
of arrival at the collector (rather than individual flow start times)
for time binning. This approach will be less precise than using flow
start times; a few considerations at this propo: 1) if flow
Hi Manfred,
That amqp_tcp_socket.h file is part of rabbitmq-c , the RabbitMQ C
API/driver. You can find it here: https://github.com/alanxz/rabbitmq-c/
Can you confirm you have it installed? Also: you seem to suggest you
are upgrading from an earlier version of pmacct - is this the case?
Was that
e filters, for
> readability and manageability ?
> Or is this performance wise a bad idea ?
>
>
> Does the pre_tag_filter have any CPU load we should care for ?
>
>
>
> Thanks !
>
> Best regards,
>
> Wouter
>
>
>
>
>
>
> -Original Messag
Hi Wouter,
Great to read from you!
I should be correct that the amount of your supernets is manageable
to put in a pcap-style filter. Plus the set of supernets should not
change much. In such a case you could use a pre_tag_map like:
tag=666 filter=
Then in your config file:
...
!
pre_tag_map:
VERSION.
1.5.2
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to account, classify,
aggregate, replicate and export IPv4 and IPv6 traffic; a pluggable architecture
allows to store collected data into memory tables, RDBMS (MySQL, PostgreSQL,
SQLite), noSQL databases
Hi Fabien,
Thanks for confirming geoipv2 seems to run perfectly - as 1.5.2 is just
about to be released this is an important data point.
Wrt the warning message that you mention: that is definitely coming from
the Maxmind library: it is returning a code different than MMDB_SUCCESS
on some
Hi Ruben,
Your email is very timely and i understand such fluctuations between low
and high traffic periods can happen in a libpcap deployment. A new feature
that has been introduced as part of 1.5.2 (which is currently in the CVS
and about to be released) is passing buffers inside pmacct - so