Re: [pmacct-discussion] monitoring multiple network interfaces

[Paolo Lucente]

Hi Ross,

This same setup works well on a Linux for example. I see you
daemonize both pmacctd daemons. Can you please keep them in
foreground instead (daemonize: false) so that you can catch
what happens? 

Cheers,
Paolo

On Thu, Sep 23, 2010 at 01:06:58PM -0700, Ross Lawrie wrote:
 Hi,
 
 I'm trying to set pmacct up on an OpenBSD 4.7 server running PF for its
 firewall such that I can monitor traffic on each of my networks.  From
 the articles I've read in the wiki and in mailing lists the easiest way
 to do this is to run multiple instances of pmacctd.  The problem I'm
 having is that processes after the first one don't seem to generate
 data.
 
 For example, using the following two commands to start pmacctd:
 
 /usr/local/sbin/pmacctd -f /etc/pmacct/pmacctd_dmz.conf
 /usr/local/sbin/pmacctd -f /etc/pmacct/pmacctd_internal.conf
 
 Here are the associated config files:
 
 !
 ! pmacctd_dmz.conf
 !
 debug: false
 daemonize: true
 interface: em1
 plugin_buffer_size: 2048
 plugin_pipe_size: 2048000
 networks_file: /etc/pmacct/networks.def
 plugins: memory[dmzin], memory[dmzout]
 aggregate[dmzin]: dst_host
 aggregate[dmzout]: src_host
 imt_path[dmzin]: /tmp/dmz-in.pipe
 imt_path[dmzout]: /tmp/dmz-out.pipe
 
 !
 ! pmacct_internal.conf
 !
 debug: false
 daemonize: true
 interface: ste0
 plugin_buffer_size: 2048
 plugin_pipe_size: 2048000
 networks_file: /etc/pmacct/networks.def
 plugins: memory[intin], memory[intout]
 aggregate[intin]: dst_host
 aggregate[intout]: src_host
 imt_path[intin]: /tmp/internal-in.pipe
 imt_path[intout]: /tmp/internal-out.pipe
 
 Using pmacct -s -p pipe I'm able to see data for whichever I start
 first, however I get errors on the second started.  Sometimes one or
 both of the pipes belonging to the second process aren't created, if
 they are created I get an error when trying to read from them:
 
 pmacct -s -p /tmp/dmz-out.pipe 
 INFO: Connection refused while trying to connect to '/tmp/dmz-out.pipe'
 
 Hopefully someone can see whatever I'm missing here.  The version of
 pmacct installed is 0.12.0 in case that's relevant.
 
 Thanks,
 
 Ross Lawrie
 
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Source port column name depends on database

[Paolo Lucente]

Hi Chris,

Agree. I seem to reckon this legacy issue is limited to the TCP/UDP
ports only and i'm thinking perhaps the best way to approach it is
to issue a true/false config switch, ie. sql_table_compat, for the
purpose. But for consistency with the rest, these fields should be
aligned to port_src and port_dst. Agree?

Cheers,
Paolo


On Mon, Sep 13, 2010 at 11:14:18AM +0200, Chris Wilson wrote:
 Hi all,
 
 We just had a bug report in pmGraph because it assumed that the source 
 port database column was called src_port always, as it is in MySQL. The 
 user is using a postgres database, and it appears that the column is 
 called port_src there instead:
 
 if (!strcmp(config.type, mysql) || !strcmp(config.type, sqlite3)) 
 {
   strncat(insert_clause, src_port, SPACELEFT(insert_clause));
   strncat(where[primitive].string, src_port=%u, 
 SPACELEFT(where[primitive].string));
 }
 else {
   strncat(insert_clause, port_src, SPACELEFT(insert_clause));
   strncat(where[primitive].string, port_src=%u, 
 SPACELEFT(where[primitive].string));
 }
 
 I would be much happier writing database-independent code around 
 pmacct if it didn't do things like this.
 
 I understand that there is a backwards compatibility issue with changing 
 it, but perhaps it could be done in a new version of the mysql or postgres 
 schema?
 
 Cheers, Chris.
 -- 
 Aptivate | http://www.aptivate.org | Phone: +44 1223 760887
 The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
 
 Aptivate is a not-for-profit company registered in England and Wales
 with company number 04980791.
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] duplicates...

[Paolo Lucente]

Hi Thomas,

What matters is really how many 'src_host, dst_host' aggregates
are generated out of the traffic. Predicting for me is difficult
but you can turn sql_dont_try_update to false (so that it doesn't
complain about duplicates anymore for the sake of this test) and
see whether during the sql_refresh_time time-span you are pushing
more than 256K aggregates to the database. Verification is to run
a query like the following against the database:

SELECT COUNT(*) AS aggregates, stamp_inserted 
FROM acct
GROUP BY stamp_inserted;

Cheers,
Paolo

On Sun, Sep 12, 2010 at 05:59:20PM +, Thomas Raabo - ZitCom A/S wrote:
 r...@mgmt5 examples]# top
 top - 19:31:01 up 4 days,  9:24,  5 users,  load average: 0.12, 0.08, 0.07
 Tasks: 202 total,   1 running, 201 sleeping,   0 stopped,   0 zombie
 Cpu(s):  0.0%us,  0.0%sy,  0.0%ni, 99.9%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
 Mem:  24675552k total,  3611064k used, 21064488k free,   312036k buffers
 Swap:  3124632k total,  260k used,  3124372k free,  1490888k cached
 
 We are running about 400mbit of traffik average with netflow exporting  6000 
 flow/sec
 
 What sql_cache_entries do you recommend?
 
 
 Thomas
 
 
 
 -Oprindelig meddelelse-
 Fra: pmacct-discussion-boun...@pmacct.net 
 [mailto:pmacct-discussion-boun...@pmacct.net] P? vegne af Paolo Lucente
 Sendt: 12. september 2010 01:32
 Til: pmacct-discussion@pmacct.net
 Emne: Re: [pmacct-discussion] duplicates...
 
 Hi Thomas,
 
 This very likely answers why you are not seeing all you expect in the 
 database. Reason you get duplicates is pmacct is trying to insert into the 
 database more than once per 600 seconds (as per your configuration) and 
 sql_dont_try_update is set to true.
 
 So quickest work-around is to set sql_dont_try_update to false; but i guess 
 it's good to spend some efforts to understand why pmacct is behaving like 
 that. The cause safe action gives a pointer and it's due to one of the two 
 following reasons:
 
 * There are too many 'src_host, dst_host' aggregates for the
   configured sql_cache_entries value. This should be excluded
   as only 500-600 entries are to be inserted while the config
   would allow for sql_cache_entries entries (256K). But, it
   could be it stops on the first of a series of INSERTs, so
   there is more data to dump. Knowing your environment, you
   can ultimately comment whether the 256K value is good or
   not.
 
 * The system is short of memory (or the OS limits the amount
   of memory the pmacct process(es) can allocate); so at some
   stage pmacct asks for a new chunk of memory to insert a new
   entry in the SQL cache and it's not able to get it; this
   results in pmacct purging the cache content in an effort
   to make room to new data. Please check whether this can be
   the case.
 
 Let me know.
 
 Cheers,
 Paolo
 
 
 On Sat, Sep 11, 2010 at 05:49:17PM +, Thomas Raabo - ZitCom A/S wrote:
  Once every 10 min iam getting some errors
  
  DEBUG ( default/mysql ): purging process (CAUSE: safe action) ( 
  default/mysql ) *** Purging cache - START *** DEBUG ( default/mysql ): 
  568 VALUES statements sent to the MySQL server.
  ERROR ( default/mysql ): Duplicate entry 
  '0-unknown-0:0:0:0:0:0-0:0:0:0:0:0-0-0-0-188.176.68.71-194.182.12' for key 
  'PRIMARY'
  
  DEBUG ( default/mysql ): purging process (CAUSE: safe action) ( 
  default/mysql ) *** Purging cache - START *** DEBUG ( default/mysql ): 
  569 VALUES statements sent to the MySQL server.
  ERROR ( default/mysql ): Duplicate entry 
  '0-unknown-0:0:0:0:0:0-0:0:0:0:0:0-0-0-0-91.100.100.103-94.231.97' for key 
  'PRIMARY'
  
  DEBUG ( default/mysql ): purging process (CAUSE: safe action) ( 
  default/mysql ) *** Purging cache - START *** DEBUG ( default/mysql ): 
  565 VALUES statements sent to the MySQL server.
  ERROR ( default/mysql ): Duplicate entry 
  '0-unknown-0:0:0:0:0:0-0:0:0:0:0:0-0-0-0-94.231.102.73-95.166.47.' for key 
  'PRIMARY'
  
  My config
  
  ! nfacctd configuration example
  !
  ! Did you know CONFIG-KEYS contains the detailed list of all 
  configuration keys ! supported by 'nfacctd' and 'pmacctd' ?
  !
  debug: true
  !daemonize: true
  
  aggregate: tag, src_host, dst_host
  plugin_pipe_size: 4096
  plugin_buffer_size: 40960
  nfacctd_port: 9000
  
  ! nfacctd_time_secs: true
  
  nfacctd_time_new: true
  
  plugins: mysql
  
  sql_db: pmacct
  sql_table: acct
  sql_table_version: 2
  sql_passwd: *
  sql_user: root
  sql_refresh_time: 600
  sql_multi_values: 10
  sql_dont_try_update: true
  sql_cache_entries: 256000
  ! sql_optimize_clauses: true
  sql_history: 10m
  sql_history_roundoff: mh
  
  Thomas
 
  ___
  pmacct-discussion mailing list
  http://www.pmacct.net/#mailinglists
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http

Re: [pmacct-discussion] duplicates...

[Paolo Lucente]

Hi Thomas,

This very likely answers why you are not seeing all you expect
in the database. Reason you get duplicates is pmacct is trying
to insert into the database more than once per 600 seconds (as
per your configuration) and sql_dont_try_update is set to true.

So quickest work-around is to set sql_dont_try_update to false;
but i guess it's good to spend some efforts to understand why
pmacct is behaving like that. The cause safe action gives a
pointer and it's due to one of the two following reasons:

* There are too many 'src_host, dst_host' aggregates for the
  configured sql_cache_entries value. This should be excluded
  as only 500-600 entries are to be inserted while the config
  would allow for sql_cache_entries entries (256K). But, it
  could be it stops on the first of a series of INSERTs, so
  there is more data to dump. Knowing your environment, you
  can ultimately comment whether the 256K value is good or
  not.

* The system is short of memory (or the OS limits the amount
  of memory the pmacct process(es) can allocate); so at some
  stage pmacct asks for a new chunk of memory to insert a new
  entry in the SQL cache and it's not able to get it; this
  results in pmacct purging the cache content in an effort
  to make room to new data. Please check whether this can be
  the case.

Let me know.

Cheers,
Paolo


On Sat, Sep 11, 2010 at 05:49:17PM +, Thomas Raabo - ZitCom A/S wrote:
 Once every 10 min iam getting some errors
 
 DEBUG ( default/mysql ): purging process (CAUSE: safe action)
 ( default/mysql ) *** Purging cache - START ***
 DEBUG ( default/mysql ): 568 VALUES statements sent to the MySQL server.
 ERROR ( default/mysql ): Duplicate entry 
 '0-unknown-0:0:0:0:0:0-0:0:0:0:0:0-0-0-0-188.176.68.71-194.182.12' for key 
 'PRIMARY'
 
 DEBUG ( default/mysql ): purging process (CAUSE: safe action)
 ( default/mysql ) *** Purging cache - START ***
 DEBUG ( default/mysql ): 569 VALUES statements sent to the MySQL server.
 ERROR ( default/mysql ): Duplicate entry 
 '0-unknown-0:0:0:0:0:0-0:0:0:0:0:0-0-0-0-91.100.100.103-94.231.97' for key 
 'PRIMARY'
 
 DEBUG ( default/mysql ): purging process (CAUSE: safe action)
 ( default/mysql ) *** Purging cache - START ***
 DEBUG ( default/mysql ): 565 VALUES statements sent to the MySQL server.
 ERROR ( default/mysql ): Duplicate entry 
 '0-unknown-0:0:0:0:0:0-0:0:0:0:0:0-0-0-0-94.231.102.73-95.166.47.' for key 
 'PRIMARY'
 
 My config
 
 ! nfacctd configuration example
 !
 ! Did you know CONFIG-KEYS contains the detailed list of all configuration 
 keys
 ! supported by 'nfacctd' and 'pmacctd' ?
 !
 debug: true
 !daemonize: true
 
 aggregate: tag, src_host, dst_host
 plugin_pipe_size: 4096
 plugin_buffer_size: 40960
 nfacctd_port: 9000
 
 ! nfacctd_time_secs: true
 
 nfacctd_time_new: true
 
 plugins: mysql
 
 sql_db: pmacct
 sql_table: acct
 sql_table_version: 2
 sql_passwd: *
 sql_user: root
 sql_refresh_time: 600
 sql_multi_values: 10
 sql_dont_try_update: true
 sql_cache_entries: 256000
 ! sql_optimize_clauses: true
 sql_history: 10m
 sql_history_roundoff: mh
 
 Thomas

 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] [nfacctd] aggregate_filter

[Paolo Lucente]

Hi Borys,

I can confirm you filtering on TCP flags is currently not possible
in both nfacctd and sfacctd. Such implementation is not major work
and can be done pretty quickly - i can drop you an email privately
when the code is available in the CVS so you can test it working?

Apart from the above, just to be on the same page, you are already
sure TCP flags in NetFlow will work for your scenario? NetFlow ORs
all the TCP flags seen for a certain uni-directional flow up to the
moment it's set for expiration. So if counting flags, for example,
you should not seek for a full match but rather test with a logical
AND.

Cheers,
Paolo

 
On Tue, Aug 24, 2010 at 05:47:33PM +0200, Borys Owczarzak wrote:
 Hi!

 I would like to logging some traffic to database:
 TCP packets with flags SYN or FIN or RST to table kancelaria
 UDP packets (1-of-100) to table dupa
 ICMP packets (1-of-100) to table icmp.

 My test configuration:
 !START CONFIGURATION
 daemonize: true
 pidfile: /var/run/pmacctd.pid
 syslog: daemon
 !FOR PMACCTD USE PROMISC: TRUE
 !promisc: true
 !FOR NFACCTD USE NFACCTD_PORT: 2055
 nfacctd_port: 2055
 interface: eth2
 aggregate[kancelaria]: src_host, dst_host, src_port, dst_port, tcpflags
 aggregate[dupa]:src_host, dst_host, src_port, dst_port
 aggregate[icmpe]:src_host, dst_host, src_port, dst_port
 aggregate_filter[kancelaria]: tcp[tcpflags]  (tcp-syn) != 0 ||  
 tcp[tcpflags]   (tcp-fin) !=0 || tcp[tcpflags]   (tcp-rst) !=0
 aggregate_filter[dupa]: udp
 aggregate_filter[icmpe]: icmp
 sampling_rate[icmpe]:100
 sampling_rate[dupa]:100
 plugins: mysql[kancelaria], mysql[dupa], mysql[icmpe]
 sql_db: pmacct
 sql_optimize_clauses: true
 sql_table[dupa]: dupa
 sql_table[kancelaria]: kancelaria
 sql_table[icmpe]: icmpe
 sql_user: root
 sql_passwd: regedit4
 sql_dont_try_update: true
 sql_refresh_time: 1
 sql_history: 1d
 !STOP CONFIGURATION

 I try it at pmacctd and nfacctd. When I use pmacct everything works  
 great. But problem is with nfacctd. It does not save data to kancelaria  
 table. When I erase from configuration aggregate_filter[kancelaria]:  
 when it saves packet.

 Somebody know why nfacct has got problem with these aggregate_filter?

 PS aggregate_filter[dupa] and aggregate_filter[icmpe] wors correctly.

 Kind regards
 Borys Owczarzak

 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] cockpit error instrumenting www.pmacct.net/docs/cacti.html?

[Paolo Lucente]

Hi Larry,

Wanted just to say briefly the best person to support you is the author
of that document (which btw is not on this list and not really reachable
recently). I can't help you with that as i'm not too much into Cacti and
pmacct seems to return expected results. 

I'm certainly available to collect feedback on that document and edit it
accordingly. Perhaps is an idea to move it to the wiki so that everybody
is potentially able to modify it.

Cheers,
Paolo


On Thu, Aug 12, 2010 at 09:39:38AM -0500, Larry Vaden wrote:
 First, thanks for the great software.
 
 2nd, feel free to direct me to another list if that should be the case.
 
 Following the example at http://www.pmacct.net/docs/cacti.html, the
 result is the infamous RED X (missing file) rather than the expected
 graph.
 
 Centos 4.8, up to date, using pmacct-0.12.3 and cacti-0.8.7.e (g won't
 run at the moment on CentOS 4.8).
 
 nfacctd is started with (as root)
 
 /usr/local/sbin/nfacctd -f /usr/local/etc/pmacctd.conf
 
 and the contents of /usr/local/etc/pmacctd.conf follow at the end of this 
 post.
 
 The permission on the /tmp/in.pipe and /tmp/out.pipe are as follows
 
 [r...@saguaro cacti]# ls -l /tmp
 total 16
 drwxr-xr-x  3 root   root   4096 Aug  6 12:27 cactiupgrade
 srwxrwxrwx  1 root   root  0 Aug 12 09:18 in.pipe
 srwxrwxrwx  1 root   root  0 Aug 12 09:18 out.pipe
 
 
 'pmacct -s -p /tmp/in.pipe' and 'pmacct -s -p /tmp/out.pipe' return
 the expected results when run as root.
 
 [cactiu...@saguaro ~]$ pmacct -s -p /tmp/in.pipe
 
 and
 
 [cactiu...@saguaro ~]$ pmacct -s -p /tmp/out.pipe
 
 and (after 'su - apache')
 
 -bash-3.00$ pmacct -s -p /tmp/in.pipe
 
 and
 
 -bash-3.00$ pmacct -s -p /tmp/out.pipe
 
 produce the expected results.
 
 There is no sign of the expected files in /var/www/html/cacti/rra:
 
 [r...@saguaro cacti]# ls -l /var/www/html/cacti/rra/localhost*
 -rw-r--r--  1 cactiuser apache 3651280 Aug 12 09:30
 /var/www/html/cacti/rra/localhost_load_1min_5.rrd
 -rw-r--r--  1 cactiuser apache 1218368 Aug 12 09:30
 /var/www/html/cacti/rra/localhost_mem_buffers_3.rrd
 -rw-r--r--  1 cactiuser apache 1218368 Aug 12 09:30
 /var/www/html/cacti/rra/localhost_mem_swap_4.rrd
 -rw-r--r--  1 cactiuser apache 1218368 Aug 12 09:30
 /var/www/html/cacti/rra/localhost_proc_7.rrd
 -rw-r--r--  1 cactiuser apache 8517104 Aug  6 12:20
 /var/www/html/cacti/rra/localhost_rrdsprocessed_8.rrd
 -rw-r--r--  1 cactiuser apache 2434824 Aug  6 12:20
 /var/www/html/cacti/rra/localhost_total_9.rrd
 -rw-r--r--  1 cactiuser apache 1218368 Aug 12 09:30
 /var/www/html/cacti/rra/localhost_users_6.rrd
 [r...@saguaro cacti]#
 
 The contents of /usr/local/etc/pmacctd.conf:
 
 [r...@saguaro cacti]# cat /usr/local/etc/pmacctd.conf
 !
 ! pmacct: In + Out
 !
 debug: false
 daemonize: true
 interface: eth0
 plugin_buffer_size: 2048
 plugin_pipe_size: 2048000
 networks_file: /usr/local/etc/networks.def
 ! temporarily remove mysql from plugins:
 plugins: memory[in], memory[out]
 aggregate[in]: dst_net
 aggregate[out]: src_net
 imt_path[in]: /tmp/in.pipe
 imt_path[out]: /tmp/out.pipe
 !
 nfacctd_port: 2055
 !
 sql_db: pmacct
 sql_table: acct
 sql_table_version: 7
 sql_passwd: redacted
 sql_user: pmacct
 ! from wiki OfficialExamples for sql optimization
 sql_refresh_time: 300
 sql_history: 5m
 sql_history_roundoff: m
 sql_dont_try_update: true
 
 Again, thanks for a great software!
 
 Kind regards/ldv
 
 Larry Vaden
 Internet Texoma, Inc.
 Serving Rural Texomaland Since 1995
 We Care About Your Connection!
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] pmpgplay - what does it do?

[Paolo Lucente]

Hi Chris,

On Mon, Jul 26, 2010 at 10:03:15AM +1000, Chris wrote:

 So I'd be better off making these 2 match?

 sql_refresh_time: 60
 sql_history: 5m

Correct.

 For what it's worth the log seems to be aggregated on the history time.  
 I only see the 5 min increments when I run pmpgplay in debug mode.

Yes, this is because you get logged down the exact tuple that was going
to be written to the database. And records in the database are fitted in
time bins as per the sql_history parameter. 

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] pmpgplay - what does it do?

[Paolo Lucente]

Hi Chris,

The 'failsafe' mechanism (ie. writing to a backup database or to log
files) kicks in upon receipt of an error code from the RDBMS API. So
what you see in the log file should never be already in the database.

Your specific configuration is tricky because you write to the RDBMS
every 60 seconds but aggregate on 5 minutes time-bins and hence it's
not possible to determine for sure whether a record is contributing
or not to a certain aggregate. Only work-around i can think of for
your case is to permanenly enable debug in pmacct (or logging in the
RDBMS) so that it's possible, at any moment, to know which queries
have been performed. This at the expense of slightly more resources.

If using default SQL schemas and an INSERT-only scenario, to protect
against duplicates, you could have simply appended the '-i' option
to pmpgplay to disable UPDATE SQL queries. Logics is explained here:

http://wiki.pmacct.net/CustomizingTheSqlIndexes

Cheers,
Paolo


On Fri, Jul 23, 2010 at 11:53:53AM +1000, Chris wrote:
 Hi,

 I'm using pmacct-0.12.0rc3 with postgresql.

 I've been trying to work out what pmpgplay does when it looks at a log  
 file. I couldn't find much in my searches that go into the details of  
 how it does things.

 It seems it generates a bunch of sql, but does it check to see if that  
 record exists already before applying the change?

 I'm worried about replaying the log and it double-recording data (ie the  
 data is already recorded in the db, and then replaying the log does it  
 again), or will it only apply new records that it can't find in the db?

 I have a missing chunk of data from my database (about 1.5 hrs worth)  
 that I can see in the logs, but the log is surrounded by data that could  
 be in the database (I haven't checked each individual log entry).

 Relevant pmacct.conf info:

 plugin_pipe_size:1024000
 plugin_buffer_size:8192
 imt_buckets: 65537
 imt_mem_pools_size: 1024000

 sql_table_version:1
 sql_refresh_time: 60
 sql_history: 5m

 Any information is much appreciated, thanks!

 -- 
 Postgresql  php tutorials
 http://www.designmagick.com/


 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] [nfacctd] IPv4/IPv6 Accounting into MySQL

[Paolo Lucente]

Hi Carsten,

A couple of things come to mind:

* Was pmacct compiled with --enable-ipv6 ?
* Are 'aggregate_filter' directives including the IPv6 subnets you
  want to account for? 
* If, in parallel to nfacctd, you fire up a Wireshark (or tshark);
  by decoding the NetFlow v9 datagrams generated by the probe, can
  you spot the IPv6 records being sent over to the collector? 

Basing on the answers to the above questions, we can drill it down
further. 

Cheers,
Paolo


On Fri, Jul 23, 2010 at 07:00:00PM +0200, InterNetX - Carsten Schoene wrote:
 Hello List,
 
 i've setup a nfacctd instance which writes data into mysql, the configuration 
 looks like this:
 
 daemonize: true
 pidfile: /var/run/nfacctd.pid
 syslog: daemon
 plugin_pipe_size: 1024
 plugin_buffer_size: 10240
 nfacctd_ip: %MY_NFACCTD_HOST%
 nfacctd_port: 5552
 nfacctd_allow_file:/etc/pmacct/nfacctd.allow
 nfacctd_time_new: true
 plugins: mysql[in], mysql[out]
 
 aggregate[in]: dst_host
 aggregate[out]: src_host
 aggregate_filter[in]: dst net %MYNETWORK_A%/18 or dst net %MYNETWORK_B%/19
 aggregate_filter[out]: src net %MYNETWORK_A%/18 or src net %MYNETWORK_B%/19
 
 sql_host:localhost
 sql_user:pmacct
 sql_passwd:*
 sql_optimize_clauses: true
 sql_refresh_time: 300
 sql_history: 5m
 sql_dont_try_update: true
 sql_history_roundoff: m
 sql_table_version: 7
 sql_table:acct_v7_%Y%m%d_%H00
 sql_table_schema:/etc/pmacct/mysql_v7_table.sql
 sql_recovery_logfile: /raid/nfacctd_recovery_log
 sql_multi_values: 16384000
 
 
 CREATE TABLE IF NOT EXISTS acct_v7_%Y%m%d_%H00 (
 id INT UNSIGNED NOT NULL AUTO_INCREMENT,
 ip_src CHAR(45) NOT NULL,
 ip_dst CHAR(45) NOT NULL,
 packets INT UNSIGNED NOT NULL,
 bytes BIGINT UNSIGNED NOT NULL,
 flows INT UNSIGNED NOT NULL,
 stamp_inserted DATETIME NOT NULL,
 stamp_updated DATETIME,
 PRIMARY KEY (id),
 KEY `src_dst_stamps` (ip_src, ip_dst, stamp_inserted, stamp_updated),
 KEY(ip_src),
 KEY(ip_dst)
 ) ENGINE=MyISAM;
 
 We are running nprobe which exports netflow v9 data using the following 
 netflow template:
 %IPV6_SRC_ADDR %IPV6_DST_ADDR %IPV4_SRC_ADDR %IPV4_DST_ADDR %LAST_SWITCHED 
 %FIRST_SWITCHED %IN_BYTES
 %OUT_BYTES %IN_PKTS %OUT_PKTS %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %TCP_FLAGS 
 %IP_PROTOCOL_VERSION
 %SRC_TOS %SRC_AS %DST_AS %IPV6_SRC_MASK %IPV6_DST_MASK %SRC_MASK %DST_MASK
 
 The problem is, that there are no IPv6 entrys written into the tables, only 
 ipv4 addresses.
 
 Any idea or help would be great
 
 Regards
 -- 
 Carsten Sch?ne
 Leiter Rechenzentrum
 
 InterNetX GmbH
 Maximilianstr. 6
 93047 Regensburg
 
 Tel.   +49 941 59559-480
 Fax   +49 941 59579-051
 
 www.internetx.com
 www.facebook.com/InterNetX
 www.twitter.com/InterNetX
 
 Gesch?ftsf?hrer/CEO: Thomas M?rz
 Amtsgericht Regensburg, HRB 7142
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Netflow and 'ip' key in pretag.map

[Paolo Lucente]

Hi Damian,

Are you running BGP? Would it be feasible for you to past BGP feed(s)
into pmacct (granted you run a recent 0.12 release or can upgrade to
that)? Idea is you can attach BGP standard communities to IP prefixes
as they are advertised or re-distributed into your network. Because
comunities are supported as primitives in pmacct (and you can filter
what you want to see and what should be thrashed instead), you might
even avoid the whole 'id2' section.

Just an idea. In case BGP is not an option: total number of mappings
defined isn't an issue. In this sense, to store 2K entries you should
make use of the pre_tag_map_entries directive (and set it above 2K).
Not very nice to see but it works and should be straightforward to
automate.

It's important though to keep the walks through the maps as short as
possible; so,

id=1 ip=X jeq=user_X
id=1 ip=Y jeq=user_Y
...
id=1 ip=Z jeq=user_Z
!
id=userid ip=X filter='...' label=user_X jeq=traffic_type_X
id=userid ip=Y filter='...' label=user_Y jeq=traffic_type_Y
...
id=userid ip=Z filter='...' label=user_Z jeq=traffic_type_Z
!
id2=1 ip=X filter='...' label=traffic_type_X jeq=next
...
id2=1 ip=Y filter='...' label=traffic_type_Y jeq=next
...
id2=1 ip=Z filter='...' label=traffic_type_Z jeq=next
...

Cheers,
Paolo


On Wed, Jul 21, 2010 at 11:33:38AM +1200, Damian Kissick wrote:
 
 [ ... ]
 
 So finally to the crux of the original question; on the single-router
 setup, netflow on the appropriate ingress and egress interfaces works
 and all the traffic is marked appropriately with a userid (tag) and
 traffic type (tag2).  But I know that upon adding the additional routers
 for the other traffic users, I will currently have to duplicate the id2
 mappings for each netflow agent's IP.  I am trying to find a way around
 that to keep the pretag.map efficient (or maybe ~500 networks x 4
 netflow agents for 2000 mappings is not actually too bad?)
 
 One solution that I am contemplating is to move away from netflow and
 enable sflow on our core switches which would keep the required
 duplication of mappings down.  Or, in the same way our current system
 collects traffic data, use mirror ports (on the core switches) and then
 use the pmacctd daemon instead.
 
 I suspect I am overlooking some more obvious solutions so I really
 appreciate pointers on this and if you or anyone sees other issues or
 better design tips for this, then I welcome the feedback.
 
 Cheers,
  - Damian

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] How many ips can pmacctd monitorize

[Paolo Lucente]

Hi,

Try performing a locked access to the memory table. This
can be done by appending a '-l' option to the command, ie.
pmacct -s -l -p  Let me know.

Cheers,
Paolo

On Thu, Jul 22, 2010 at 10:35:18AM +, Jose Joaquin Anton Herrerias wrote:
 I was Reading CONFIG-KEYS and internals documents but im doing something 
 wrong because the pmacct is stolen data.
 
 When I look into the table for the traffic of one ip I see that the 
 accumulate is stolen.
 
 # pmacct -s -p /tmp/host_in.pipe |grep 184.17
 XX.XXX.184.1751277   14929314
 # pmacct -s -p /tmp/host_in.pipe |grep 184.17
 XX.XXX.184.1753033   15176927
 # pmacct -s -p /tmp/host_in.pipe |grep 184.17
 XX.XXX.184.172803477449
 
 As you can see the bytes column is minor that before. The last time get 
 477449 when 10 seconds before has 15176927. My config is:
 
 !
 ! pmacct: In + Out
 !
 debug: false
 daemonize: true
 interface: eth1
 promisc: true
 syslog: kern
 imt_mem_pools_size: 12000
 imt_mem_pools_number: 20
 plugin_buffer_size: 20480
 networks_file: /etc/pmacct/networks2.def
 plugins: memory[net_in], memory[net_out], memory[host_in], memory[host_out]
 aggregate[net_in]: dst_net
 aggregate[net_out]: src_net
 aggregate[host_in]: dst_host
 aggregate[host_out]: src_host
 imt_path[net_in]: /tmp/net_in.pipe
 imt_path[net_out]: /tmp/net_out.pipe
 imt_path[host_in]: /tmp/host_in.pipe
 imt_path[host_out]: /tmp/host_out.pipe
 
  
 The traffic that I want to monitorize is 70 Mb out and 30 Mb In, is not to 
 much but im getting stolen data.
 
 Thanks for the help and sorry for my bad English.
 
 Best regards.
 
 Jose Joaqu??n Ant??n Herrer??as
 J jan...@abserver.es


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Error for building pmacct 0.12 from source

[Paolo Lucente]

Hi Rodolfo,

In addition to what Brent correctly said you might want to double
check whether you have development kit for MySQL installed at all
(libraries and headers). A chance can be you have got installed
only, say, MySQL client, server and tools.

Cheers,
Paolo

On Tue, Jun 22, 2010 at 12:01:03PM -0400, rodolfo mondion wrote:
 I ve downloaded the latest version of pmacct and trying with 2 linux
 distributions (ubuntu server 9.04 and 10 for i386) i get the same errors
 related to the librarie libmysqlclient
 
 when i make the ./configure --enable-mysql y get:
 
 checking default locations for libmysqlclient ... not found
 checking for mysql_real_connect in lmysqlclient  no
 configure: error:
  ERROR: missing Mysql client library. Refer to
 http://www.mysql.com
 
 I ve installed at the beginning of the server installation the LAMP option,
 i dont know if i must install mysql manually or if theres a problem with my
 mysql version (5.0.75)
 
 Thanks for ur help
 
 
 
 
 -- 
 Rodolfo Mondion R.


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Help as the sum of certain ips

[Paolo Lucente]

Hi Rafael,

Advice is to check out Q8 from FAQS, EXAMPLES document
chapter III, 'sql/README.pgsql' for initial SQL table
setup. It should be enough to work out initial configs.

Cheers,
Paolo


On Thu, Jun 17, 2010 at 05:14:12PM -0300, Rafael Stein wrote:
 Hello to all,
 
 I'm starting to use the system now and wanted to see how to generate the sum
 (input, output) of traffic from certain ips and play in postgres database.
 My idea is to keep updating the value in the database and not insert values.
 I appreciate the help.
 
 Rafael 




___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] data only in one direction

[Paolo Lucente]

Hi Morgan,

INTERNALS document is part of the pmacct distribution tarball
that you download (ie. pmacct-0.12.2.tar.g). Look into docs/.

Cheers,
Paolo


On Fri, Jun 18, 2010 at 08:35:53AM +0200, Morgan Sellier wrote:
 Hi,
 
 Thanks for your help !
 I will test it today but in the documentation I see : Read INTERNALS
 'Memory table plugin' chapter for further details. and I really don't know
 where is this chapter.
 
 Cheers,
 Morgan

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] inet Error

[Paolo Lucente]

Hi Jonathan,

It's a bit hard to say with this information. Can you post your config?
Are you using any of the default SQL schemas? Which options did you
compile the package?

Cheers,
Paolo


On Fri, Jun 11, 2010 at 01:11:23PM +1000, Jonathan Gleeson wrote:
 Hi Guys,

 Anyone got any idea on this one,

 ERROR ( in/pgsql ): ERROR: invalid input syntax for type inet: 
 LINE 1: ...5201)::Timestamp, ABSTIME(1276164900)::Timestamp, '', 4, 350...

 Happens every now and then not at a regular interval but a few times a
 day, when it does occur i loose around 1hours data. it looks like its
 trying to inset an empty set instead of null.

 any suggestions would be really helpful

 Regards,


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

[pmacct-discussion] pmacct 0.12.2 released !

[Paolo Lucente]

VERSION.
0.12.2


DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
account, classify, aggregate and export IPv4 and IPv6 traffic; a
pluggable architecture allows to store collected network data
into memory tables or SQL (MySQL, SQLite, PostgreSQL) databases
and export them through NetFlow or sFlow protocols to remote
collectors. pmacct supports fully customizable historical data
breakdown, BGP correlation, sampling, filtering, tagging and
triggers. Libpcap, Netlink/ULOG, sFlow v2/v4/v5 and NetFlow v1/
v5/v7/v8/v9 are supported, both unicast and multicast. It also
supports replication of incoming NetFlow and sFlow datagrams. A
client tool makes it easy to export data to tools like RRDtool,
GNUPlot, Net-SNMP, MRTG, and Cacti.


HOMEPAGE.
http://www.pmacct.net/


DOWNLOAD.
http://www.pmacct.net/pmacct-0.12.2.tar.gz


CHANGELOG.
+ A new 'tee' plugin is introduced bringing both NetFlow and sFlow
  replication capabilities to pmacct. It supports transparent mode
  (tee_transparent), coarse-grained filtering capabilities via the
  Pre-Tagging infrastructure. Quickstart guide is included as part
  of the EXAMPLES file (chapter XII).
+ nfprobe, sfprobe: introduced support for export of the BGP next-hop
  information. Source data selection for BGP next-hop is being linked
  to [pmacctd_as|uacctd_as] configuration directive. Hence it must be
  set to 'bgp' in order for this feature to work.
+ nfprobe, sfprobe, BGP daemon: new set of features (nfprobe_ipprec,
  sfprobe_ipprec, bgp_daemon_ipprec) allows to mark self-originated
  sFlow, NetFlow and BGP datagrams with the supplied IP precedence
  value.
+ peer_src_ip (IP address of the NetFlow emitter, agent ID of the
  sFlow emitter) and peer_dst_ip (BGP next-hop) can now be filled
  from NetFlow/sFlow protocols data other than BGP. To activate the
  feature nfacctd_as_new/sfacctd_as_new have to be 'false' (default
  value), 'true' or 'file'.
+ print plugin: introduced support for Comma-Separated Values (CSV)
  output in addition to formatted-text. A new print_output feature
  allows to switch between the two.
+ pmacctd: improved 802.1ad support. While recursing, outer VLAN is
  always reported as value of the 'vlan' primitive.
! fix, pmacctd: 802.1p was kept integral part of the 'vlan' value.
  Now a 0x0FFF mask is applied in order to return only the VLAN ID.
! fix, pkt_handlers.c: added trailing '\0' symbol when truncating
  AS-PATH and BGP community strings due to length constraints.
! fix, sql_common.c: maximum SQL writers warning message was never
  reached unless a recovery method is specifited. Thanks to Sergio
  Charpinel Jr for reporting the issue.
! fix, MySQL and PostgreSQL plugins: PGRES_TUPLES_OK (PostgreSQL)
  and errno 1050 (MySQL) are now considered valid return codes when
  dynamic tables are involved (ie. sql_table_schema). Thanks to
  Sergio Charpinel Jr for his support.
! fix, BGP daemon: pkt_bgp_primitives struct has been explicitely
  64-bit aligned. Mis-alignment was causing crashes when buffering
  was enabled (plugin_buffer_size). Verified on Solaris/sparc.


NOTES.


Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] PostgreSQL large database

[Paolo Lucente]

Hi Sergio,

It looks those processes are locked out of the table they want to
write to. In MySQL you can check this kind of stuff with a SHOW
PROCESSLIST; the PostgreSQL equivalent should be SELECT * FROM
pg_stat_activity. Its output might very well shed some light.

Just btw, the number of pmacct processes allowed to queue up is
settable via the sql_max_writers configuration directive.

Cheers,
Paolo


On Thu, May 13, 2010 at 10:04:14AM -0300, Sergio Charpinel Jr. wrote:
 Hi,
 
 After less than one day running pmacct, my database grew from 1.5G to 15G.
 At this point I get a lot of postmaster and nfacctd process, and none of
 them seems to be using CPU and not writting in DB.
 
  6774 root  15   0  160m 103m  916 S  0.0  0.9   0:04.04 nfacctd
  6775 postgres  15   0 2210m 1.3g 1.3g S  0.0 11.8   0:31.50 postmaster
  6784 root  15   0  160m 103m  916 S  0.0  0.9   0:04.19 nfacctd
  6785 postgres  16   0 2210m 1.1g 1.1g S  0.0  9.9   0:23.77 postmaster
  6794 root  15   0  160m 103m  916 S  0.0  0.9   0:02.81 nfacctd
  6795 postgres  15   0 2210m 1.1g 1.1g S  0.0  9.4   0:20.57 postmaster
  6804 root  15   0  160m 103m  916 S  0.0  0.9   0:02.04 nfacctd
  6805 postgres  16   0 2210m 870m 867m S  0.0  7.4   0:14.03 postmaster
  6819 root  15   0  160m 103m  916 S  0.0  0.9   0:02.64 nfacctd
  6820 postgres  15   0 2210m 816m 813m S  0.0  7.0   0:13.14 postmaster
  6829 root  15   0  160m 103m  916 S  0.0  0.9   0:01.17 nfacctd
  6830 postgres  15   0 2210m 625m 622m S  0.0  5.3   0:09.63 postmaster
  6861 root  15   0  160m 103m  916 S  0.0  0.9   0:01.28 nfacctd
  6862 postgres  15   0 2210m 558m 556m S  0.0  4.8   0:08.16 postmaster
  6889 root  15   0  160m 103m  916 S  0.0  0.9   0:00.33 nfacctd
  6890 postgres  16   0 2210m 269m 267m D  0.0  2.3   0:03.16 postmaster
 
 [ ... ]


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] MySQL index performance

[Paolo Lucente]

Hi Chris,

 I think it would make no semantic difference, but would increase MySQL 
 performance with these table types, if the primary key listed 
 stamp_inserted first instead of last.

The change you propose, as you say, would not be impacting - but would
you have any testing handy which confirms the hint? Another option to get
a monotonically increasing key is to set a synthetic index, ie. a spare
field defined as AUTO_INCREMENT, which needs to be complemented by some
indexes of choice in order to be effective. I've recently spared some
time to write this page on the wiki:

http://wiki.pmacct.net/CustomizingTheSqlIndexes

Comments? Perhaps an idea is to contribute the Implementation Notes
section of the wiki with other takes on those topics (or new topics)?

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Expiring Orphan fragment

[Paolo Lucente]

Hi,

To wrap-up this thread - unless new details emerge:
 
On Tue, May 04, 2010 at 11:53:59AM +, Paolo Lucente wrote:
 
 * one capturing some torrent traffic, so that i can replay it in a
   testbed and see if i can reproduce and validate the behaviour.

Orphan fragments are really there. Action point on my side is to mark
these log messages as debug rather than informational. 

 * the other capturing some NetFlow packets delivered to nfacctd so
   that i can look into them with a packet analyzer. It should never
   happen that nfacctd is unable to parse NetFlow datagrams produced
   by nfprobe.

The box was suffering sustained load due to the pmacctd process acting
as NetFlow probe lacking of internal buffering. This in turn generated
some packet loss. Adding the following lines to the configuration did
help bringing back the load of the box to acceptable levels:

plugin_buffer_size: 102400
plugin_pipe_size: 1024

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Expiring Orphan fragment

[Paolo Lucente]

Hi Sergio,

Good point. 

I've just marked PGRES_TUPLES_OK as valid return code within the
PG_create_dyn_table() function - and committed the change to the
CVS. Can you please confirm it works OK for you?

Cheers,
Paolo 

On Mon, May 03, 2010 at 10:10:18AM -0300, Sergio Charpinel Jr. wrote:
 Paolo,
 
 I think the problem is in the SELECT.
 SELECT returns PGRES_TUPLES_OK, which means, a PGRES_COMMAND_OK plus
 result data.
 
 [ ... ]


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Expiring Orphan fragment

[Paolo Lucente]

Hi Sergio,

On Thu, Apr 29, 2010 at 11:23:35AM -0300, Sergio Charpinel Jr. wrote:

 Does anyone know what this mean? I getting a lot of them in pmacctd.log
 Expiring orphan fragment: ip_src=210.197.202.84 ip_dst=200.137.66.1 proto=17
 id=8885

It means some IP fragments have been staying too long into the pmacctd
fragment handler waiting for the missing pieces to come. If not in huge
amounts, this can be sympthom of white noise on the public internet
(scans, attacks, etc.).

 Regarding the topic, when using dynamic tables with postgreSQL, How can I
 verify if a table already exists before trying to create them, to avoid a
 lot of 'Table already exists' messages in nfacctd.log with dynamic table?

I'm not sure there is something already cooked to circumvent that. It
should be possible though with a few lines of PL/PGSQL, ie.:

IF EXISTS (SELECT relname FROM pg_class WHERE relname='table') 
THEN 
...
ELSE 
...
ENDIF

The simplest way should be to get the table name as parameter and embed
the actual SQL table schema within the function declaration.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Low performance query

[Paolo Lucente]

Hi Sergio,

The sql_history drives temporal aggregation by splitting traffic data
into time-bins. You configured 5 minutes time-bins. See the behaviour
of the 'stamp_inserted' field, ie. do SELECT DISTINCT(stamp_inserted)
FROM table ORDER BY stamp_inserted, to get this more clear. The
roundoff thing does some nice time alignment. 

So, increasing the size of the time-bins will be certainly beneficial
but that's not the entire win: important thing is understanding what
you are trying to achieve by putting data into PostgreSQL and choose
a suitable spatial aggregation method (the aggregate directive) for
your task. Suitable here means: build a data-set fitting your project
requirements with the (nearly) least possible amount of records.

Then indexing. It gets useful speeding up SQL queries with conditions,
ie. WHERE ip_src = 'x.x.x.x'. If that's the kind of query you run the
most, try inserting in the SQL table schema a INDEX (ip_src), after
the PRIMARY KEY line. Perhaps you might want to do the same with the
ip_dst field.

Cheers,
Paolo


On Tue, Apr 27, 2010 at 10:37:28PM -0300, Sergio Charpinel Jr. wrote:

 I'm getting low perfomance while selecting from psql and from FloX.
 For example, selecting * WHERE ip_src = 'x.x.x.x'
 
 How can I do a more compact aggregation? You mean by getting samples ?
 Actually, I did not understand very well sql_history and roundoff concepts,
 but increasing history would do the trick?
 
 Thanks for answering.
 
 Cheers.
 
 2010/4/27 Paolo Lucente pa...@pmacct.net
 
  Hi Sergio,
 
  I don't know FloX very well - hence would be good information to know
  which specific SQL queries are performing bad. Maybe there is room to
  improve indexing.
 
  Is it also your goal to store every micro-flow into the SQL database?
  Any chance a more compact aggregation method would fit the bill?
 
  Cheers,
  Paolo
 
 
  On Tue, Apr 27, 2010 at 11:36:50AM -0300, Sergio Charpinel Jr. wrote:
   Hi,
  
   I'm using pmacct 0.12.1 with PostgreSQL 8.4 and FloX. i'm running pmacctd
   and nfacctd daemons (probe and collector).
  
   After 1 day running, I'm getting 1+min to make a query.
   Is there any config in pmacct and PostgreSQL that I can do improve this?
  
   Here is my config in pmacct:
  
   pmacctd.conf:
   daemonize: true
   aggregate: src_host, src_port, dst_host, dst_port, proto, tcpflags
   plugins: nfprobe
   nfprobe_receiver: x.x.x.x
   nfprobe_version: 9
   interface: eth1
  
   nfacctd.conf:
   daemonize: true
   pidfile: /var/run/nfacctd.pid
   aggregate: src_host,dst_host, src_port, dst_port, proto, tcpflags
   plugins: pgsql
   sql_table_version: 7
   sql_db: x
   sql_host: x.x.x.x
   sql_passwd: xxx
   sql_user: x
   sql_refresh_time: 300
   sql_history: 5m
   sql_history_roundoff: m
   sql_dont_try_update: true
   nfacctd_port: 
   nfacctd_ip: 
  
   In PostgreSQL, I did not change the default config in CentOS 5.4.
  
   Thanks in advance!
  
   --
   Sergio Roberto Charpinel Jr.
 
  ___
  pmacct-discussion mailing list
  http://www.pmacct.net/#mailinglists
 
 
 
 
 -- 
 Sergio Roberto Charpinel Jr.

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] sflow in_iface out_iface information wrong

[Paolo Lucente]

Hi Bernd,

If i get it correctly, you should be referring to the big 1073741823
and 2147483648 values in your SQL table. According to the sFlow (v5)
specifications, these values are perfectly valid:

1073741823 = 0x3FFF: [ ... ] this is used in describing traffic
which is not bridged, routed, or otherwise sent through the device being
monitored by the agent, but which rather originates or terminates in the
device itself. In the input field, this value is used to indicate packets
for which the origin was the device itself (e.g. a RIP request packet
sent by the device, if it is acting as an IP router).  In the output
field, this value is used to indicate packets for which the destination
was the device itself (e.g. a RIP response packet (whether unicast or
not) received by the device, if it is acting as an IP router).

2147483648 = 0x8000: indicates a packet sent to an unknown number
of interfaces greater than 1. - broadcast or multicast come to mind.

There are some further codes/information passed through the interface
fields; i'd like to point you to [1] for a more complete reference -
even though it says new codes might be issued over the time.

Of course, with tagging you drive what you expect to see; while dumping
information straight from sFlow into a primitive catches such additional
things you either don't know about or won't expect to see.

Cheers,
Paolo

[1] http://www.sflow.org/SFLOW-DATAGRAM5.txt


On Tue, Apr 27, 2010 at 12:46:44PM +0200, Bernd Boom wrote:
 Hi everybody,
  
 is use the sflow collector and want to collect sflow data depending 
 on the inteface information which should be possible since version 0.12.1.
  
 The importat columns are in_iface and out_iface as you can see in the
  aggregate part.
  
 -
  aggregate: tag,tag2,in_iface, 
 out_iface,flows,tcpflags,vlan,tag,src_host,dst_hos
 t,src_port,dst_port,proto,src_mac,dst_mac,tos
 -
  
 The problem is that i receive the following (sometimes wrong) interface 
 information, as you can seen from the database output.
  
 [ ... ]
 
 The correct interfaces are for example agent_id=323 and 24.
  
  I compile with --64bit and without this option,  but with the same result.
  
 Are there any ideas why the interface information is sometimes wrong
  
 Although it is to my infomation not possible that there are in and 
 out interface information in the same flow informatione (mostly the switches 
 only support only (in-flowaccounting) as this switches!
  
 The version 0.12.0 works correct with these foundry switches with 
 pretagging the interface information!
  
 many thanks
  
 Bernd Boom


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Low performance query

[Paolo Lucente]

Hi Sergio,

I don't know FloX very well - hence would be good information to know
which specific SQL queries are performing bad. Maybe there is room to
improve indexing. 

Is it also your goal to store every micro-flow into the SQL database?
Any chance a more compact aggregation method would fit the bill?

Cheers,
Paolo


On Tue, Apr 27, 2010 at 11:36:50AM -0300, Sergio Charpinel Jr. wrote:
 Hi,
 
 I'm using pmacct 0.12.1 with PostgreSQL 8.4 and FloX. i'm running pmacctd
 and nfacctd daemons (probe and collector).
 
 After 1 day running, I'm getting 1+min to make a query.
 Is there any config in pmacct and PostgreSQL that I can do improve this?
 
 Here is my config in pmacct:
 
 pmacctd.conf:
 daemonize: true
 aggregate: src_host, src_port, dst_host, dst_port, proto, tcpflags
 plugins: nfprobe
 nfprobe_receiver: x.x.x.x
 nfprobe_version: 9
 interface: eth1
 
 nfacctd.conf:
 daemonize: true
 pidfile: /var/run/nfacctd.pid
 aggregate: src_host,dst_host, src_port, dst_port, proto, tcpflags
 plugins: pgsql
 sql_table_version: 7
 sql_db: x
 sql_host: x.x.x.x
 sql_passwd: xxx
 sql_user: x
 sql_refresh_time: 300
 sql_history: 5m
 sql_history_roundoff: m
 sql_dont_try_update: true
 nfacctd_port: 
 nfacctd_ip: 
 
 In PostgreSQL, I did not change the default config in CentOS 5.4.
 
 Thanks in advance!
 
 -- 
 Sergio Roberto Charpinel Jr.

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Duplicate entry problem.

[Paolo Lucente]

Hi Sergey,

Duplicates are a clear consequence of the urgent DB writer in
conjunction with disabling UPDATE queries (sql_dont_try_update)
and the configured (default, i guess) primary key. Urgent writers
are elicited by shortage of entries available in the SQL cache. 

Having memory available, my advice is to increase the value of
sql_cache_entries until it matches your traffic footprint (you
don't see duplicates anymore). I'd start with simply selecting
a prime number (see CONFIG-KEYS, INTERNAL documents) in the area
of 256000 and otherwise go one order up. If additional memory
is not an option i would advice to change the primary key to a
simple auto-increment index. 

You should also bring back the sql_refresh_time to 60, hence
matching the sql_history configured value. 

Cheers,
Paolo


On Fri, Apr 16, 2010 at 02:32:06PM +0400, Sergey Veltistov wrote:
 Hi
 
 I get many errors in my log:
 
 DEBUG ( default/mysql ): FAILED query follows:
 INSERT INTO `acct_bgp` (stamp_updated, stamp_inserted, as_src, as_dst, 
 local_pref, peer_as_dst, packets, bytes) VALUES (FROM_UNIXTIME(1271412061), 
 FROM_UNIXTIME(1271411700), 0, 29791, 120, 28809, 1766, 379285)
 ERROR ( default/mysql ): Duplicate entry 
 '0-0-29791-0-28809-120-0-2010-04-16 13:55:00' for key 1
 
 Nfacctd process during the occurrence of these errors.
 54055  p5  S+ 0:27.57 nfacctd: Core Process [default] (nfacctd)
 54056  p5  S+ 0:19.70 nfacctd: MySQL Plugin [default] (nfacctd)
 54083  p5  S+ 0:04.32 nfacctd: SQL Plugin -- DB Writer (urgent) [default] 
 (nfacctd)
 
 Pmacct receives netflow v5 info from cisco router with traffic through
 interfaces approximately 4.5Gbit/s (sum in/out).
 
 Mysql scripts pmacct-create-db_bgp_v1.mysql.
 
 Start cmd for testing: ./nfacctd -f mysql.conf
 
 My config:
 
 --
 daemonize: false
 promisc: false
 !
 !debug: true
 !
 plugins: mysql
 plugin_pipe_size: 4096
 plugin_buffer_size: 40960
 !
 nfacctd_ip: x.x.x.x
 nfacctd_port: 9985
 nfacctd_time_new: true
 aggregate: src_as, dst_as, local_pref, peer_dst_as
 !
 pmacctd_as: bgp
 bgp_daemon: false
 bgp_daemon_ip: x.x.x.x
 bgp_daemon_port: 179
 bgp_daemon_max_peers: 1
 bgp_agent_map: /usr/local/pmacct/sbin/agent_to_peer.map
 bgp_peer_src_as_type: map
 bgp_peer_src_as_map: /usr/local/pmacct/sbin/peers.map
 !
 sql_db: pmacct
 sql_table_version: 1
 sql_table_type: bgp
 sql_passwd: xx
 sql_user: pmacct
 sql_optimize_clauses: true
 sql_dont_try_update: true
 sql_cache_entries: 256000
 sql_multi_values: false
 !
 sql_history_roundoff: mhd
 sql_history: 1m
 sql_refresh_time: 30
 sql_table: acct_bgp
 -
 
 Any hints?
 
 
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

[pmacct-discussion] pmacct 0.12.1 released !

[Paolo Lucente]

VERSION.
0.12.1


DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
measure, account, classify, aggregate and export IPv4 and IPv6
traffic; a pluggable and flexible architecture allows to store
collected network data into memory tables or SQL (MySQL, SQLite,
PostgreSQL) databases and export them through NetFlow or sFlow
protocols to remote collectors. pmacct supports fully customizable
historical data breakdown, sampling, filtering and tagging and
triggers. Libpcap, Netlink/ULOG, sFlow v2/v4/v5 and NetFlow v1/
v5/v7/v8/v9 are supported, both unicast and multicast. Also, a
client program makes it easy to export data to tools like RRDtool,
GNUPlot, Net-SNMP, MRTG, and Cacti.


HOMEPAGE.
http://www.pmacct.net/


DOWNLOAD.
http://www.pmacct.net/pmacct-0.12.1.tar.gz


CHANGELOG.
+ Input/output interfaces (SNMP indexes) have now been implemented
  natively; it's therefore not required anymore to pass through the
  (Pre-)tag infrastructure. As a result two aggregation primitives
  are being introduced: 'in_iface' and 'out_iface'.
+ Support for source/destination IP prefix masks is introduced via
  two new aggregation primitives: src_mask and dst_mask. These are
  populated as defined by the [nf|sf|pm|u]acctd_net directive:
  NetFlow/sFlow protocols, BGP, Network files (networks_file) or
  static (networks_mask) being valid data sources.
+ A generic tunnel inspection infrastructure has been developed to
  benefit both pmacctd and uacctd daemons. Handlers are defined via
  configuration file. Once enabled daemons will account basing upon
  tunnelled headers rather than the envelope. Currently the only
  supported tunnel protocol is GTP, the GPRS tunnelling protocol
  (which can be configured as: tunnel_0: gtp, UDP port). Up to
  8 different tunnel stacks and up to 4 tunnel layers per stack are
  supported. First matching stack, first matching layer wins.
+ uacctd: support for the MAC layer has been added for the Netlink/
  ULOG Linux packet capturing framework.
+ 'nfprobe_source_ip' feature introduced: it allows to select the
  IPv4/IPv6 address to be used to export NetFlow datagrams to the
  collector.
+ nfprobe, sfprobe: network masks are now exported via NetFlow and
  sFlow. 'pmacctd_net' and its equivalent directives define how to
  populate src_mask and dst_mask values.
! cleanup, nfprobe/sfprobe: data source for 'src_as' and 'dst_as'
  primitives is now expected to be always explicitely defined (in
  line with how 'src_net' and 'dst_net' primitives work). See the
  UPGRADE doc for the (limited) backward compatibility impact.
! Updated SQL documentation: sql/README.iface guides on 'in_iface'
  and 'out_iface' primitives; sql/README.mask guides on 'src_mask'
  and 'dst_mask' primitives; sql/README.is_symmetric guides on
  'is_symmetric' primitive.
! fix, nfacctd.h: source and destination network masks were twisted
  in the NetFlow v5 export structure definition. Affected releases
  are: 0.12.0rc4 and 0.12.0.
! fix, nfprobe_plugin.c: l2_to_flowrec() was missing some variable
  declaration when the package was configured for compilation with
  --disable-l2. Thanks to Brent Van Dussen for reporting the issue.
! fix, bgp.c: bgp_attr_munge_as4path() return code was not defined
  for some cases. This was causing some BGP messages to be marked
  as malformed.
! fix, sfprobe: a dummy MAC layer was created whenever this was not
  included as part of the captured packet. This behaviour has been
  changed and header protocol is now set to 11 (IPv4) or 12 (IPv6)
  accordingly. Thanks to Neil McKee for pointing the issue.
! workaround, building sub-system: PF_RING enabled libpcap was not
  recognized due to missing of pcap_dispatch(). This is now fixed.


NOTES.
* data source for 'src_as' and 'dst_as' primitives for nfprobe and
  sfprobe plugins is now expected to be explicitely defined via the
  [ pmacctd_as | uacctd_as ] directive. All other plugins were already
  working like that. In terms of backward compatibility the only case
  affected is getting ASN values out of a Networks File: up to 0.12.0,
  it was sufficient to define a networks_file to implicitely use it.


Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] ifindex and netmask records

[Paolo Lucente]

Hi Richard,

On Fri, Apr 02, 2010 at 03:12:23AM -0500, Richard A Steenbergen wrote:

 * Record (and aggregate on) the address of the router that exported a 
 flow via netflow/sflow. Basically I just want to know which router 
 exported the flow to me, using either the agent address if available (on 
 sflow, etc), or the source address of the netflow packet. 

As Nitzan correctly mentioned, pre-tagging should be used for this. The
idea is you get a tag instead of the IP address of the NetFlow/sFlow
exporter. If doesn't suit, just let me know: I would see it as a good
feature request.

 * Record (and aggregate on) the src/dst ifindexes that are exported via 
 sflow/netflow protocols. Obviously this would be paired with the router 
 id mentioned above to give the ifindex meaning, :)

As of 0.12.1 (which will be out in roughly a week) or the code currently
in the CVS you have the in_iface and out_iface aggregation primitives.

The legacy way (up to 0.12.0) to do it was via pre-tagging as per the
point before. Of course pre-tagging (so map ifindexes to tags) can still
be used when a stricter control (filter out un-needed stuff) is required
as part of the aggregation process. 

 * Record the mask that was used in a src/dst_net aggregator. I figured 
 out how to dynamically aggregate by the netmask value exported via 
 netflow/sflow (via the pmacct changelog, it doesn't seem to be in the 
 documentation anywhere I could find), but it doesn't record the netmask 
 that was used. For example, say I receive an export for a flow to 

 [ ... ]

As of 0.12.1 (which will be out in roughly a week) or the code currently
in the CVS you have the src_mask and dst_mask aggregation primitives :-)
You have also a set of [ nfacctd_net | sfacctd_net | pmacctd_net ] config
directives which have as values [ netflow | sflow | mask | file | bgp ].
It means the network prefix and the netmask can be explicitely grasped out
of: netflow, sflow, bgp, a networks_file: a file where some networks are
listed (can be also a dump of the full BGP table) which makes sense going
libpcap or ULOG really or a static netwosk_mask directive: ie. aggregate
everything to /24: it makes sense once again if going libpcap or ULOG.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] uacctd documentation

[Paolo Lucente]

Hi Ross,

On Thu, Mar 25, 2010 at 09:57:05AM -0400, Ross Vandegrift wrote:

 Thanks for the examples!  I'm having trouble with the iptables piece
 of the puzzle though.  I suspect this is because I'm mirroring traffic
 to this server and the L2 destination doesn't match any address
 present on the server.  I've tried add ebtables dnat to rewrite the
 destination MAC of incoming frames to the local interface address, but
 this doesn't work.

I'm curious: if mirroring traffic to the box, why resorting to uacctd
and iptables/etables? You have pmacctd (libpcap-based) readily available
for such scenario. With uacctd covering the case where traffic is being
cleanly routed through (or to) the Linux box.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] uacctd documentation

[Paolo Lucente]

Hi Ross,

On Fri, Mar 26, 2010 at 02:46:51PM -0400, Ross Vandegrift wrote:

 I'm curious if I can acheive better performance for generating sflow
 data.  My plan was to use the iptables statistics module to do the
 sampling, to ensure that only sampled packets were being sent to
 userspace.  Since my sampling target is around 1:2000, this has the
 potential to cut down on a lot of work sending packets to userspace
 that will be ignored.
 
 Neil at InMon suggested this as a possible tactic for more efficient
 sflow generation than sfacctd when looking at around 3Gb/s and
 500kpps.  pmacctd appears to be keeping up, but around 55-80% CPU.
 Traffic will continue to grow, and I'd like to see if I can't get
 performance better to make the system last longer.

I see. It's just not clear whether you are using pmacctd compiled
against vanilla libpcap. If this is the case, i can advice to give
a try to PF_RING. The kernel module can be configured for sampling
by passing the sample_rate parameter. At a glance, it would just
seem fitting better your scenario.

In case you want to go this way, please use the code from the CVS
as the build sub-system (configure script, etc.) has been patched
to recognize presence of PF_RING. This will indeed make it in the
upcoming release 0.12.1.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] aggregate-filter min packet count and bgp sql table questions

[Paolo Lucente]

Hi Brent,

Good to see progress.

The entries stay forever, there is not an aging-out mechanism. Reason
being you are supposed to do it yourself, at regular intervals, to build
a time reference for the counters. 

For example a simplistic scenario is a cronjob entry, set up every 5
minutes, that launches a pmacct -s -e  counters-time.txt. Such
commandline a) fetches the whole content of the table, b) writes it
to a file and c) cleans the full table up. Should be all you need to
feed such data into 3rd party applications for reporting, graphing,
etc.

Cheers,
Paolo


On Thu, Mar 11, 2010 at 02:00:27PM -0800, Brent Van Dussen wrote:
 Good news, no longer getting the errors and my system hasn't fallen on  
 its face yet.

 Also have 2-3x more entries in the memory tables so that's excellent as 
 well.

 My next question is regarding aging of entries in the memory table, how 
 is this done?  At first I checked one of the tables and there were over 
 100k entries, 3 or 4 seconds later when I checked the table it was down 
 to 50k entries and seems to fluctuate +/- 15k entries.

 I've read the INTERNALS document pertaining to memory tables but it  
 wasn't quite clear in this regard.

 Thanks!
 -Brent

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] aggregate-filter min packet count and bgp sql table questions

[Paolo Lucente]

Hi Brent,

Thanks very much for the feedback. I've just corrected the issue
and will commit it to the CVS shortly later today. 

Cheers,
Paolo


On Thu, Mar 11, 2010 at 09:26:57AM -0800, Brent Van Dussen wrote:
 Paolo -

 Just tried to build the latest CVS version and am getting compile errors 
 when configure option --disable-l2 is used.  When I re-configured 
 without it everything builds fine.

 Here's the error I get:

 -bash-3.2$ make
 Making all in src
 gmake[1]: Entering directory `/home/bvd/pmacct-cvs/pmacct/src'
 Making all in nfprobe_plugin
 gmake[2]: Entering directory `/home/bvd/pmacct-cvs/pmacct/src/ 
 nfprobe_plugin'
 gcc -DPACKAGE=\pmacctd\ -DVERSION=\0.12.1-cvs\ -DPROGNAME=1 - 
 DIM_LITTLE_ENDIAN=1 -DHAVE_PCAP_H=1 -DHAVE_LIBPCAP=1 -DPCAP_7=1 - 
 DPCAP_TYPE_linux=1 -DHAVE_DLOPEN=1 -DSTDC_HEADERS=1 -DHAVE_SYS_WAIT_H=1 
 -DHAVE_GETOPT_H=1 -DHAVE_SYS_SELECT_H=1 -DHAVE_SYS_TIME_H=1 
 -DHAVE_U_INT64_T=1 -DHAVE_U_INT32_T=1 -DHAVE_U_INT16_T=1 
 -DHAVE_U_INT8_T=1 -DENABLE_THREADS=1 -DRETSIGTYPE=void -DHAVE_VSNPRINTF=1 
  -I. -I.. -O2  -DFLOW_SPLAY-DEXPIRY_RB   -c -o 
 nfprobe_plugin.o 
 nfprobe_plugin.c
 nfprobe_plugin.c: In function ???l2_to_flowrec???:
 nfprobe_plugin.c:312: error: ???p??? undeclared (first use in this  
 function)
 nfprobe_plugin.c:312: error: (Each undeclared identifier is reported  
 only once
 nfprobe_plugin.c:312: error: for each function it appears in.)
 gmake[2]: *** [nfprobe_plugin.o] Error 1
 gmake[2]: Leaving directory `/home/bvd/pmacct-cvs/pmacct/src/ 
 nfprobe_plugin'
 gmake[1]: *** [all-recursive] Error 1
 gmake[1]: Leaving directory `/home/bvd/pmacct-cvs/pmacct/src'
 make: *** [all-recursive] Error 1

 Should be able to let you know shortly how the prefix length feature  
 works.

 Thanks,
 -Brent

 On Mar 9, 2010, at 8:28 AM, Brent Van Dussen wrote:

 Thanks for getting this set up Paolo!

 We'll get the latest CVS version loaded and tested this week to  
 provide feedback.

 Cheers,
 -Brent

 On Mar 7, 2010, at 1:34 AM, Paolo Lucente wrote:

 Hi Brent, All,

 On Sat, Feb 20, 2010 at 01:05:20AM +, Paolo Lucente wrote:

 Would it also be possible to have the dst_net appended with mask  
 length
 and a slightly larger DB field to accomodate it?   
 255.255.255.255/25
 would be a CHAR(18) instead of CHAR(15) but it would be really  
 nice to
 have this information from BGP or the sflow prefix field added in 
 so a
 network map isn't needed.

 Netmasks. They are not there but i've recently received two more
 requests in a row for such a feature. All coming from people making
 use of the BGP feature. Hence, this is on my todo list and will
 appear very soon - would say roughly 3-4 weeks. Would such approx
 timeline match your expectations?

 To say at this propo that network masks have now been implemented
 as aggregation primitives. It's all published in the CVS. Network
 masks lie in a different field from the IP prefix - so that this
 implementation can get handy for other, ie. statistical, purposes.
 Indeed, SQL language manipulation can be used to merge masks and
 IP prefixes together on output.

 Also, good property of this way of proceeding is that by keeping
 masks in a separate field, they can be defined as INT(1) which is
 space-savy compared to a string representation within the IP prefix
 field. I already see this argument will not particularly impress
 the PosgreSQL friends but it's done for the sake of selecting a
 generic approach (not all RDBMS packages have the luxury of 'inet'
 types ...).

 Cheers,
 Paolo


 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists


 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] aggregate-filter min packet count and bgp sql table questions

[Paolo Lucente]

Hi Brent,

On Thu, Mar 11, 2010 at 10:01:26AM -0800, Brent Van Dussen wrote:

 I wanted to ask about these messages we're getting in the logs now that 
 we're using mem tables:

 WARN ( prefixes/memory ): Unable to allocate more memory pools, clear  
 stats manually!
 WARN ( as_path/memory ): Unable to allocate more memory pools, clear  
 stats manually!

 What does it mean?  It seems like data is still getting into the mem  
 tables.

It means the aggregates that are already in the table will still get
updated as new traffic comes in. But new aggregates will not make it
into the memory structure. Under default settings, it's a protection
mechanism to limit memory allocation. It can be fine tuned by reading
the INTERNALS document or briefly worked around by configuring:

imt_mem_pools_number: 0

If configuring such setting you still see the message above, it means
the process is unable to allocate more memory from the system (either
software or hardware limit).

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Log output from pmacctd Ive never seen before

[Paolo Lucente]

Hi Jeff,

How often you get this message?

Every time you see it, you miss a packet. The way to read
that line is: libpcap passed only the first 37 bytes of
the datagram to pmacct; L4 appears to start at the 38th
octet; and you might have specified src_port or dst_port
in your aggregation method. 

By default pmacct snaplen for IPv4 packets is 68 bytes,
so imposing something explicit wouldn't help. It appears
the reason for such truncation is external - hence the
question at the beginning of this email.

Cheers,
Paolo


On Sun, Feb 28, 2010 at 11:56:50PM -0800, Jeff Welling wrote:
 Hello again all!
 
 Just recently I started seeing this line in my logs every couple of minutes;
 
 Feb 28 23:34:57 gir pmacctd[12915]: INFO ( default/core ): short IPv4
 packet read (37/38/frags). Snaplen issue ?
 
 Gir being the name of my gateway machine.
 Recent events include installation of an additional internet connection
 (dual-homed), and configuring pmacctd to monitor the new interface with
 basically the same setup as my other interface, and setting the
 interface to not auto-negotiate its speed because that was causing problems.
 
 Does this mean pmacct is missing information? Should the snaplen be
 increased, I dont think Im doing classification and CONFIG-KEYS says the
 defaults should be ok unless your using classification?
 
 Cheers,
 Jeff.
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Pmacct data inconsistencies between tables.

[Paolo Lucente]

Hi Daniel,

I see the 1 minute table contains duplicates - it would be
better to say that _everything_ extracted is repeated twice.
It could be handy to add tags to the aggregation method and
assign a different 'post_tag' to each plugin so to identify
who is generating them. 

I also wonder: how does the primary key of the 1 min table
look like? Is it any different from the 1 hour table? With
the sql_don_try_update turned on and the default indexing,
duplicates are not possible. 

Also at a closer look to the configuration you posted i see
no aggregate_filter are specified (see EXAMPLES): it means 
each plugin collects and tries to write to the same table
both inbound and outbound traffic. So either you can remove
one set of plugins or craft a proper aggregate_filter so
that each does only its bit of the job.

With regards to the missing tuples, from the few checks i've
done, it is always the case that something is in the 1 hour
table but can be missing in the 1 minute one. This can very
well be the result of a shared 'sql_preprocess: minb = 1000'
directive: a flow can accumulate more than 1000 bytes in 1
hour but not in 1 minute - and hence it's accounted in one
table and stripped off in the other.

Given the sql_preprocess you should never expect counters
to match for the same reason as above. To have a comparison
more apples to apples, you should consider removing it and
when confident everything is allright put it back again.

Finally, unrelated to the issue: please for the benefit of
public archives, don't send attachments to the list.

Cheers,
Paolo

 

On Fri, Feb 19, 2010 at 12:11:24PM +, Daniel Levy wrote:
 Hi Paolo,
 
 Here is a report with differences between the two tables.  There are a
 lot of differences between the download figures as well as some
 instances where IP addresses are only found in one table (see
 report.txt). I also have some raw data for the time periods between
 10:00 and 11:00 on 11/02/2010, which are being sent separately via
 yousendit.
 
 Regards
 
 -- 
 Daniel Levy
 
 Aptivate | http://www.aptivate.org/ | +44 (0)1223 760887
 The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
 
 Aptivate is a not-for-profit company registered in England and Wales
 with company number 04980791. 
 
 
 
 Paolo Lucente wrote:
  Hi Daniel,
 
  Getting through the data and compare traffic figures is,
  IHMO, the more practical approach - compared to trying to
  reproduce the issue in a controlled environment. Once you
  discover a descrepancy, it would be great to receive the
  contributing data of each report to see where the issue
  comes from.
 
  It's also true that version 0.9.1 is almost 5 years old; i
  would highly encourage to refresh it. I should be correct
  saying Ubuntu features also version 0.11.4 and 0.11.6 if
  you really don't like the idea of compiling 0.12 yourself
  (which would be my preferred approach).
 
  Let me know.
 
  Cheers,
  Paolo
 
 
 
  On Mon, Feb 15, 2010 at 10:41:21AM +, Daniel Levy wrote:

  Hi Paolo,
 
  Thanks for getting back to me. The version of pmacct being used is
  0.9.1-1ubuntu1. I'm not sure how the problem was discovered, but I have
  asked to person who found the problem to tell me and I will forward you
  the response. As for the reports, I'm not entirely sure what you need. I
  am considering going through the database data for each hour and
  comparing the total figures for uploaded and downloaded packets, per IP
  address between the two tables.  Would this give you the information
  you're looking for?
 
  -- 
  Daniel Levy
 
  Aptivate | http://www.aptivate.org/ | +44 (0)1223 760887
  The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
 
  Aptivate is a not-for-profit company registered in England and Wales
  with company number 04980791. 
 
 
 
  Paolo Lucente wrote:
  
  Hi Daniel,
 
  Unfortunately the configuration doesn't make evident where the
  issue can be. The 'sql_dont_try_update' very well protects against
  duplicate tuples - so i'm rather inclined to exclude that reason. 
 
  Which version are you using? How you did discover the issue - ie.
  did you upgrade recently from a previous version or is a fresh
  installation? Finally, is it possible to get - privately - two
  reports, one from each table, for the same time period? Say, one
  or better two hours? 
 
  Let me know.
 
  Cheers,
  Paolo
 
 
  On Fri, Feb 12, 2010 at 03:19:38PM +, Daniel Levy wrote:


  Hi,
 
  I'm using pmacct to store data in two tables, one containing data
  recorded on a per minute basis, the other containing data recorded on an
  hourly basis. When I get data for the first table over a period of three
  hours, the download traffic (calculated by adding up the bytes field for
  traffic where the ip_dst value is from a machine on the local network)
  for one IP address on the network is 3,719,772,656 bytes. The download
  traffic from the second table for the same IP address over a period

Re: [pmacct-discussion] aggregate-filter min packet count and bgp sql table questions

[Paolo Lucente]

Hi Brent,

On Fri, Feb 19, 2010 at 10:51:21AM -0800, Brent Van Dussen wrote:

 I was curious if there was a way to have sfacctd only insert into the  
 database if a certain number of packets and/or bytes threshold is  
 reached.

It seems you are looking for the sql_preprocess directive - and minb
and/or minp keys. It allows to put some conditions for row insertion/
update at every refresh interval.

 Would it also be possible to have the dst_net appended with mask length 
 and a slightly larger DB field to accomodate it?  255.255.255.255/25 
 would be a CHAR(18) instead of CHAR(15) but it would be really nice to 
 have this information from BGP or the sflow prefix field added in so a 
 network map isn't needed.

Netmasks. They are not there but i've recently received two more
requests in a row for such a feature. All coming from people making
use of the BGP feature. Hence, this is on my todo list and will
appear very soon - would say roughly 3-4 weeks. Would such approx
timeline match your expectations?

Question to you (and others who might be interested indeed): given
the use you would make out of them; how would you envision netmasks
implementation in the DB structure? What would be handy: a separate
field in the table or the mask appended to the IP prefix string? I
do have myself an idea but don't want to biase answer(s) at this
stage.

 One final thing was that I saw erratic behavior with the as-path feature 
 when creating my own custom sql table from scratch, pasted  
 below...anything look like it shouldn't work?  I would comment out the  
 sql_table_version and sql_table_type and uncomment sql_table to define  
 the new table name to use and everything inserted ok just most of my  
 as-path's were then missing

 create table custom_llnw (
   agent_id INT(4) UNSIGNED NOT NULL,
   as_path CHAR(50) NOT NULL,
 packets INT UNSIGNED NOT NULL,
   bytes BIGINT UNSIGNED NOT NULL,
   stamp_inserted DATETIME NOT NULL,
   stamp_updated DATETIME,
   PRIMARY KEY (agent_id, stamp_inserted)
 );

Configuration and schema look OK (except for a primary key missing the
as_path, but perhaps that is intentional). In the table above, as_path
is the only primitive being grasped from BGP - it looks there might be
an underlying issue correlating sFlow data to BGP. Did you already clear
out other BGP primitives, ie. local_pref, are grasped OK? For some debug
you can enable the 'bgp_daemon_msglog' in order to verify the prefixes
are received OK. To see which router is successfully connecting, you can
locally enable debug. I can advice to give a name to the 'mysql' plugin
and then enable debug on the 'default' (core) process, ie.:

debug[default]: true
plugins: mysql[blabla]

If daemonizing, it would be convenient to add a 'logfile' directive to
get all such output nailed down somewhere persistent.

 Thanks and let me know if there's any other data I can provide.  Great  
 work on getting BGP implemented into the daemon!!!

Thanks!

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] unable to compile latest pmacct with pfring enabled libpcap ...

[Paolo Lucente]

Hi Sebastien,

It's not clear to me if this was working for you before (some
earlier pmacct release) and it doesn't instead with the latest.
I've just tried myself to compile pmacct 0.12.0 against a
libpcap 1.0.0 (vanilla) and it works fine. I'm also fairly
sure this worked up to 0.12.0rc4 for others - Yuriy should
be among them. 

Cheers,
Paolo

On Thu, Feb 18, 2010 at 01:01:14PM +0100, S?bastien Cramatte wrote:
 It doesn't works :( ... same error
 
 ./configure
 --with-pcap-includes=/usr/src/pf_ring/PF_RING/userland/libpcap-1.0.0-ring/pcap
 --with-pcap-libs=/usr/local/lib
 
 
 
 #ls
 
 2010/2/18 Yavetskiy Yuriy yavets...@kpi.ua
 
  Hello.
 
  Try to use  --with-pcap-includes=/path/to/userland/libpcap-1.0.0-ring/pcap
  --with-pcap-libs=/path/to/lib
 
 
  S?bastien Cramatte wrote:
 
  Hello,
 
  I've donwloaded, compiled and installed the latest pf_ring patch.
  Ntop works as expected but unfortunately I'm unable to compile
  pmacct-0.12.0 :
 
  checking whether to disable L2 features... no
  checking whether to enable IPv6 code... no
  checking default locations for pcap.h... found in /usr/local/include
  checking default locations for libpcap... found in /usr/local/lib
  checking for pcap_dispatch in -lpcap... no
  configure: error:
   ERROR: missing pcap library. Refer to: http://www.tcpdump.org/
  ...
 
 
  Any ideas of what occurs ? I suspect that I should add somewhre  LDFLAGS
   with  -lpfring ...
 
  Thank you for your help
  
 
  ___
  pmacct-discussion mailing list
  http://www.pmacct.net/#mailinglists
 
 
 
  --
  WBR
  Yavetskiy Yuriy
  ULTI-RIPE
 
 
  ___
  pmacct-discussion mailing list
  http://www.pmacct.net/#mailinglists
 

 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] unable to compile latest pmacct with pfring enabled libpcap ...

[Paolo Lucente]

Hi Sebastien,

Unfortunately it's not something quick to reproduce as i'm
myself mostly based on Solaris. I will gladly have a look
on your box instead.

Anyway: what the configure script was complaining is the
checking for pcap_dispatch in -lpcap check. Meaning the
libpcap.a doesn't exist or doesn't appear to be valid.
The issue doesn't look connected to PF_RING specifically.

Consider also pmacct doesn't have any native support for
PF_RING (which ntop might have instead), so I don't think
you should ever link with -lpfring - but I can indeed be
mistaken.

Cheers,
Paolo


On Thu, Feb 18, 2010 at 02:12:18PM +0100, S?bastien Cramatte wrote:
 Hi,
 
 It's true  ... was working with an old release with debian eth on x86
 platform.
 Now we have upgraded to debian squeeze on x86_64 platform.
 
 Note that we are using  pf_ring and it works perfectly with ntop ...
 Could you try  to build it using libpcap from pf_ring svn ?
 
 svn co https://svn.ntop.org/svn/ntop/trunk/PF_RING/
 
 
 
 2010/2/18 Paolo Lucente pa...@pmacct.net
 
  Hi Sebastien,
 
  It's not clear to me if this was working for you before (some
  earlier pmacct release) and it doesn't instead with the latest.
  I've just tried myself to compile pmacct 0.12.0 against a
  libpcap 1.0.0 (vanilla) and it works fine. I'm also fairly
  sure this worked up to 0.12.0rc4 for others - Yuriy should
  be among them.
 
  Cheers,
  Paolo
 
  On Thu, Feb 18, 2010 at 01:01:14PM +0100, S?bastien Cramatte wrote:
   It doesn't works :( ... same error
  
   ./configure
  
  --with-pcap-includes=/usr/src/pf_ring/PF_RING/userland/libpcap-1.0.0-ring/pcap
   --with-pcap-libs=/usr/local/lib
  
  
  
   #ls
  
   2010/2/18 Yavetskiy Yuriy yavets...@kpi.ua
  
Hello.
   
Try to use
   --with-pcap-includes=/path/to/userland/libpcap-1.0.0-ring/pcap
--with-pcap-libs=/path/to/lib
   
   
S?bastien Cramatte wrote:
   
Hello,
   
I've donwloaded, compiled and installed the latest pf_ring patch.
Ntop works as expected but unfortunately I'm unable to compile
pmacct-0.12.0 :
   
checking whether to disable L2 features... no
checking whether to enable IPv6 code... no
checking default locations for pcap.h... found in /usr/local/include
checking default locations for libpcap... found in /usr/local/lib
checking for pcap_dispatch in -lpcap... no
configure: error:
 ERROR: missing pcap library. Refer to: http://www.tcpdump.org/
...
   
   
Any ideas of what occurs ? I suspect that I should add somewhre
   LDFLAGS
 with  -lpfring ...
   
Thank you for your help
   
  
   
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
   
   
   
--
WBR
Yavetskiy Yuriy
ULTI-RIPE
   
   
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
   
 
   ___
   pmacct-discussion mailing list
   http://www.pmacct.net/#mailinglists
 
  ___
  pmacct-discussion mailing list
  http://www.pmacct.net/#mailinglists
 

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Pmacct data inconsistencies between tables.

[Paolo Lucente]

Hi Daniel,

Getting through the data and compare traffic figures is,
IHMO, the more practical approach - compared to trying to
reproduce the issue in a controlled environment. Once you
discover a descrepancy, it would be great to receive the
contributing data of each report to see where the issue
comes from.

It's also true that version 0.9.1 is almost 5 years old; i
would highly encourage to refresh it. I should be correct
saying Ubuntu features also version 0.11.4 and 0.11.6 if
you really don't like the idea of compiling 0.12 yourself
(which would be my preferred approach).

Let me know.

Cheers,
Paolo



On Mon, Feb 15, 2010 at 10:41:21AM +, Daniel Levy wrote:
 Hi Paolo,
 
 Thanks for getting back to me. The version of pmacct being used is
 0.9.1-1ubuntu1. I'm not sure how the problem was discovered, but I have
 asked to person who found the problem to tell me and I will forward you
 the response. As for the reports, I'm not entirely sure what you need. I
 am considering going through the database data for each hour and
 comparing the total figures for uploaded and downloaded packets, per IP
 address between the two tables.  Would this give you the information
 you're looking for?
 
 -- 
 Daniel Levy
 
 Aptivate | http://www.aptivate.org/ | +44 (0)1223 760887
 The Humanitarian Centre, Fenner's, Gresham Road, Cambridge CB1 2ES
 
 Aptivate is a not-for-profit company registered in England and Wales
 with company number 04980791. 
 
 
 
 Paolo Lucente wrote:
  Hi Daniel,
 
  Unfortunately the configuration doesn't make evident where the
  issue can be. The 'sql_dont_try_update' very well protects against
  duplicate tuples - so i'm rather inclined to exclude that reason. 
 
  Which version are you using? How you did discover the issue - ie.
  did you upgrade recently from a previous version or is a fresh
  installation? Finally, is it possible to get - privately - two
  reports, one from each table, for the same time period? Say, one
  or better two hours? 
 
  Let me know.
 
  Cheers,
  Paolo
 
 
  On Fri, Feb 12, 2010 at 03:19:38PM +, Daniel Levy wrote:

  Hi,
 
  I'm using pmacct to store data in two tables, one containing data
  recorded on a per minute basis, the other containing data recorded on an
  hourly basis. When I get data for the first table over a period of three
  hours, the download traffic (calculated by adding up the bytes field for
  traffic where the ip_dst value is from a machine on the local network)
  for one IP address on the network is 3,719,772,656 bytes. The download
  traffic from the second table for the same IP address over a period of
  one week, including the three hour period mentioned above, is
  significantly smaller (2,114,286,512 bytes) where I would expect it to
  be much larger and I can't figure out why. A slightly modified version
  of the contents of my pmacctd.conf file is given below. Can anyone help?
 
  daemonize: true
  pidfile: /var/run/pmacctd.pid
  syslog: daemon
 
  plugins: mysql[inbound1], mysql[outbound1], mysql[inbound2],
  mysql[outbound2]
 
  aggregate[inbound1]: src_host, src_port, dst_host, dst_port, proto
  aggregate[outbound1]: src_host, src_port, dst_host, dst_port, proto
  aggregate[inbound2]: src_host, src_port, dst_host, dst_port, proto
  aggregate[outbound2]: src_host, src_port, dst_host, dst_port, proto
 
  pcap_filter: not (src and dst net 0.0.0.0/24)
 
 
  sql_db: pmacct
  sql_table[inbound1]: short_data_table
  sql_table[outbound1]: short_data_table
 
  sql_table[inbound2]: long_data_table
  sql_table[outbound2]: long_data_table
 
  sql_history[inbound1]: 1m
  sql_history[outbound1]: 1m
  sql_history[inbound2]: 1h
  sql_history[outbound2]: 1h
 
  sql_history_roundoff[inbound1]: m
  sql_history_roundoff[outbound1]: m
  sql_history_roundoff[inbound2]: h
  sql_history_roundoff[outbound2]: h
  sql_table_version: 6
  sql_host: localhost
  sql_user: auser
  sql_passwd: apass
 
  sql_refresh_time[inbound1]: 60
  sql_refresh_time[outbound1]: 60
  sql_refresh_time[inbound2]: 3600
  sql_refresh_time[outbound2]: 3600
  sql_dont_try_update: true
  sql_optimize_clauses: true
 
  sql_preprocess: minb = 1000
 
  Regards
 
  -- 
  Daniel Levy
 
 
  ___
  pmacct-discussion mailing list
  http://www.pmacct.net/#mailinglists
  
 
  ___
  pmacct-discussion mailing list
  http://www.pmacct.net/#mailinglists


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

[pmacct-discussion] pmacct 0.12.0 released !

[Paolo Lucente]

VERSION.
0.12.0


DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
measure, account, classify, aggregate and export IPv4 and IPv6
traffic; a pluggable and flexible architecture allows to store
collected network data into memory tables or SQL (MySQL, SQLite,
PostgreSQL) databases and export them through NetFlow or sFlow
protocols to remote collectors. pmacct supports fully customizable
historical data breakdown, sampling, filtering and tagging and
triggers. Libpcap, Netlink/ULOG, sFlow v2/v4/v5 and NetFlow v1/
v5/v7/v8/v9 are supported, both unicast and multicast. Also, a
client program makes it easy to export data to tools like RRDtool,
GNUPlot, Net-SNMP, MRTG, and Cacti.


HOMEPAGE.
http://www.pmacct.net/


DOWNLOAD.
http://www.pmacct.net/pmacct-0.12.0.tar.gz


CHANGELOG.
+ 'is_symmetric' aggregation primitive has been implemented: aimed
  at easing detection of asymmetric traffic. It's based on rule
  definitions supplied in a 'bgp_is_symmetric_map' map, reloadable
  at runtime.
+ A new 'bgp_daemon_allow_file' configuration directive allows to
  specify IP addresses that can establish a BGP session with the
  collector's BGP thread. Many thanks to Erik van der Burg for
  contributing the idea.
+ 'nfacctd_ext_sampling_rate' and 'sfacctd_ext_sampling_rate' are
  introduced: they flag the daemon that captured traffic is being
  sampled. Useful to tackle corner cases, ie. the sampling rate
  reported by the NetFlow/sFlow agent is missing or incorrect.
+ The 'bgp_follow_nexthop' feature has been extended so that extra
  IPv4/IPv6 prefixes can be supplied. Up to 32 IP prefixes are now
  supported and a warning message is generated whenever a supplied
  string fails parsing.
+ Pre-Tagging: implemented 'src_local_pref' and 'src_comms' keys.
  These allow tagging based on source IP prefix local_pref (sourced
  from either a map or BGP, ie. 'bgp_src_local_pref_type: map',
  'bgp_src_local_pref_type: bgp') and standard BGP communities.
+ Pre-Tagging: 'src_peer_as' key was extended in order to match on
  BGP-sourced data (bgp_peer_src_as_type: bgp).
+ Pre-Tagging: introduced 'comms' key to tag basing on up to 16
  standard BGP communities attached to the destination IP prefix.
  The lookup is done against the BGP RIB of the exporting router.
  Comparisons can be done in either match-any or match-all fashion;
  xidDocumentation and examples updated.
! fix, util.c: load_allow_file(), empty allow file was granting a
  connection to everybody being confused with a 'no map' condition.
  Now this case is properly recognized and correctly translates in
  a reject all clause.
! fix, sql_common.c: log of NetFlow micro-flows to a SQL database
  (nfacctd_sql_log directive) was not correctly getting committed
  to the backend, when sql_history was disabled.
! fix, mysql|pgsql|sqlite_plugin.c: 'flows' aggregation primitive
  was not suitable to mix-and-match with BGP related primitives
  (ie. peer_dst_as, etc.) due to an incorrect check. Many thanks
  to Zenon Mousmoulas for the bug report.
! fix, pretag_handlers.c: tagging against NetFlow v9 4-bytes in/out
  interfaces was not working properly. Thanks to Zenon Mousmoulas
  for reporting the issue.


NOTES.


Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Pmacct data inconsistencies between tables.

[Paolo Lucente]

Hi Daniel,

Unfortunately the configuration doesn't make evident where the
issue can be. The 'sql_dont_try_update' very well protects against
duplicate tuples - so i'm rather inclined to exclude that reason. 

Which version are you using? How you did discover the issue - ie.
did you upgrade recently from a previous version or is a fresh
installation? Finally, is it possible to get - privately - two
reports, one from each table, for the same time period? Say, one
or better two hours? 

Let me know.

Cheers,
Paolo


On Fri, Feb 12, 2010 at 03:19:38PM +, Daniel Levy wrote:
 Hi,
 
 I'm using pmacct to store data in two tables, one containing data
 recorded on a per minute basis, the other containing data recorded on an
 hourly basis. When I get data for the first table over a period of three
 hours, the download traffic (calculated by adding up the bytes field for
 traffic where the ip_dst value is from a machine on the local network)
 for one IP address on the network is 3,719,772,656 bytes. The download
 traffic from the second table for the same IP address over a period of
 one week, including the three hour period mentioned above, is
 significantly smaller (2,114,286,512 bytes) where I would expect it to
 be much larger and I can't figure out why. A slightly modified version
 of the contents of my pmacctd.conf file is given below. Can anyone help?
 
 daemonize: true
 pidfile: /var/run/pmacctd.pid
 syslog: daemon
 
 plugins: mysql[inbound1], mysql[outbound1], mysql[inbound2],
 mysql[outbound2]
 
 aggregate[inbound1]: src_host, src_port, dst_host, dst_port, proto
 aggregate[outbound1]: src_host, src_port, dst_host, dst_port, proto
 aggregate[inbound2]: src_host, src_port, dst_host, dst_port, proto
 aggregate[outbound2]: src_host, src_port, dst_host, dst_port, proto
 
 pcap_filter: not (src and dst net 0.0.0.0/24)
 
 
 sql_db: pmacct
 sql_table[inbound1]: short_data_table
 sql_table[outbound1]: short_data_table
 
 sql_table[inbound2]: long_data_table
 sql_table[outbound2]: long_data_table
 
 sql_history[inbound1]: 1m
 sql_history[outbound1]: 1m
 sql_history[inbound2]: 1h
 sql_history[outbound2]: 1h
 
 sql_history_roundoff[inbound1]: m
 sql_history_roundoff[outbound1]: m
 sql_history_roundoff[inbound2]: h
 sql_history_roundoff[outbound2]: h
 sql_table_version: 6
 sql_host: localhost
 sql_user: auser
 sql_passwd: apass
 
 sql_refresh_time[inbound1]: 60
 sql_refresh_time[outbound1]: 60
 sql_refresh_time[inbound2]: 3600
 sql_refresh_time[outbound2]: 3600
 sql_dont_try_update: true
 sql_optimize_clauses: true
 
 sql_preprocess: minb = 1000
 
 Regards
 
 -- 
 Daniel Levy
 
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] pre_tag_map issue + questions

[Paolo Lucente]

Hi Zenon,

On Mon, Feb 08, 2010 at 02:43:49PM +0200, Zenon Mousmoulas wrote:

 records. If it's in there, then i'd like to give it a look myself: i
 would ask you to produce a trace and send it to me privately so that
 i can have a look. We can then summarize findings here.

 OK. I will send you the capture privately.

It turned to be another bug related to 4-bytes ifIndex values exported
via NetFlow v9. Fix is already committed to the CVS. Thanks for your
cooperation on this.

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] pmacct count only 5% of SYN packets.

[Paolo Lucente]

Hi Yuriy,

You have also other means to get a count of the TCP/SYN packets out
of pmacct. I would suggest one for troubleshooing purposes with the
goal to check where the issue lies:

* keep the 'tcpflags' primitive out of the 'aggregate' directive
* add a 'pcap_filter' directive to the config; it supports filters
  in tcpdump syntax and you can feed it with the same filter you
  use in tcpdump to count TCP/SYN packets. 

I would like to know if counting TCP/SYN packets this way makes
pmacct matching the numbers you get out of tcpdump.

Btw, if you like this strategy, instead of resorting to tcpflags, 
it can be refined so to make it co-existing with other things you
might want to do with the tool (ie. by using tagging or replacing
the 'pcap_filter' with an 'aggregate_filter').

Cheers,
Paolo


On Tue, Feb 09, 2010 at 12:39:52PM +0200, Yavetskiy Yuriy wrote:
 Hello.

 I'm running Debian with vanila 2.6.32 kernel.
 I've compiled pmacct 0.11.6 with pf_ring (transparent mode 1).
 Packets pass through brigde of 2 interfaces, one interface in promisc  
 mode (both interfaces are intel 82576, NAPI, LRO, RSS).
 Load on this brigde is 800mbps and 100 kpps (90% idle on each of 8 cores).
 I'm using pmacct to count traffic through brigde.
 I've noticed, that snmp data and pmacct's data are the same (99% similar  
 in MB).
 But if I use tcpflags in aggregation (src_host, dst_host, dst_port,  
 proto, tcpflags), I see (compare pmacct's data on bridge with tcpdump on  
 packet's destination host) that only 5% of packets with flag 2 (SYN) are  
 counted.
 What could be the problem?


 -- 
 WBR
 Yavetskiy Yuriy
 ULTI-RIPE


 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Missing information in mysql table

[Paolo Lucente]

Hi Jonas,

On Tue, Feb 09, 2010 at 04:55:52PM +0100, Jonas Nylund wrote:
 
 [ ... ]
 
 mysql select * from acct_v5_06 limit 10;
 +--+--+-+-+--+-+-+--+--+--+-+-+---+---+-+-+
 | agent_id | class_id | mac_src | mac_dst | vlan | ip_src  | ip_dst
 | src_port | dst_port | ip_proto | tos | packets | bytes | flows |
 stamp_inserted  | stamp_updated   |
 +--+--+-+-+--+-+-+--+--+--+-+-+---+---+-+-+
 |0 | unknown  | 0:0:0:0:0:0 | 0:0:0:0:0:0 |  200 | 0.0.0.0 | 0.0.0.0
 |0 |0 | ip   | 104 |  67 | 36641 | 0 |

 [ ... ]
 
 I probably have missed something in my config. But i cant find what. I also
 need help undestanding the TOS values? What is tos 67?  in VLAN 200 i only
 should see DSCP AF31, and DSCP 47.

I see 67 appearing in the 'packets' field. TOS appears to be 104,
which should match your expectations of seeing DSCP AF31 populating
such field.

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] The accounting of flows requires SQL table v4?

[Paolo Lucente]

Hi Zenon,

Good to see you around again. Please add to your config:

sql_table_version[sqltest]: 4

Reason being most of the primitives are still connected to the 
SQL table versioning concept (in essence: pmacct expects you to
make explicit which SQL schema you are running). This is in the
process of being dismantled, which is already the case with the
plethora of BGP-related primitives (i know you come from there
and hence it sounds new ...).

Cheers,
Paolo


On Mon, Feb 08, 2010 at 10:34:50AM +0200, Zenon Mousmoulas wrote:
 Hi,

 plugins: mysql[sqltest]
 sql_optimize_clauses[sqltest]: true
 sql_table[sqltest]: acct
 ...
 aggregate: src_as, [...] flows, tag

 I also tried

 aggregate[sqltest]: src_as, [...] flows, tag

 It is also in my schema:

 create table acct (
 id INT(4) UNSIGNED NOT NULL AUTO_INCREMENT,
 agent_id INT(4) UNSIGNED NOT NULL,
 as_src INT(4) UNSIGNED NOT NULL,
   [...]
 flows INT UNSIGNED NOT NULL,
 packets INT UNSIGNED NOT NULL,
 bytes BIGINT UNSIGNED NOT NULL,
 stamp_inserted DATETIME NOT NULL,
 stamp_updated DATETIME,
 PRIMARY KEY (id),
 INDEX idxall (agent_id, as_src, as_dst, stamp_inserted)
 ) TYPE=MyISAM AUTO_INCREMENT=1;

 No matter what, I always get this:

 ERROR ( sqltest/mysql ): The accounting of flows requires SQL table v4. 
 Exiting.

 Using latest cvs code (2010-01-29).

 Any ideas?

 Thanks,
 Z.



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] pre_tag_map issue + questions

[Paolo Lucente]

Hi Zenon,

On Mon, Feb 08, 2010 at 10:37:54AM +0200, Zenon Mousmoulas wrote:

 I have a netflow v9 feed to nfacctd from a juniper router (JUNOS  
 9.6R2.11), using a service pic. According to a packet capture, records  
 include ingress and egress interface and they seem to be properly  
 defined in the corresponding template. I've tried to use the snmp  
 ifindex numbers in pre_tag_map keys, but they never match. Matching in  
 pre_tag_map with other keys seems to work fine. Any ideas how to debug?

You can start by checking (ie. with Wireshark) whether the input/output
interface fields are part of the NetFlow v9 template other than the
records. If it's in there, then i'd like to give it a look myself: i
would ask you to produce a trace and send it to me privately so that
i can have a look. We can then summarize findings here.

 I also noticed that proto and ToS are not available as pre_tag_map keys. 
 Any particular reason for that? DSCP matching would be handy in my case.

For this task you can use a 'filter' keyword within the pre_tag_map,
which accepts a filter in libpcap syntax. Give it a try and let me
know.

 On a somewhat different note: the particular juniper can also export  
 ipv6 flows, using a different template. I've noticed it includes an  
 IP_PROTOCOL_VERSION (60) field in this template.
 If we send the ipv6 feed to the same instance of nfacctd which receives 
 the ipv4 feed, how can we tell apart ipv6 from ipv4 traffic if we're 
 doing AS aggregation? It would be handy to have an ip_proto aggregation 
 primitive, or at least to be able to match by 'IPVersion' in a 
 pre_tag_map.

Sure. Once again you have to resort to a filter in libpcap format,
this time the 'aggregate_filter'. You can configure it as follows:

aggregate_filter[ip_traffic]: ip
aggregate_filter[ip6_traffic]: ip6

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] The accounting of flows requires SQL table v4?

[Paolo Lucente]

HI Zenon,

It turned to be a bug. It's now fixed and change is already
committed to the CVS. Please give it a try and let me know.

Cheers,
Paolo

On Mon, Feb 08, 2010 at 02:22:41PM +0200, Zenon Mousmoulas wrote:
 Hi Paolo,

 it's nice to be back :)

 I had already tried adding this directive (and tried it one more time  
 just before writing this). Unfortunately it made no difference...

 Z.

 On 08 ?? 2010, at 11:51 , Paolo Lucente wrote:

 Hi Zenon,

 Good to see you around again. Please add to your config:

 sql_table_version[sqltest]: 4

 Reason being most of the primitives are still connected to the
 SQL table versioning concept (in essence: pmacct expects you to
 make explicit which SQL schema you are running). This is in the
 process of being dismantled, which is already the case with the
 plethora of BGP-related primitives (i know you come from there
 and hence it sounds new ...).

 Cheers,
 Paolo


 On Mon, Feb 08, 2010 at 10:34:50AM +0200, Zenon Mousmoulas wrote:
 Hi,

 plugins: mysql[sqltest]
 sql_optimize_clauses[sqltest]: true
 sql_table[sqltest]: acct
 ...
 aggregate: src_as, [...] flows, tag

 I also tried

 aggregate[sqltest]: src_as, [...] flows, tag

 It is also in my schema:

 create table acct (
id INT(4) UNSIGNED NOT NULL AUTO_INCREMENT,
agent_id INT(4) UNSIGNED NOT NULL,
as_src INT(4) UNSIGNED NOT NULL,
 [...]
flows INT UNSIGNED NOT NULL,
packets INT UNSIGNED NOT NULL,
bytes BIGINT UNSIGNED NOT NULL,
stamp_inserted DATETIME NOT NULL,
stamp_updated DATETIME,
PRIMARY KEY (id),
INDEX idxall (agent_id, as_src, as_dst, stamp_inserted)
 ) TYPE=MyISAM AUTO_INCREMENT=1;

 No matter what, I always get this:

 ERROR ( sqltest/mysql ): The accounting of flows requires SQL table  
 v4.
 Exiting.

 Using latest cvs code (2010-01-29).

 Any ideas?

 Thanks,
 Z.



 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Not working pmacct -N [matching data['; ' ... ]]

[Paolo Lucente]

Hi Slava,

Can you confirm which version you are running into this issue? Can
you also post your config - just in case? Labbing this scenario up,
i see it working fine for me. 

One thing i can suggest is: append a -l to your query to ensure a
locked access to the memory table; if it's a concurrency issue, you
should see it working after that.

Let me know.

Cheers,
Paolo

On Wed, Feb 03, 2010 at 03:09:00AM +0200, sl...@tangramltd.com wrote:
 Hi.
 
 [r...@stat-ca ~]# pmacct -c src_net -N 91.72.146.32
 36575
 [r...@stat-ca ~]# pmacct -c src_net -N 91.72.146.30
 208
 [r...@stat-ca ~]# pmacct -c src_net -N 91.72.146.32;91.72.146.30
 36575
 0
 
 Why last command show 0 for 91.72.146.30 ?
 
 And
 [r...@stat-ca ~]# pmacct -c src_net -N 91.72.146.32;91.72.146.30 -S
 36575
 
 instead 36575+208
 
 Seems it's bug.
 
 WBR,
 Slava


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Enterasys nfacctd expecting flow error

[Paolo Lucente]

Hi Marc,

I would ask you if you can send me privately a packet capture
(in tcpdump format, full payload) so that i can have a look into
it and possibly replay in lab. 

This should very well give an insight on the sequence jumps; and
might also give an hint why not all the traffic is accounted for
ie. if there is a cause-effect relationship between the twos.

Let me know if this is acceptable to you.

Cheers,
Paolo


On Thu, Jan 14, 2010 at 02:54:55PM -0800, marc slice wrote:
 They appear frequently. Every 10-15 secs. We have between 25-80Mbps running 
 across the interfaces recording netflow data on the enterasys through out the 
 day. Not all the traffic is getting recorded when compared to port 
 statistics. No real pattern that we have found. We have 1Gbps connections 
 from the enterasys to the collector and the collector is a HP 2 CPU opteron 
 box with 8GB of memory. CPU is seeing very little use at all times.
 
 
 
 - Original Message 
 From: Paolo Lucente pa...@pmacct.net
 To: pmacct-discussion@pmacct.net
 Sent: Wed, January 13, 2010 3:33:36 PM
 Subject: Re: [pmacct-discussion] Enterasys nfacctd expecting flow error
 
 Hi Marc,
 
 Such messages tell it has been detected some issues with
 NetFlow datagram sequence numbers. This can be caused by
 packet loss between an agent and the collector, mistakes
 in the sequencing encoding among the others. Besides the
 warning messages, which can be turned off, NetFlow datagrams 
 reaching pmacct are processed as usual.
 
 Do you see such messages appearing regularly or occasionally?
 Can you spot a pattern (ie. only a subset of the devices
 are affected, jumps repeat the same way, etc.)?
 
 Cheers,
 Paolo
 
 On Wed, Jan 13, 2010 at 11:52:07AM -0800, marc slice wrote:
  I have setup netflow from an Enterasys N series switch and receive the 
  following when running nfacctd.
  
  WARN: expecting flow '2727940030' but received '2727940026' 
  collector=0.0.0.0:2055 agent=172.16.32.2:513
  WARN: expecting flow '11226450' but received '11226438' 
  collector=0.0.0.0:2055 agent=172.16.32.2:769
  WARN: expecting flow '2727940052' but received '2727940056' 
  collector=0.0.0.0:2055 agent=172.16.32.2:513
  WARN: expecting flow '11226456' but received '11226468' 
  collector=0.0.0.0:2055 agent=172.16.32.2:769
  WARN: expecting flow '2727952866' but received '2727952852' 
  collector=0.0.0.0:2055 agent=172.16.32.2:513
  WARN: expecting flow '11226618' but received '11226617' 
  collector=0.0.0.0:2055 agent=172.16.32.2:769
  WARN: expecting flow '2727952868' but received '2727952882' 
  collector=0.0.0.0:2055 agent=172.16.32.2:513
  
  Couldn't find much info on this problem and was wondering if someone could 
  help?
  
  [ ... ] 
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists
 
 
 
   
 
 ___
 pmacct-discussion mailing list
 http://www.pmacct.net/#mailinglists

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] pmacct can't create mysql table, but I can with the same schema

[Paolo Lucente]

Hi Jeff,

If i'm getting this correctly, you see everything working except for
the table creation error you get back. 

If this is the case, i wouldn't say you are doing something wrong;
pmacct tries to create the table every time the SQL cache scanner kicks
in (sql_refresh_time interval); table name is a string, just it gets
compiled in at runtime with dynamic tables. So, the failure to create
the table derives from the fact the table name changes monthly in your
case whereas data is inserted every 5 minutes. In summary: this is an
harmless and not impacting issue.

Why in the end this log message is labelled by pmacct as ERROR? pmacct
just reports what the SQL library says - it has no clue of the severity
of the content itself. This should really be an informational one.

Cheers,
Paolo


On Tue, Dec 22, 2009 at 03:44:16AM -0800, Jeff Welling wrote:
 Hi again,
 So it seems I spoke too soon  .  It looks like its accumulating
 information in the database in the right tables, but I don't know that
 the information is correct or why its trying to create the table even
 though it already exists..?
 
 I'm seeing this in my syslogs, one per table but here's the output from
 just one;
 
 Dec 22 03:35:15 Gir pmacctd[10365]: ERROR ( incoming/mysql ): PRIMARY
 'mysql' backend trouble.
 Dec 22 03:35:15 Gir pmacctd[10365]: ERROR ( incoming/mysql ): The SQL
 server says: Table 'pmacct_v7_incoming_200912' already exists
 
 It shows up, I'm guessing, every time it tries to update the sql
 database.  Any idea what I did wrong?
 Anything at all will be appreciated :)
 Thanks,
 Jeff.


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

[pmacct-discussion] pmacct 0.12.0rc4 released !

[Paolo Lucente]

VERSION.
0.12.0rc4


DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
measure, account, classify, aggregate and export IPv4 and IPv6
traffic; a pluggable and flexible architecture allows to store
collected network data into memory tables or SQL (MySQL, SQLite,
PostgreSQL) databases and export them through NetFlow or sFlow
protocols to remote collectors. pmacct supports fully customizable
historical data breakdown, sampling, filtering and tagging and
triggers. Libpcap, Netlink/ULOG, sFlow v2/v4/v5 and NetFlow v1/
v5/v7/v8/v9 are supported, both unicast and multicast. Also, a
client program makes it easy to export data to tools like RRDtool,
GNUPlot, Net-SNMP, MRTG, and Cacti.


HOMEPAGE.
http://www.pmacct.net/


DOWNLOAD.
http://www.pmacct.net/pmacct-0.12.0rc4.tar.gz


CHANGELOG.
+ BGP-related source primitives are introduced, namely: src_as_path,
  src_std_comm, src_ext_comm, src_local_pref and src_med. These add
  to peer_src_as which was already implemented. All can be resolved
  via reverse BGP lookups; peer_src_as, src_local_pref and src_med
  can also be resolved via lookup maps which support checks like:
  bgp_nexthop (RPF), peer_dst_as (RPF), input interface and source
  MAC address. Many thanks to Zenon Mousmoulas and GRNET for their
  fruitful cooperation.
+ Memory structures to store BGP-related primitives have been
  optimized. Memory is now allocated only for primitives part of
  the selected aggregation profile ('aggregate' config directive).
+ A new 'bgp_follow_nexthop' configuration directive is introduced
  to follow the BGP next-hop up to the edge of the routing domain.
  This is particularly aimed at networks not running MPLS, where
  hop-by-hop routing is in place.
+ Lookup maps for BGP-related source primitives (bgp_src_med_map,
  bgp_peer_src_as_map, bgp_src_local_pref_map): result of check(s)
  can now be the keyword 'bgp', ie. 'id=bgp' which triggers a BGP
  lookup. This is thought to handle exceptions to static mapping.
+ A new 'bgp_peer_as_skip_subas' configuration directive is being
  introduced. When computing peer_src_as and peer_dst_as, returns
  the first ASN which is not part of a BGP confederation; if only
  confederated ASNs are on the AS-Path, the first one is returned
  instead.
+ Pre-Tagging: support has been introduced for NetFlow v9 traffic
  direction (ingress/egress). 
+ Network masks part of NetFlow/sFlow export protocols can now be
  used to compute src_net, dst_net and sum_net primitives. As a
  result a set of directives [nfacctd|sfacctd|pmacctd|uacctd]_net
  allows to globally select the method to resolve such primitives,
  valid values being: netflow, sflow, file (networks_file), mask
  (networks_mask) and bgp (bgp_daemon).
+ uacctd: introduced support for input/output interfaces, fetched
  via NetLink/ULOG API; interfaces are available for Pre-Tagging,
  and inclusion in NetFlow and sFlow exports. The implementation
  is courtesy of Stig Thormodsrud.
+ nfprobe, sfprobe: new [nfprobe|sfprobe]_peer_as option to set
  source/destination ASNs, part of the NetFlow and sFlow exports,
  to the peer-AS rather than origin-AS. This feature depends on a
  working BGP daemon thread setup.
! A few resource leaks were detected and fixed. Patch is courtesy
  of Eric Sesterhenn.
! bgp/bgp.c: thread concurrency was detected upon daemon startup
  under certain conditions. As a solution the BGP thread is being
  granted a time advantage over the traffic collector thread. 
! bgp/bgp.c: fixed a security issue which could have allowed a
  malicious user to disrupt established working BGP sessions by
  exploiting the implemented concept of BGP session replenishment;
  this has been secured by a check against the session holdtime.
  Many thanks to Erik van der Burg for spotting the issue.
! bgp/bgp.c: BGP listener socket now sets SO_REUSEADDR option for
  quicker turn around times while stopping/starting the daemon. 
! net_aggr.c: default route (0.0.0.0/0) was considered invalid;
  this is now fixed.


NOTES.


Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] sflow renormalize not working correctly (sql_preprocess does)

[Paolo Lucente]

Hi Igor,

I'm not aware of any issues with the 'sfacctd_renormalize' feature;
perfect you already did some debug with sflowtool - that would have
been my first suggestion.

I would ask you, if possible, to send me privately a brief capture
of some sFlow datagrams (pcap format, full packets) so that i can
have a look myself and replay them in a lab environment. 

This would also help understanding very quickly if the load of the
system can be a viable explanation or not.

Cheers,
Paolo


On Mon, Dec 21, 2009 at 09:19:34PM +0100, Igor Ybema wrote:
 Hi,
 We are using pmacct (sfacctd) for 2 years now.
 We are using sflow agent on HP procurve 3500 switches with sampling rate of
 1024.
 
 Before we didn't use the renormalize function and no preprocessing. We just
 used kbytes in stead of bytes in our applications which worked fine.
 Since a month we started to use the sflow_renormalize function but since
 then we see the bytes counted for our 'incoming' table multiplied by a
 factor of 1.5 to 2 (not accurate).
 The 'outgoing' table does not show this behaviour.
 
 To figure out where the problem is, I tried a couple of things:
 - using sflowtool to debug the packets - meanSkip = 1024 and counting MB's
 myself (with a little help of bash) gives me the total bytes I have send to
 the test host
 - using another sflow agent (foundry XMR router) on other sflow server with
 renormalize on also gives me the correct values
 - turning of renormalize and using sql_preprocess: usrf=1024 also gives me
 the correct values
 - using the newest 0.12.0rc4 does not help
 
 So,.. using same sflow server and agents, same data etc... only switching
 from renormalize to preprocess works for me right now. What could be the
 problem?
 The sflow server (combined mysql server) is a busy server hitting high cpu
 and io waits. Could this cause issue's?
 
 
 regars, Igor Ybema


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Aggregate traffic count with BGP community match

[Paolo Lucente]

Hi Andrew,

On Fri, Dec 11, 2009 at 01:32:34PM +1300, Andrew Thrift wrote:

 I have a requirement to count clients traffic passing through our border  
 router by classes, e.g. local (iBGP), national (BGP marked with specific  
 community) and international (anything not covered by local/national),  
 after a bit of research I found pmacct/nfacct and from what I can tell  
 it looks like it can do what I want.

That's correct. More sophisticated considerations (ie. whether leveraging
communities is the best choice) can be made only by knowing the overall
picture. 

 Have aggregation periods per client IP of  1 Hour, 1 Day and 1 Month  
 (1st day to last day)

Yes. Temporal aggregation is fully flexible, so you can really choose
whichever time period makes sense to you. Indeed per IP or per subnet
accounting is possible. 

 Use match filters similar to:

 [ ... ]

Match filters: I guess you would like to base your solution on a SQL
backend. BGP communities, IP addresses, etc. are all visible in the  
database: all revolves around crafting the right SQL queries.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Layer 7 classification problem.

[Paolo Lucente]

Hi,

Mike kindly offered access to his box. The classification engine was found
to work just fine - issue being related to some catch-all patterns included
with the L7-filter classifiers package (namely unknown.pat and unset.pat).

By removing them, classification was working much better. Indeed, I don't
enter the discussion of the precision of the 3rd party regex classifiers.

Action i've taken is to add a note in the documentation.

Cheers,
Paolo


On Wed, Dec 02, 2009 at 10:53:04AM +, Paolo Lucente wrote:
 Hi Buddhike,
 
 On Wed, Dec 02, 2009 at 02:36:20PM +0530, Buddhike wrote:
 
http://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01397.html
  
   Any chance you can give it a try and post some feedback, ie. whether it
 
  yeah I've tried that with  pmacct-0.12.0rc3 and still the result is same.
 
 Thanks very much for your feedback; i believe Mike will then be on the
 same lines. Now, I'd like to help you but as i don't manage to reproduce
 the problem with my resources, to make it effective at this stage i would
 need access to your installations.
 
 If this is a viable option for either of you, please contact me privately
 to arrange this up.
 
 Cheers,
 Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Not save data in DB when exit

[Paolo Lucente]

Hi Slava,

On Tue, Dec 01, 2009 at 10:01:28PM +0200, Slava Dubrovskiy wrote:

 Yes, I remove sql_multi_values and it working. But as I understand this
 this give more performance.

Was suspecting so  correct.

 Is it possible use it? And it working good. Problem only when I stop it.

It has to be identified what is causing it. The problem it flags is
duplicates within the primary key. This is because the UPDATE query
cannot be used as part of the sql_dont_try_update (which, once again
gives better performances, so good it is enabled). 

You should get a few examples of which rows are clashing (take one
duplicate error message and search for that row in the database).
If stopping-starting-stopping pmacct in a very short sequence you
might obvioulsy have to clean up the database for the test to be
consistent. Verify whether the clash makes sense or not - given
your schema and configuration.

One last note: last time you posted your config, i recall you did
enable 'nfacctd_time_new' which is recommended when using NetFlow
in conjunction with these SQL directives. Is it still the case,
right?

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Layer 7 classification problem.

[Paolo Lucente]

Hi Buddhike,

On Wed, Dec 02, 2009 at 02:36:20PM +0530, Buddhike wrote:

   http://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01397.html
 
  Any chance you can give it a try and post some feedback, ie. whether it

 yeah I've tried that with  pmacct-0.12.0rc3 and still the result is same.

Thanks very much for your feedback; i believe Mike will then be on the
same lines. Now, I'd like to help you but as i don't manage to reproduce
the problem with my resources, to make it effective at this stage i would
need access to your installations.

If this is a viable option for either of you, please contact me privately
to arrange this up.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Not save data in DB when exit

[Paolo Lucente]

Hi Slava,

On Mon, Nov 30, 2009 at 03:03:41PM +0200, Slava Dubrovskiy wrote:

 I see such errors:

 [ ... ]

 DEBUG ( t2/mysql ): 3 VALUES statements sent to the MySQL server.
 ERROR ( t2/mysql ): Duplicate entry '0-5-2009-11-28 02:00:00' for key 1
 
 [ ... ]

 DEBUG ( t1/mysql ): 400 VALUES statements sent to the MySQL server.
 ERROR ( t1/mysql ): Duplicate entry
 '0-0.0.0.0-208.94.173.101-0-0-udp-2009-11-28 02:00:00' for key 1

Thanks for the extensive logging. You should be referring to the
two errors above, right? To better pin-point where the issue is,
it's good rule to remove the sql_multi_values: this allows to see
precisely which SQL statement is causing the issue. From there you
can check whether effectively this is something already in the
database and why.

The fact that you don't see anything written into the database 
when such errors pop up is normal due to the combination of the
sql_multi_values and sql_dont_try_update directives. A multi-value
query is effectively a single statement; so if one component fails
it negatively affects all the others. 

If this doesn't help; feel free to send me further SQL output,
commenting out the sql_multi_values. Perhaps this will get too
extensive; in such a case, send it privately and then we can
summarize over here.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] peer-AS calculation problem

[Paolo Lucente]

Hi Zenon,

On Wed, Nov 25, 2009 at 12:59:04PM +0200, Zenon Mousmoulas wrote:

 I am not sure if this affects nfacctd or, perhaps, if it overrides this 
 information by looking up the next-hop (and perhaps also the dst peer AS) 
 in the BGP RIB?

If i'm not mistaken you are not using the 'nfacctd_as_new' configuration
directive in your config - or it's not set to 'bgp'. If this is the case,
that key causes fields that can be grasped from multiple sources, ie. BGP
and NetFlow, like src_as, dst_as, bgp_nexthop to be looked up against BGP.
Default value is to look them up in the export protocol (NetFlow, sFlow).

Still if this holds, can you give it a try? 

Let me know.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

[pmacct-discussion] pmacct-contribs 20091125 released

[Paolo Lucente]

VERSION.
20091125


DESCRIPTION.
pmacct is a set of network tools to gather, filter and tag IP traffic;
it is able to store collected data either into a DB or a memory table.
We see any monitoring, billing or accounting environment as a stack
where data are picked from the network, get processed in a meaningful
way, and optionally formatted to be user-friendly. In the context of
this layered approach we also see pmacct residing at its lowest layer
(that is, just upon the network); once collected, often data need to
be pulled to upper layers of the environment for a range of applications
like time-based reporting, pricing model application, policy
enforcement, network thresholds handling, nice output to end-users.
pmacct-contribs aims to be over the time a collection, though not
exaustive, of scripts and works revolved around or topped over pmacct.


README.
http://www.pmacct.net/contribs-README


DOWNLOAD.
http://www.pmacct.net/pmacct-contribs-20091125.tar.gz


CHANGELOG.
+ (Stig Thormodsrud) quagga_gen_as_network.pl: a script to generate
  a AS number/network file (networks_file) in pmacct format from
  Quagga.


NOTES.
README contains the contributions list. New contributions are welcome;
support to existing contributions is also appreciated. Questions,
critics, suggestions, advices to existing contributions must be sent
to respective authors.


Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Not save data in DB when exit

[Paolo Lucente]

Hi Slava,

On Wed, Nov 25, 2009 at 09:04:24PM +0200, Slava Dubrovskiy wrote:

 Seems when I make kill INT PID_OF_CORE_PROCESS it down, but plugins do
 not write to database. I see delay before off for plugins, but not see
 that they change command line to DB writer. And not see data for period.
 
 Can you confirm that bug?

You should send a SIGINT to the plugins you want to write to the database,
not only to the core process (just wondering if it's written this way in
any part of the documentation). A 'killall INT pmacctd' should do it; or
if you need better granularity use the 'pidfile' directive to be able to
retrieve the PID for the plugins aswell.

Let me know how it goes.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] A strange thing with one traffic direction

[Paolo Lucente]

Hi Peter,

On Mon, Nov 23, 2009 at 10:45:38PM +0100, Peter Franzel wrote:

 I thing RX Traffic is brilliant, but why is there such a big difference 
 between TX bytes?! Is there something I am going wrong or where is the fault? 

I would essentially suggest to go in a couple of directions;
first do a bit of comparisons with tcpdump; pmacct would see
what tcpdump sees; except a) tcpdump considers non-IP traffic
(ie. ARP) and b) pmacct considers IPv6 traffic if configured
with the --enable-ipv6 switch.

If that still doesn't help, simplify your configuration for 
the duration of the troubleshooting phase; then proceed step
by step. 

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Layer 7 classification problem.

[Paolo Lucente]

Hi Mike,

On Mon, Nov 23, 2009 at 02:00:04PM +0300, Mike Lykov wrote:

 By the way, L7-filter have two types of filter:
 The first speed shown for a pattern in the tables below is the speed when 
 used in the kernel (with the old V8 regular expression library). The second 
 is the speed when used in userspace (with the modern GNU library). 
 
 i.e.userspace version uses GNU regex(7) library. Are pmacct using it also? 

pmacct only embeds the first one. I've written for you a quick patch
(attached) which leverages regex coming with the SO (typically POSIX
compliant). It works for me on a Linux (x86_64) and a Solaris (sparc)
with the http classifier from L7-filter project - but it's also true
everything was working fine at some quick testing before.

Let me know if you see any improvements. If this is the case, i can
either replace the current implementation or add a knob in the coming
release. The patch should apply fine to 0.12.0rc3; if not, please use
code in the CVS.

Cheers,
Paolo

diff -ur pmacct/src/classifier.c pmacct.class/src/classifier.c
--- pmacct/src/classifier.c	2009-10-31 12:46:10.0 +0100
+++ pmacct.class/src/classifier.c	2009-11-23 13:57:11.0 +0100
@@ -157,7 +157,13 @@
 payload[y] = '\0';
 
 while (class[j].id  j  max) {
-  if (class[j].pattern) ret = pm_regexec(class[j].pattern, payload);
+  char match;
+
+  if (class[j].pattern.buffer) {
+	ret = regexec(class[j].pattern, payload, 0, (regmatch_t *) match, 0);
+	if (!ret) ret = 1;
+	else ret = 0;
+  }
   else if (*class[j].func) {
 	cc_node = search_context_chain(fp, idx, class[j].protocol);
 	cc_rev_node = search_context_chain(fp, reverse, class[j].protocol);
@@ -370,11 +376,12 @@
 Log(LOG_ERR, ERROR: Pattern in %s too long. A maximum of %d chars is allowed.\n, fname, MAX_PATTERN_LEN);
 	return 0;
   }
-  css-pattern = pm_regcomp(pre_process(line), linelen);
-  if (!css-pattern) {
-	Log(LOG_ERR, ERROR: Failed compiling regular expression for protocol '%s'\n, css-protocol);
-	return 0;
-  } 
+  memset(css-pattern, 0, sizeof(css-pattern));
+  ret = regcomp(css-pattern, pre_process(line), REG_EXTENDED|REG_ICASE|REG_NOSUB);
+  if (ret) {
+Log(LOG_ERR, ERROR: Failed compiling regular expression for protocol '%s' (%u)\n, css-protocol, ret);
+return 0;
+  }
 
   datatype = done;
   break;
@@ -452,7 +459,7 @@
   }
 
   link_conntrack_helper(css);
-  css-pattern = NULL;
+  memset(css-pattern, 0, sizeof(css-pattern));
   return 1;
 #else
   return 0;
diff -ur pmacct/src/classifier.h pmacct.class/src/classifier.h
--- pmacct/src/classifier.h	2006-11-19 16:16:07.0 +0100
+++ pmacct.class/src/classifier.h	2009-11-23 13:57:41.0 +0100
@@ -1,5 +1,5 @@
 #include dirent.h
-#include regexp.h
+#include regex.h
 #include conntrack.h
 
 /* defines */
@@ -27,7 +27,7 @@
 struct pkt_classifier {
   pm_class_t id;
   char protocol[MAX_PROTOCOL_LEN];
-  regexp *pattern;
+  regex_t pattern;
   pm_class_t (*func)(struct pkt_classifier_data *, int, void **, void **, void **);
   conntrack_helper ct_helper;
   void *extra;
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] MySQL options

[Paolo Lucente]

Hi Joel,

On Sat, Nov 21, 2009 at 12:43:19PM +1100, Joel Roberts wrote:

 I need to setup traffic accounting (in and out) for each IP address, and
 then export that data to an EXTERNAL mysql database on a separate machine
 accessible via IP address. How do I go about setting up pmacct to do this?

On the pmacct side, look at the sql_host configuration directive. Look at
MySQL documentation on how to a) let the daemon listen on a TCP/IP port and
b) setup user accounts which are going to connect remotely (GRANT queries).
There are plenty of examples on how to account in/out traffic per-IP address
around - some as part of the EXAMPLES document, some on Google. 

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Layer 7 classification problem.

[Paolo Lucente]

Hi,

On Fri, Nov 20, 2009 at 05:06:25PM +0530, Buddhike wrote:

 I'm testing pmacct on my network, and pmacct runs on a box inbetween my LAN
 switch and My ADSL router, and i'm using layer 7 classifires for classify
 traffic. But when testing I observed that the traffic is not correctly
 displayed according to the classification some of the problems i've seen are
 listed below.
 
 1. Most of the http traffic are classifed as finger.
 2. All the other traffic are also shown either as unknown or in some other
 non-relevant protocols.

There was a very similar thread going on few days ago - and still not solved;
you can check it out at the link below:

http://www.mail-archive.com/pmacct-discussion@pmacct.net/msg01374.html

You can perform some troubleshooting as per that thread and see if it helps.
Otherwise, it has to be debugged and at a glance feeling is that the issue
is not lying in the pmacct domain. FYI, pmacct leverages both regexp engine
and classifiers of the L7-filter project. 

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] invalid network mask?

[Paolo Lucente]

Hi Charlie,

It appears you didn't put the table in the correct format first. Is
it the case? If yes, to make that table pmacct-friendly you have to
pre-process it as follows:

cat bgptable | sed 's/\([0-9a-f:][0-9a-f\.\/:]*\).* \([0-9][0-9]*\)[ 
0-9,{}]*$/\2,\1/' | uniq  networks.lst

At least it works fine with GNU sed. And do consider this was really
a 5 minutes job, so double-check accuracy of the output.

Btw, indeed yes line numbers should be included in logging messages
upon detecting errors; this is the case for other checks, apparently
not for this one. Just fixed it, will commit a patch to the CVS soon.

Cheers,
Paolo


On Thu, Nov 19, 2009 at 11:54:05AM +, Charlie Allom wrote:
 Hi Paolo,
 
 would it be useful to include the line number that causes the error
 here?
 
 I've put the file here: http://capslock.playlouder.com/bgptable.gz
 
 11:50 pmacct:~# md5sum bgptable
 578e6138f9e5b3d84c09415ce9d1d019  bgptable
 
 NetFlow Accounting Daemon, nfacctd 0.12.0rc3
 
 
 11:48 pmacct:~# nfacctd -f /etc/nfacctd.conf
 INFO ( default/pgsql ): 131070 bytes are available to address shared memory 
 segment; buffer size is 1024 bytes.
 INFO ( default/pgsql ): Trying to allocate a shared memory segment of 
 33553408 bytes.
 ERROR ( /home/charlie/bgptable ): Invalid network mask '2147483647'.
 [ ... ]



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Problem with aggregate_filter

[Paolo Lucente]

Hi,

On Thu, Nov 19, 2009 at 04:00:33PM +0530, Buddhike wrote:

 I've searched on google but didn't find any examples with mac adresses but
 with src/dst networks. But i didn't seen any records saying that
 aggrigate_filter can't be used with src mac and dst mac option. anyway I
 tested it with the following config file but it didn't worked.

Remember filters in pmacct follow tcpdump/libpcap syntax - so you can always
check tcpdump man page when in doubt. The correct syntax is ether src and
ether dst.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] create my own mysql table

[Paolo Lucente]

Hi,

On Mon, Nov 16, 2009 at 04:45:57PM -0600, fedora fedora wrote:

 DEBUG ( default/mysql ): INSERT INTO `test_1` (stamp_updated,
 stamp_inserted, ip_src, ip_dst, as_src, as_dst, src_port, dst_port,
 tcp_flags, ip_proto, packets, bytes, flows) VALUES
 (FROM_UNIXTIME(1258410661), FROM_UNIXTIME(1258410600), 'x.x.x.34',
 'x.x.x.2', xx8, xx9, 443, 2608, 24, 'tcp', 1, 1353, 140733193388033)

Thanks, for the output. So, only the 'flows' primitive is involved.
Hopefully last bit of information i need is: which NetFlow version
are your routers exporting to pmacct? If v8, which profile? If v9,
you doing anything fancy with it (ie. aggregated NetFlow)? Roughly
a week ago i committed to the CVS a minor patch to initialize some
variables used at some stage to convert values as counters; can you
please see if the version currently in the CVS behaves any better?

 So pmacct keeps tracking the traffic count and and the end of the given
 minutes(hours..etc) it calculates the summary and then writes it to the
 backend database, am I right?

Yes pmacct SQL plugins feature a cache to accumulate counters. Then the
scanner kicks in at regular intervals (by default 60 secs) and writes to
the database. If sql_history matches sql_refresh_time (or is a multiple)
then each aggregate is written with a SQL INSERT query; otherwise UPDATE
queries are involved. 

 If I am correct, how does pmacct treat netflow data? since all the data it
 gets already get aggregated by netflow protocol. Will pmacct do something
 extra?
 
 I guess for sflow, it will act differently and do the calculations.

Basic thing to consider is pmacct is not a packet/sample/flow logger.
This is partly highlighted by Q5 in FAQS. It performs data reduction,
ie. temporal aggregation, spatial aggregation, filtering, sampling (or
sub-sampling). Timestamps part of the export protocol, ie. NetFlow or
sFlow, are used to assign data to a time-bin, when using a SQL plugin
(as the in-memory table plugin doesn't have such a concept; you simply
grabclean data at regular intervals).

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] protocol classification don't detect http

[Paolo Lucente]

Hi Mike,

On Tue, Nov 17, 2009 at 02:27:06PM +0300, Mike Lykov wrote:

  I would suggest a couple of checks:
  * see if HTTP traffic is reaped by some other classifier, but i guess
you might have already checked that. 
 
 if class_id = unknown, i think it's not this case.

Yes, correct. But are you getting all the web traffic? I mean, I see you
are a) not collecting TCP/UDP ports and b) using an aggregate_filter. Is
it web traffic the one left as unknown or something else? Any chance
some web traffic is being filtered out, ie. because some mirrored data
is VLAN-tagged? You can test this by commenting out the aggregate_filter.

  * see if the HTTP classifier is written correctly. Not referring only
to the regexp but to the overall syntax. The implemented format is
*veeery* sensible to tabs, spaces, white lines, etc. So try to keep
it essential. Strip comments and empty lines out.
 
 I delete all comments from file
 
 [r...@router ~]# cat /var/local/pmacct/classifiers/http.pat
 http
 http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d 
 -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* 
 http/[01]\.[019]
 
 What else may I try to?

Try with a simplified (and polished up) filter. See if the memory table
plugin behaves any differently/better compared to the SQL one (this is
an always-good troubleshooting step). Increase classification tentatives
although with http traffic it should make no difference. After all, if
http-marked traffic makes it in the database, as per your previous email,
it means the regexp engine itself is working.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] protocol classification don't detect http

[Paolo Lucente]

Hi Mike,

I see all of those signatures actually working by picking some sites
randomly with wget. This is with 0.12.0rc3 but honestly speaking there
has not been any major work related to the classification part for the
past 3-4 years.

I would suggest a couple of checks:
* see if HTTP traffic is reaped by some other classifier, but i guess
  you might have already checked that. 
* see if the HTTP classifier is written correctly. Not referring only
  to the regexp but to the overall syntax. The implemented format is
  *veeery* sensible to tabs, spaces, white lines, etc. So try to keep
  it essential. Strip comments and empty lines out. 

Let me know.

Cheers,
Paolo


On Mon, Nov 16, 2009 at 01:13:03PM +0300, Mike Lykov wrote:
 Hi all on this list.
 
 I am try to install pmacct + protocol classification feature and want to ask 
 some question about it.
 
 pmacct + pmacct_v5 base + set of .pat files from l7filter site. See results:
 
 successfully detect ftp,nntp,subversion,jabber,ssh,dns,pop3,smtp
 detect connection to jabber-icq gate as rtp
 detect ntp as edonkey
 don't detect http and http-ssl at all
 don't detect irc (tested on irc.freenode.org + irssi), whois (whois.ripn.net 
 + console whois)
 
 False detections rtp/edonkey is a little   inconvenience, but not to 
 detect http at all is a big disappointment!
 
 I try some variants of regexp:
  simple HTTP/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]
 default http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d 
 -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]* 
 http/[01]\.[019]
 second default http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9]|post [\x09-\x0d -~]* 
 http/[01]\.[019]
 
 [ ... ]
 
 Anybody here with http classification working? ;) 


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] create my own mysql table

[Paolo Lucente]

Hi,

On Mon, Nov 16, 2009 at 11:58:14AM -0600, fedora fedora wrote:
 I still see all flow records having the same number 4294967295 in my mysql
 table, and debug does not seem to tell me why this happens.

How do you mean? You see that number appearing in the debug? As writing
to the database is done through a library (MySQL client library), I'm
trying to establish what is generating the issue. Can you also say what
version of MySQL you are using, which OS and which architecture you are
running pmacct on?

 And I have another question about the sql_history, what exactly is this? I
 have read the configuration keys several time but I am still not sure. If
 I set it to 5m, does it mean pmacct will hold and count the data internally
 until the end of the 5 minutes then send the final statistic to mysql?

It means you have 5 minutes traffic counters (temporal aggregation). The
SQL cache scanner sets how often you write to the database. You can have
a sql_history set to 5 minutes but have the SQL scanner to kick in every
minute (sql_refresh_time: 60). There are more advanced considerations to
do at this propo - which are useless to start with and that you can read
of in CONFIG-KEYS, sql_dont_try_update feature. Overall, best is to start
blank with relevant sections of the sql/README.mysql and EXAMPLES documents
in the distribution tarball - and then complicate things bit by bit.

Btw, sql_history_roundoff is also a very useful directive to be coupled
almost always with sql_history, for example:

 sql_history: 5m
 sql_history_roundoff: h

It nicely aligns the time bins to the hour boundary. Again, perhaps give
it a try to see the effect.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] create my own mysql table

[Paolo Lucente]

Hi,

On Fri, Nov 13, 2009 at 04:21:26PM -0600, fedora fedora wrote:
 Thanks for the reply, i disable the daemon option and here are the error
 messages, i cannot put src_ip and src_as together?
 
 INFO ( default/mysql ): 131070 bytes are available to address shared memory
 segment; buffer size is 128 bytes.
 INFO ( default/mysql ): Trying to allocate a shared memory segment of
 2097024 bytes.
 INFO ( default/core ): waiting for NetFlow data on 0.0.0.0:1
 ERROR ( default/mysql ): SQL tables  v6 are unable to mix IP addresses and
 AS numbers (ie. src_ip, src_as).
 INFO: connection lost to 'default-mysql'; closing connection.

Simply add to your config a 'sql_table_version: 6' line. Then, the 
'sql_optimize_clauses' directive ensures you can customize your table.
Q16 in the FAQS document explains the concept of SQL table versioning
in pmacct.

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] create my own mysql table

[Paolo Lucente]

Hi,

On Fri, Nov 13, 2009 at 05:10:35PM -0600, fedora fedora wrote:
 sorry, one more question, when preparing the aggregate, does the order of
 the values matter? right now my aggregate is like the following

No, doesn't matter.

  One more question, how can i get pmacct to show the flow number in the
  database? I got all 0 ,and when i change to aggregate to 
  aggregate:proto,src_host, dst_host, src_port, dst_port, src_as, dst_as,
  tcpflags,flows
   all the numbers are one same pretty big number

MMM, sounds strange. Also, don't manage to reproduce either of the two
scenarios by playing your configuration on a test box. The same pretty
big number smells like dirty data? Enable debug and you should see on
the screen which SQL queries are generated by pmacct and sent to the
MySQL database. 

  Also i will have to read what exactly does  stamp_inserted , and
  stamp_update mean..

pmacct has a concept of time bins - which you are currently not using in
your config (but you can easily add the line sql_history: 5m and see). 
sql_inserted is the base time of the time bin; sql_history directive in
the configuration sets the length of such time bins; stamp_updated says
about when a specific SQL record was touched for the last time by pmacct.
Useful for troubleshooting purposes and general reference - not to infer
time bins' length.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] NAT question

[Paolo Lucente]

Hi JF,

As Karl said, libpcap looks what's on the wire and pmacct doesn't
get further up in the packet layering. You can always do a quick
check by verifying what tcpdump sees. 

While on NAT  Linux, and perhaps not related to this specific
issue: the uacctd daemon has been introduced in pmacct as of
0.12.0rc3: it relies on the ULOG framework for packet capturing
and should give increased flexibility (prerouting, postrouting,
etc.) in scenarios where one does accounting on the same Linux
box which is also doing the NAT. 

Cheers,
Paolo


On Thu, Nov 12, 2009 at 12:24:34AM -0500, JF Cliche wrote:
 Maybe a newbie question, so I'll be brief:
 
 I am behind two NAT routers (Linksys running DD-WRT) with port
 forwarding up to the machine running pmacct, and yet pmacct reports
 SSH traffic to the forwarded port with the public (external,
 non-NATed) addresses. I thought all traffic should be seen as coming
 from the second router private address. Is pmacct (or underlying pcab
 library) getting the public address from extra data encapsulated in
 the TCP packets by the routers or in the SSH protocol? I've seen the
 opposite problem being discussed in this forum, but not this...
 
 JF
 
 
 -- 
 
 Jean-Fran?ois Cliche, Ph.D., P. Eng



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] No Sqlite3 logging

[Paolo Lucente]

Hi JF,

On Mon, Nov 09, 2009 at 05:09:40AM -0500, JF Cliche wrote:

 debug: true
 syslog: kern
 plugin_buffer_size: 10240
 plugin_pipe_size: 10240
 interface: egiga0
 daemonize: false
 promisc: false
 sql_cache_entries: 2
 plugins: sqlite3[in]
 sql_max_writers: 2
 pidfile: /vol1/pmacct.pid
 sql_db: /vol1/pmacct.db
 aggregate[in]: dst_host
 aggregate_filter[in]: dst net 11.0.3.0/24
 sql_table[in]: acct
 sql_table_version: 1
 sql_refresh_time: 5

From the debug output you posted, it looks everything is OK (database
exists, file permissions are fine, etc.) - except pmacct doesn't have
any data to report. Can you please comment the 'aggregate_filter' out?
Another chance is that the daemon is bound to an interface with almost
no traffic and hence the plugin_buffer_size/plugin_pipe_size couple is
buffering and hence hiding traffic out.

While here, i would suggest to review the following things from the
above config - perhaps good if/when you go in production:
* remove the 'sql_cache_entries: 2' line or perhaps explain the goal
  you want to achieve. This sets the number of buckets of the hashed
  SQL cache structure and can lead to sustained CPU utilization, if
  configured incorrectly. 
* remove the 'sql_max_writers: 2' line to at least 10; or increase
  sql_refresh_time
* increase sql_refresh_time to something more sensible 60-120 secs;
  unless indeed this is done on purpose. 
* Try to keep plugin_pipe_size in the 1000*plugin_buffer_size area

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] No Sqlite3 logging

[Paolo Lucente]

Hi JF,

On Mon, Nov 09, 2009 at 10:26:35AM -0500, JF Cliche wrote:

 In any case, I cleaned- up my config file and made sure I filter
 nothing (see config below). I rechecked pmacctd using the memory
 plugin and data is being gathered. Then I relaunched with the sqlite3
 plugin. 'pmacct -s' still generate an error: the pipe file is not
 created. And a large number of sqlite3 writer processes are created.

The pmacct client tool is only useful to interact with the memory
plugin; when you are using only the sqlite3 plugin, it tries to see
if a memory plugin is listening on the pipe file - but nothing is
there and hence it triggers the error. I would say this is all OK.

 ...
 ( in/sqlite3 ) *** Purging cache - START ***
 ( in/sqlite3 ) *** Purging cache - END (QN: 0, ET: 0) ***
 WARN ( in/sqlite3 ): Maximum number of SQL writer processes reached (10).
 ( in/sqlite3 ) *** Purging cache - START ***
 ( in/sqlite3 ) *** Purging cache - END (QN: 0, ET: 0) ***
 ...

Now, this part is interesting. As you said, writer processes seem to
not be replenished - while they should be shortly after each END
debug message you see above; and also it seems the writer process is
unable to dump the SQL cache content into the database (as the query
number, QN, stays at zero while you produce some traffic; moreover
such traffic is reaching the sqlite3 plugin no problems as you can get
the buffering error ERROR ( in/sqlite3 ): We are missing data from
the plugin). 

To rule out some configuration issue, i've copy/pasted your config
on a testbed - and i see it working fine. This and the fact that the
memory plugin works fine (it has a different way of working compared
the SQL plugins) suggests me the issue could be at a lower level.

I can propose some solutions: 1) allow me to troubleshoot the issue;
this would require an access to the NAS (and feel free to bring this
over privately); 2) if the above is not possible a clean alternative
might be let pmacct to write to a remote SQL database, either MySQL
or PostgreSQL; it has to be checked you don't run in the same SQLite
issue first; 3) check whether what you want to achieve, can be done
with the memory plugin.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] tracking traffic flowing through a specific AS-path

[Paolo Lucente]

Hi Zenon,

On Thu, Oct 29, 2009 at 10:09:16AM +0200, Zenon Mousmoulas wrote:

 BGP RIB lookups. However, for traffic flowing from sources behind
 that path (inbound for us), how would one go about doing just that?

 [ ... ]
 
 This is quite similar in concept to the mechanics of calculating the
 source peer AS: an RPF lookup would be required again, which should
 return the AS-path instead of the next-hop. Of course once again we
 have the assumption that routing is symmetric, which however in
 internet environments is far from the truth, but it's still better
 than nothing. How difficult would it be to implement this so that we
 could have a src_as_path aggregation primitive?

Implementing a trivial src_as_path is quick and easy ... but is that
any useful? It's something non-deterministic and it's also not always
possible to infer whether it's correct or pure rubbish. When i posed
myself that question some time ago, i thought that even if a trivial
implementation takes just a couple of hours, bottom line it's time
wasted. 

I guess on a topic like src_as_path there is margin for a study,
some research or at least some ample discussion maybe bringing in
further interested people (coming from the NREN world, you perhaps
can think of somebody at this propo?) with the goal of coming up
with something clever. 

Recently, for example, having spoken to somebody on similar topics
i started wondering if further information about ingress traffic is
better inferred from the network itself (say: BGP, NetFlow, TTL
values, etc.), from out-of-band data (say: AS macros, RIPE data,
etc.) which would be all part of a map or a mix of the two. 

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Long sflow BGP configuration

[Paolo Lucente]

Dear Maxence,

On Wed, Oct 28, 2009 at 10:56:20AM +0100, Maxence Rousseau wrote:

 I didn't understood all the documentation... Do I need to use pmacctd ?
 It seems not necessary because sfacctd is able to launch BGP thread and
 log to mysql. What's the need of the pmacctd process in my case ?

Correct. Getting data via sFlow, you have to deal with sfacctd only. 

 The logging to the MySQL db is working correctly but a lot of
 information are missing :
 DEBUG ( default/mysql ): INSERT INTO `acct_bgp` (stamp_updated,
 stamp_inserted, as_src, as_dst, as_path, local_pref, med, peer_as_src,
 peer_as_dst, peer_ip_src, peer_ip_dst, agent_id, comms, packets, bytes)
 VALUES (FROM_UNIXTIME(1256724001), FROM_UNIXTIME(1256723400), 34383, 0,
 '', 100, 0, 0, 0, '192.168.5.1', 'WAN_IP', 0, '', 2, 509)
 
 As you can see, in my configuration below, i've set the bgp
 update-source IP the same than sflow agent-ip. Is it enough to able to
 match informations between sflow  bgp ? How can I see than the match is
 working ? 

The correlation between sFlow and BGP is working as, as it can be seen
from the query above src_as, local_pref and peer_ip_dst (BGP next-hop)
are resolved fine. All of that comes from BGP. As what is missing above
is roughly as_dst, peer_as_dst, as_path (and there are no communities
attached): is it not possible this is something redistributed in BGP
(ie. a static or a connected route or a route injected from some other
protocol)?

Two troubleshooting steps that helped recently (thanks to Zenon from
GRNET for his cooperation at this propo) are:

* temporarily set to true 'bgp_daemon_msglog' to have a debug of all
  the BGP routes (and their attributes) being exported from the peer(s)

* temporarily increase resolution of the aggregation, ie. add src_host
  and/or dst_host, so that specific issues can be pin-pointed.

 (I cannot change it), in the documentation the match between sflow  BGP
 is done with the source IP address from BGP  sflow, so the router-id
 seems not useful except for more clear log messages. Correct ?

Correct.

 Some information are available in sflow (viewed with sflowtool) like
 my_as,src_peer_as but are not logged. Why ? Because we wait them from
 the BGP ?

Correct. Disabling the 'sfacctd_as_new' makes as_src and dst_as populated
from sFlow and the rest from BGP. peer_as_src is instead populated via a
map: see pages 15-18 of http://www.pmacct.net/lucente_pmacct_uknof14.pdf

Your pmacct and router configs also appears correct. 

 When all will be up, I will be able to post on the wiki a complete
 configuration step by step for this exact configuration.

Thanks, that would indeed be much appreciated. You (or I if you give
me the link at some stage) can cross-link it from the pmacct wiki to
give it even further visibility.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Long sflow BGP configuration

[Paolo Lucente]

Hi Maxence,

On Wed, Oct 28, 2009 at 03:38:59PM +, Maxence Rousseau wrote:

 The information seems perfect, sample :
 INFO ( default/core/BGP ): [Id: ROUTER-ID] u Prefix: '208.74.16.0/21'
 Path: '174 3549 32952' Comms: '174:21000 174:22013' EComms: '' LP: '100'
 MED: '82011' Nexthop: 'WAN_IP_ROUTER_TRANSIT_AS_174'

 [ ... ] 

 192.168.5.1  PEER_DST_IP SRC_IPDST_IP   0 0
 0  ip  0  1   0   200

What is not clear to me: is DST_IP part of the IP prefix listed above
or the two examples are unrelated? Otherwise: what are the BGP attributes
related to the IP prefix of which DST_IP is part of?

If you feel you want to go private, in order to give me a clear example,
and then summarize on-list feel free. Btw, for troubleshooting purposes,
it can also be useful to know what is the role of the sFlow/BGP exporter
in the network, which interfaces/direction sFlow is enabled (is it on the
IP transit ports, ingress direction or what?) and a brief description of
the network topology.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

[pmacct-discussion] pmacct 0.12.0rc3 released !

[Paolo Lucente]

VERSION.
0.12.0rc3


DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
measure, account, classify, aggregate and export IPv4 and IPv6
traffic; a pluggable and flexible architecture allows to store
collected network data into memory tables or SQL (MySQL, SQLite,
PostgreSQL) databases and export them through NetFlow or sFlow
protocols to remote collectors. pmacct supports fully customizable
historical data breakdown, sampling, filtering and tagging and
triggers. Libpcap, Netlink/ULOG, sFlow v2/v4/v5 and NetFlow v1/
v5/v7/v8/v9 are supported, both unicast and multicast. Also, a
client program makes it easy to export data to tools like RRDtool,
GNUPlot, Net-SNMP, MRTG, and Cacti.


HOMEPAGE.
http://www.pmacct.net/


DOWNLOAD.
http://www.pmacct.net/pmacct-0.12.0rc3.tar.gz


CHANGELOG.
+ Support for NetFlow v9 sampling via Option templates and
  data is introduced; this is twofold: a) 'nfacctd_renormalize'
  configuration directive is now able to renormalize NetFlow v9
  data on-the-fly by performing Option templates management; b)
  'nfprobe', the NetFlow probe plugin, is able to flag sampling
  rate (either internal or external) when exporting flows to the
  collector.
+ '[pm|u]acctd_ext_sampling_rate' directives are introduced to
  support external sampling rate scenarios: packet selection is
  performed by the underlying packect capturing framework, ie.
  ULOG, PF_RING. Making the daemon aware of the sampling rate,
  allows to renormalize or export such information via NetFlow
  or sFlow.
+ pmacctd: the IPv4/IPv6 fragment handler engine was reviewed
  to make it sampling-friendly. The new code hooks get enabled
  when external sampling (pmacctd_ext_sampling_rate) is defined.
+ A new 'uacctd' daemon is added to the set; it is based on the
  Netlink ULOG packet capturing framework; this implies it works
  only on Linux and can be optionally enabled when compling by
  defining the '--enable-ulog' switch. The implementation is
  fully orthogonal with the existing feature set. Thanks very
  much to: A.O. Prokofiev for contributing the original idea
  and code; Stig Thormodsrud for his support and review.
+ The 'tag2' primitive is introduced. Its aim is to support
  traffic matrix scenarios by giving a second field dedicated
  to tag traffic. In a pre_tag_map this can be employed via the
  'id2' key. See examples in the 'examples/pretag.map.example'
  document. SQL plugins write 'tag2' content in the 'agent_id2'
  field. Read 'sql/README.agent_id2' document for reference.
+ Some new directives to control and re-define file attributes
  written by the pmacct daemons, expecially when launched with
  increased priviledges, are introduced: file_umask, files_uid,
  files_gid. Files to which these apply include, ie. pidfile,
  logfile and BGP neighbors file.
! fix, bgp/bgp.c: upon reaching bgp_daemon_max_peers threshold,
  logs were flooded by warnings even when messages were coming
  from a previously accepted BGP neighbor. Warnings are now sent
  only when a new BGP connection is refused.
! fix, nfprobe/netflow9.c: tags (pre_tag_map, post_tag) were set
  per pair of flows, not respecting their uni-directional nature.
  It was generating hiding of some tags.
! fix, nfprobe/netflow9.c: templates were (wrongly) not being
  included in the count of flows sent in NetFlow v9 datagrams.
  While this was not generating any issues with parsing flows,
  it was originating visualization issues in Wireshark.
! fix, SQL plugins: CPU hitting 100% has been determined when
  sql_history is disabled but sql_history_roundoff is defined.
  Thanks to Charlie Allom for reporting the issue.
! fix, sfacctd.c: input and output interfaces (non-expaneded
  format) were not correcly decoded creating issues to Pre-
  tagging. Thanks to Jussi Sjostrom for reporting the issue.


NOTES.


Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] peer-AS calculation (plus netflow v9 sampling) questions

[Paolo Lucente]

Hi Zenon,

On Tue, Oct 27, 2009 at 01:16:06PM +0200, Zenon Mousmoulas wrote:

 1. Does bgp_peer_src_as_map apply both to src and dst AS or only the
 first? In any case, I don't understand how bgp_nexthop can be used
 for calculating the peer src AS, since that field applies to the
 destination recorded in the flow record?

As the name says, bgp_peer_src_as_map applies to the src peer AS
only. bgp_nexthop check in the context of bgp_peer_src_as_map is
employed to do a reverse lookup on the source IP prefix and check
the bgp_nexthop (ie. where the ingress router would route to the
source IP prefix) is what you expect (ie. traffic is symmetric).
Makes sense?

 2. Does bgp_peer_src_as_map work with as-aggregated netflow?
 Actually a broader question is if any of BGP lookup features work
 when using any form of aggregated flow records where src/dst IP
 address is not available.

Broader question is good: correlation of NetFlow and BGP is done
by looking up source and destination IP prefixes in NetFlow into
the BGP RIB. If you aggregate IP addresses logically to the network
boundaries - then it's still OK. If you aggregate by removing the
IP layer at all and export only AS numbers, well, it will not work
anymore ... but you are raising a very valid point. 

IHMO, it would be good to put some efforts in this direction - 
specifically, before even developing something general-purpose, it
should be seen how much accuracy is affected by rather common
de-aggregation or prefix load-balancing practices on the internet:
ie. i have one AS, two /18 allocations, two upstream provider: i'll
advertise a /18 here and one there. 

 3. In BGP peerings it is quite common practice to advertise
 next-hop self for a number of different, valid reasons. I am right
 to assume such a practice effectively renders useless any next-hop
 based lookups?

iBGP or eBGP? Can you bring an example?

 On an different topic: I have seen that nfacctd detects and supports
 netflow v5 sampling, but I am not sure if this is also true for v9.
 It may have been mentioned somewhere/discussed previously, but I
 have been unable to dig it up. I am fully aware however that
 detecting sampling in netflow v9 PDUs does require a lot more
 work...

NetFlow v9 sampling is supported as of 0.12.0rc3 (which is currently
in the CVS and due to be released ... soonish). 

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] dumping stored netflow into nfacctd

[Paolo Lucente]

Hi Charlie,

The 'nfacctd_time_new' directive is by default set to false, meaning
original timestamps would be honoured (and aggregates inserted in the
correct time-bin). 

Would also suggest to ensure keeping the 'sql_dont_try_update' to false
(which is the default) - as you are going to do something which is not
real-time (hence the 'sql_startup_delay' can't be of help) and you might
incur into the situation something has to be UPDATEd.

Cheers,
Paolo


On Mon, Oct 26, 2009 at 02:39:40PM +, Charlie Allom wrote:
 Hi,
 
 I have multiple gigs of stored netflow data from nfacpd.
 
 Would 'replaying' it back into nfacctd cause the process to recognise
 any old timestamps or would it think it's new traffic?
 
 eg.
 # for i in * ; do nfreplay -H 192.168.2.111 -p 3001 -r $i ; done
 #
   C.
 -- 
  Media Service Provider Ltd.
  http://blog.playlouder.com/
  http://as47998.net/
  020 7729 4797

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Productivity Pre-Tagging [was] Traffic count only for certain networks

[Paolo Lucente]

Hi Slava,

Although tagging can play in your case a key (negative) role under
sustained loads, i wouldn't know if it is the prime contributor to
such hang ups. 

The log below tells that either the router itself is unable to
export all the NetFlow data or such data gets lost before making
it to the collector (network, kernel buffers, etc.). Such sequence
checks can be avoided with the aim of avoid massive logging and in
turn relief CPU load: nfacctd_disable_checks set to true.

What occurs when the Core Process has not time to handle all traffic?
Well, nfacctd reads data from a socket; and a socket at the very end
manages a buffer of a certain size. If nfacctd is too slow to pick
data out of the buffer compared to the arrival rate, there will be
some data loss. At this propo: is buffering enabled within nfacctd
(ie. plugin_pipe_size, plugin_buffer_size) ?

Is it not also an idea, if possible (depends on the router) and for
the benefit of the whole solution, to introduce sampled NetFlow?

Cheers,
Paolo


On Mon, Oct 26, 2009 at 07:57:17PM +0200, Slava Dubrovskiy wrote:

 [ ... ]

 Throughout our conversation about traffic accounting has noticed that
 periodically the daemon nfacctd hangs up.
 It happens when the quantity of packages strongly increases more then
 50kpps (during DDoS).
 In log I see:
 
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '4333297' but
 received '403' collector=???^^B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '405' but
 received '406' collector=???^^B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '407' but
 received '420' collector=^H^_B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '421' but
 received '432' collector=^T^_B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '433' but
 received '446' collector=^_B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '447' but
 received '456' collector=,^_B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '457' but
 received '463' collector=3^_B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '464' but
 received '478' collector=B^_B:8818 agent=192.168.21.1:129
 Oct 25 18:59:48 stat nfacctd[3379]: WARN: expecting flow '479' but
 received '4333400' collector=X^_B:8818 agent=192.168.21.1:129
 
 After this nfacct stop listen port and not working.
 
 Question:
 What occurs, when the Core Process has not time to handle all traffic?
 How it is possible to increase productivity Pre-Tagging?


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] BGP-related fields do not show up in the memory table

[Paolo Lucente]

Hi Zenon,

Thanks very much for your feedback first of all; please follow my
replies in-line.

On Fri, Oct 23, 2009 at 02:23:34AM +0300, Zenon Mousmoulas wrote:

 I am exporting netflow v9 (non-aggregated, for the time being) from
 a Cisco router (12000/PRP with 12.0S) to nfacctd (0.12.0rc2). I have

Can i ask you which 12.0S IOS version the C12k is running precisely?
 
 However, I can not see this information in the memory table, for
 example:

Your configuration, bgp_agent_map and overall setup appears correct.
I've double-checked by reproducing the scenario on a testbed before
replying. I find two possible explanations on what's happening:

* if you compiled the package with support for IPv6 (--enable-ipv6)
  - doesn't appear so, but better ask - the bgp_agent_map should be
  rewritten as:

  id=x.x.x.7 ip=:::x.x.x.10

* the BGP Router-ID is set as x.x.x.7 but effectively BGP session is
  established by using a different IP address, ie. you didn't impose
  the neighbor ... update-source interface or you did but the
  interface has multiple IP addresses assigned and another one is
  picked.

Let me know on this.

 Also, in the table above, AS 0 should be the exporting router's own
 AS (5408) but it isn't, probably because the corresponding prefixes
 are known via the IGP. Is it possible to translate with pre_tag_map?
 Any other ideas?
 I am reluctant to use 'nfacctd_as_new: bgp' RIB lookups since we
 probably have this information already (exporter is setup for
 origin-as).

I see two possible cases for the AS 0, IHMO one more likely the
other slightly less: 

* It could be static or connected routes redistributed in BGP; in
  such a case you can use communities to assign a fictious ASN
  to people on your own IP address space (see section XIc of the
  EXAMPLES document, the bgp_stdcomm_pattern_to_asn entry in the
  CONFIG-KEYS document and pages 19-20 of the following presentation:
  http://www.pmacct.net/lucente_pmacct_uknof14.pdf

* It could be, as you said, a prefix lying in the IGP; in such a
  case you have two options: 
  - as you said, pre_tag_map. Note rc3, which will hopefully be out
very soon (by end of the month), will include a tag2 field (ie.
a second field dedicated to tagging) - very useful when building
traffic matrices.
  - You might re-distribute these routes in BGP; network-wise it
will cost slightly more memory (you shouldn't have that many
routes in the IGP, do you? Would expect in the order of a few
thousands if not less) while from a pure routing perspective,
the IGP will always win due to the higher protocol preference.
Having the prefixes in BGP will enable you to get back to the
previous case and use the bgp_stdcomm_pattern_to_asn feature.

Very open to feedback, privately or here on list, on this matter.

 Finally I should note that I am seeing some occasional warnings in
 the debug log of nfacctd about unknown templates:
 
 DEBUG ( default/core ): Discarded NetFlow V9 packet (R: unknown
 template 257 [195.251.27.10:259])
 
 The exporter is supposed to be resending the template every 20
 packets (the default); I did a packet capture and it looks like it
 is regularly doing so.

Would you mind sending me privately a brief capture of the template
and possibly a few NetFlow packets containing flowsets that match
such template?

Cheers,
Paolo

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] BGP-related fields do not show up in the memory table

[Paolo Lucente]

Hi Zenon,

One additional point to my previous reply.

On Fri, Oct 23, 2009 at 02:23:34AM +0300, Zenon Mousmoulas wrote:

 I am reluctant to use 'nfacctd_as_new: bgp' RIB lookups since we
 probably have this information already (exporter is setup for
 origin-as).

Very true. And it depends on your goals whether that is sufficient
or not. An important piece of information, for peering purposes for
example, is correlating peer-as and origin-as. Getting ASN info
straight from BGP enables you to do that. Perhaps also add BGP
next-hop if peering with the same people at multiple places or
for a bit of traffic engineering - granted that the network is
is running MPLS; but because you run NetFlow v9, you should be
able to get BGP next-hop from there aswell. 

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Using nfacctd as netflow probe with high traffic levels

[Paolo Lucente]

Hi Chris,

Was wondering if it could be a counter-rollover issue. Did you configure
pmacct to compile with the --enable-64bit knob? 

Apart from the above - given you are aggregating on src_host,dst_host
in pmacct, to save some precious space on your Sup720 NetFlow TCAM, i
would recommend to use the mls flow ip interface-destination-source
profile instead. 

Just curiosity: did you enable that mls netflow interface on purpose
or it's there by itself?

Cheers,
Paolo


On Sun, Oct 11, 2009 at 07:46:53PM +0200, Chris Hellkvist wrote:
 Hi,
 
 i just set up pmacct and try to use nfacctd as netflow collector with
 a mysql backend for accounting purposes.
 The netflow v5 data is generated by a Cisco device with a sup720-3bxl
 card and several GigE interfaces and sent to a FreeBSD box running
 nfacctd. nfacctd is configured to store the data in a msysql datase on
 a remote server.
 After playing with some config options everything runs fine on the
 first tests with only one vlan-interface generating netflow data (a
 single customer with about 1000 mbits traffic on the vlan-interface).
 nfacctd receives the data, summarizes it according to the networks
 list and puts it into the mysql database every minute. The daily value
 for this customer looks like this when selected every minute from the
 database:
 2051 GB, 2058 GB, 2069 GB, 2074 GB, 2079 GB, 2085 GB, 2091 GB
 This values are coherent for the traffic load on the interface.
 
 So i started configuring other interfaces to generate netflow data on
 the Cisco device (about 1800mbits traffic). After this, the system
 logs only about 1GB every minute for the same customer:
 2106 GB, 2107 GB, 2108 GB, 2109 GB, 2110 GB, 2112 GB, 2113 GB
 
 (I'd say that there is some lack of traffic ;-) )
 Now i'm trying to figure out where the data gets lost. The load on the
 nfacct-box and the database servers is little (not more that 0.3 at
 all time). I ran nfacctd in debug mode, but i did not find any
 messages giving me a hint.
 Also on the cisco box everything looks fine, no high cpu or memory load.
 
 For the records, a snippet of my nfacctd-config:
 daemonize: true
 #debug: true
 networks_file: /root/conf/agtv-nets.list
 aggregate: src_host,dst_host
 nfacctd_port: 9787
 plugins: mysql
 sql_optimize_clauses: true
 sql_table_schema: /root/conf/dbs-dat.schema
 sql_refresh_time: 60
 sql_history: 1d
 sql_history_roundoff: d
 sql_db: accounting
 sql_table: tkue_%Y_%m_%d
 sql_host: X
 sql_passwd: Y
 sql_user: Z
 
 Also the netflow-config on the cisco box:
 ip flow-cache entries 52
 ip flow-cache timeout active 1
 mls netflow interface
 mls flow ip interface-full
 mls nde sender version 5
 ip flow-export version 5
 ip flow-export destination 172.16.80.10
 
 Maybe somebody on the list can give me a hint if there are any options
 to optimize or if there is any bottleneck i did not think about - any
 help is appreciated.
 
 Thanks,
 Chris


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] MySQL connection issues

[Paolo Lucente]

Hi Jeremy,

On Mon, Oct 05, 2009 at 01:14:46PM +1000, Jeremy Lee wrote:

 I'm now discovering that there's often a huge time lag before the data
 goes into the database, ranging from a few minutes to up to an hour. I've
 got debug going, 20 seconds between SQL refreshes, and I get several:

Quoting only introduction to the issue for the sake of brevity; you
got the reason why you get nothing for minutes, then suddenly it's all
there: buffering. Perhaps try with incremental steps if you not have
already done that - instead of jumping from 1024 to 10240. Get the
trade-off which better suits your scenario. 

Overall, what peak Mbps is this installation about? Any pps figure?
What i'm trying to figure is why by using buffers of 1K you loose data.
Any chance there is a concurrent process leaking full CPU cycles for a
substantial amount of time which doesn't allow the daemon to cope with
peaks of traffic?

On the persistency of the database connection; i'm open to discussion
and comments on this. I also see it would apply just fine to you. But
let me say some forewords:

* pmacct comes from a persistent connection implementation (many years
  ago); this was dropped because too fragile when adopted as a general
  purpose solution. Hence migrating to a more stateless approach. This
  was for a mix of reasons, mainly: a) some conditions hard to detect:
  server was shut down not properly, firewall, NAT or load-balancers in
  the middle timing out the session or restarting, etc. b) communications
  with the database server always passing through 3rd party APIs; this
  easily translates in not having full control on things.

* Adding a clean option in this sense might require quite some work to
  make it generally applicable, ie. not speaking about a quick fix but
  something which has to be ported (and tested working fine) across the
  multiple database software supported by pmacct.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Traffic count only for certain networks

[Paolo Lucente]

Hi Slava,

On Tue, Sep 22, 2009 at 11:42:37PM +0300, Slava Dubrovskiy wrote:

 I wish to count only traffic from/to local IP. I.e. that in base were
 only my local IP.
 For this purpose I specify my local IP in networks_file and I aggregate
 by src_host, dst_host.
 
 I don't wish to store not local IP since then the base will be very big.
 
 Thus there are some networks (ua-list.txt) the traffic with which I need
 to count separately.
 So I make:
 
 aggregate[hourly]: src_host, dst_host
 aggregate[hourly_ua]: src_host, dst_host
 aggregate_filter[hourly_ua]: net 173.194.0.0/24 188.163.0.0/24
 193.0.227.0/24
 plugins: mysql[hourly], mysql[hourly_ua]
 sql_table[hourly]: acct_base
 sql_table[hourly_ua]: acct_base_ua
 networks_file: /etc/pmacct/networks.list
 
 But how can I separate traffic from/to UA-IX?
 I can use aggregate_filter for this.  And it work fine.
 
 But networks list is very big :( And I can't add full list to
 aggregate_filter.

OK: accounting for local IP addresses traffic and UA-IX networks
is two different things - no traffic matrix required. Hence, i
would propose you to change your config as follows:

aggregate[hourly]: src_host, dst_host
aggregate[hourly_ua]: src_host, dst_host
plugins: mysql[hourly], mysql[hourly_ua]
sql_table[hourly]: acct_base
sql_table[hourly_ua]: acct_base_ua
networks_file[hourly]: /etc/pmacct/networks-local.list
networks_file[hourly_ua]: /etc/pmacct/networks-ua-ix.list

The effect will be that the hourly_ua plugin will give you
a breakdown of the traffic at the UA-IX, plus you will find a
catch all entry every hour, ie. ip_src = 0, ip_dst = 0,
which is the hourly sum of all the traffic between your local
IP addresses and networks besides UA-IX.

I did explain advantages of usin a networks_file rather than an
aggregate_filter in this scenario in a previous email (reloadable
at runtime and more efficient on long list of IP). Makes sense?

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] reloading config accuracy

[Paolo Lucente]

Hi Tony,

On Sun, Sep 20, 2009 at 06:03:18PM -0700, Tony wrote:

 I haven't upgraded yet, I will be doing that now, but I wanted to give you 
 some feedback on what I'm seeing in the old version and we can see if it 
 persists to the new version.

 [ ... ]
 
 10306644  10306462182 0.00177%
 83631880  83631698182 0.00022%
 1016473   1016265 208 0.02047%
 3318523   3318341 182 0.00548%
 48220490  48220308182 0.00038%
 
 I just thought I'd alert you to the above and see if the changes you have 
 committed make a difference. Hopefully I will be able to report back again in 
 a few days.

To confirm you that that behaviour was precisely target of a
bugfix which was issued a few weeks ago to the CVS and now is
already part of 0.12.0rc2 release. Let me know how it goes
after the upgrade.

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Format of storage IP addresses in database.

[Paolo Lucente]

Hi Slava,

On Wed, Sep 09, 2009 at 09:38:03PM +0300, Slava Dubrovskiy wrote:

 Why for store IP it is used CHAR type?
 
 It's better use INT UNSIGNED  and use INET_ATON() and INET_NTOA() for
 convert.
 http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_inet-aton

This is correct observation. The topic did already get some
(although minor) attention in the past and as a result some
patches were produced (for releases 0.7.9 and 0.10.x; i can
find them again and point them to you); they never managed
to get merged into mainstream due to requiring major coding
for a clean job and in contrast lack of general interest.

My impression is that using INTs instead of CHARs has overall
more consistent cons than pros. Pros: it saves space and allows
for more efficient range lookups avoiding LIKEs (but, in turn,
if one needs that, the *_net primitives are readily available
in pmacct). Cons: it doesn't look like there is any support for
IPv6, data conversion does not come for free: has performance
impact on each INSERT and UPDATE query which need instead to be
processed as fast as possible and some SELECTs (ie. SELECT
INET_NTOA(ip_src) ...).

Two extra considerations: a) if one has a particular eye for
this, probably the best choice is to consider using PostgreSQL
rather than MySQL as it features the 'inet' (IPv4, IPv6) and
'macaddr' data types: IHMO, they did a true clean job with it;
b) the real performance loss heppans when using variable CHAR
fields - but this is never the case with pmacct; static length
CHAR fields might be slightly less efficient in terms of size
than INTs but, you know, overall it has never got that bad to
justify going a different way.

Indeed i'm open to discussion.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Traffic count only for certain networks

[Paolo Lucente]

Hi Slava,

On Thu, Sep 10, 2009 at 02:24:22PM +0300, Slava Dubrovskiy wrote:

 [ ... ]

 It is necessary to count the traffic with filtering on certain networks.
 For this purpose I need write ALL this networks to aggregate_filter.
 But this list of networks is big and it periodically varies.
 I cannot specify in aggregate_filter a file with the list of networks.
 
 How it can be made?

It looks like to be a task for networks_file - which is also
reloadable at runtime. I see you are already using it in your
config, is it not producing the expected results (ie. local
networks accounted for, all the rest zeroed)? 

For long, long lists of IPv4/IPv6 prefixes this might get
also preferrable from a pure performance point of view given
that aggregate_filter employs a BPF filter which would check
elements one-by-one, in the order you inserted them, until a
match is found whereas the networks_file employs a merge-sort
algorithm. 

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] not build (was pmacct 0.12.0rc2 released !)

[Paolo Lucente]

Hi Slava,

Don't know precisely where the problem lies but i've tried the
same on a Linux and a Solaris box and it works no problems:

[pa...@linone ~]$ tar xfz pmacct-0.12.0rc2.tar.gz
[pa...@linone ~]$ cd pmacct-0.12.0rc2
[pa...@linone pmacct-0.12.0rc2]$ ./configure --build=i586-alt-linux 
--host=i586-alt-linux --prefix=/usr 
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc 
--datadir=/usr/share 
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib 
--localstatedir=/var/lib --sharedstatedir=/usr/com 
--mandir=/usr/share/man --infodir=/usr/share/info --disable-dependency-tracking 
--without-included-gettext 
--with-pgsql-includes=/usr/include/pgsql --enable-64bit --enable-threads 
--enable-mysql --disable-pgsql 
--disable-sqlite3

[ ... ]

updating cache ./config.cache
creating ./config.status
creating Makefile
creating src/Makefile
creating src/nfprobe_plugin/Makefile
creating src/sfprobe_plugin/Makefile
creating src/bgp/Makefile
[pao...@linone pmacct-0.12.0rc2]$ make

[ ... ]

And then compiles fine. Anybody else reading able to report
issue while configuring for compilation? Or can you give it
another try?

Cheers,
Paolo


On Wed, Sep 09, 2009 at 10:41:39PM +0300, Slava Dubrovskiy wrote:
 09.09.2009 20:00, Paolo Lucente ??:
  VERSION.
  0.12.0rc2

 it not build.

 [ ... ]
 
 rc1 is building without problems.
 Do you have any advices?
 
 -- 
 WBR,
 Dubrovskiy Vyacheslav




___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] reloading config accuracy

[Paolo Lucente]

Hi Tony,

On Sat, Sep 05, 2009 at 09:01:01PM -0700, Tony wrote:

 I have tested the above suggested configuration and it is working. There is 
 data going into the SQL table now! I am going to let it run in parallel with 
 the unadjusted data (which is going into another table) and then compare the 
 two of them and also compare to the stats being reported by the packeteer.

I've just managed to commit to the CVS repository some
code to remove a dependency between actions and checks
in the sql_preprocess layer (so that you can roll-back
to your original config, which did make sense). I also
went through an overall review of the feature - which
resulted in a couple of fixes (one right to the 'adjb'
section) and some cleanups. 

Hence I would highly invite you to make your assessment
against the version currently in the CVS or alternatively
wait until the rc2 release is out, later in the week.

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] nfacctd_renormalize and sql_preprocess: usrf=10 not working

[Paolo Lucente]

Hi Slava,

On Fri, Sep 04, 2009 at 10:10:46PM +0300, Slava Dubrovskiy wrote:

 I trying use nfacctd_renormalize option and use sql_preprocess: usrf=10

[ ... ]

 And after as I add sql_preprocess: usrf=10 it stop write to database.
 If I comment sql_preprocess: usrf=10 - working, but not renormalize traffic.
 
 What is wrong? Is it necessary set sql_preprocess: usrf=10 or
 nfacctd_renormalize: true enough?

Part of this topic (what is not making the usrf=10 working) was
touched in the email i've just sent out, please give it a look.
In short: usrf is defined as an action: you need to prepend to
it a check, even a dummy one which can be passed by every entry
on the queue (ie. minp=1). Give it a try.

With regards to renormalization and which way to go, it depends
on which NetFlow version you are using. pmacct supports natively
only renormalization of NetFlow v5 flows (it means you can set
the 'nfacctd_renormalize: true' and that's it). Whereas NetFlow
v9 sampling is not natively supported (yet): hence you are forced
to go the sql_preprocess (= static) way by explicitely defining
the sampling rate by which flows have to be renormalized (and
remember to change this parameter at the collector whenever you
change it at the exporting devices). 

Cheers,
Paolo



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] timestamp rounding bug

[Paolo Lucente]

Hi,

I've just committed into the CVS some code to slightly facilitate life
of who uses pmacct on systems which automagically get the clock changed
as effect of DST (Daylight Saving Time). 

Shifts forward are handled smoothly: they are timely recognized and
as a result the current time-bin (sql_history) and SQL cache scanner
deadline (sql_refresh_time) are adjusted by catching up the time
difference; an if (now  X) then X += Y was modified in a while
(now  X) then X += Y.

Shifts backward were not a reason of prime concern (essentially as
they get solved transparently); for the way DST works, it means
having a day of 25 hours, with one hour repeated twice: whichever
way these backward shifts are handled, they would still generate
spourious results and hence i felt to not act on them - but as
usual comments are welcome.

As of now, what would happen is a 02:00AM entry accounting for the
real time bin (say, 5mins, 1hr basing on the sql_history config)
plus the full extra hour. The tricky alternative would be to bring
the clock back and having the time-bins between 01:00AM to 02:00AM 
polluted with double data. Caveat for this approach being: it would
not work whenever sql_dont_try_update is enabled - as it would just
generate lots of duplicates.

I've lab-tested the shifts forward working (for me); any additional
testing from you is more than welcome. 

Cheers,
Paolo


On Mon, Aug 03, 2009 at 10:12:30AM +0300, alex wrote:
   Hello Paolo,
   Could you please tell about current state of this question.
 
   Alex
 
 On 04/19/2009 01:00:48 PM, Paolo Lucente wrote:
 Hi Alex,
 
 DST is not supported. Timezones are. The idea behind this was that a
 backend application (like pmacct is) should ideally work only with UTC
 (even if timezones are supported) and then front-ends should localize
 the time as required.
 
 I don't understand where the conversion to local time is happening
 regarding this problem, but what makes sense to me is to collect
 timestamps in UTC, store them in UTC when storing them in a database,
 and let whatever's pulling the data out of the db present the data
 to the user in whatever fashion makes sense.  Any other approach,
 i.e. working in local time or DST, makes working across time zones
 difficult, and computing intervals (in the case of DST) impossible.
 (Because when you look at a time during the hour when DST moves
 the clock back you don't know which hour you are in.)
 
 As, it seems, timezones are supported, then those that want
 to struggle with an approach other than the above can already
 do so because timezones account for DST.  I don't know what
 it means to support timezones and not support DST so don't
 know what DST support would mean.  I would think that
 all the support for timezones, DST, and the like is already
 in the localization facilities supplied by the OS and
 that's where it should stay.
 
 Karl k...@meme.com
 
 ---
 ??? ?? ??? - http://pogoda.tut.by

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] pmacctd commands to match cisco ip flow-cache timeout

[Paolo Lucente]

Hi Stig,

That is correct. Align all other available timeouts (tcp, udp and icmp
other than the general one which you already mentioned) to the inactive
value. Active timeout goes definitely mapped to maxlife instead.

Cheers,
Paolo


On Wed, Aug 19, 2009 at 07:59:45PM -0700, Stig Thormodsrud wrote:
 I'm using pmacctd to export netflow v5 and am experimenting with a netflow
 collector that suggests the following cisco flow timeout values:
 
 ip flow-cache timeout active 1
 ip flow-cache timeout inactive 15
 
 I'm trying to figure out which nfprobe_timeout vars are the equivalent.
 Would it be:
 
 nfprobe_timeouts: maxlife=60:general=15
 
 
 thanks,
 
 stig


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] segv with memory,sfprobe plugins

[Paolo Lucente]

Hi Stig,

thanks very much for having reported the issue. This is now solved
in the CVS. I managed to reproduce it.

It was lying in the fact that initialization of the sfprobe plugin
was explicitely disabling the IP fragment handler in pmacctd; this
was causing the IMT plugin, configured with L4 primitives (src_port
for example), to crash because it expects the IP fragment handler
to be there.

The one-liner fix basically avoids sfprobe to turn the IP fragment
handler off in case it was previously turned on (hence you see the
position of the plugins was relevant) as part of operations of a
concurrent plugin.

Cheers,
Paolo


On Mon, Aug 17, 2009 at 08:27:51PM -0700, Stig Thormodsrud wrote:
 I'm getting a segv fault when using the following conf file:
 
 s...@io:~/git/pmacct-0.11.4/src$ cat pm.conf 
 daemonize: false
 debug: true
 promisc: true
 pidfile:   /var/run/pmacctd-eth0.pid
 imt_path:  /tmp/pmacctd-eth0.pipe
 aggregate: src_host,dst_host,proto,src_port,dst_port,tos,flows
 interface: eth0
 !syslog: daemon
 pcap_filter: !ether src 00:15:17:0b:d2:16
 plugins: memory,sfprobe
 sfprobe_agentsubid: 5
 sfprobe_receiver: 172.16.117.25:6343
 
 s...@io:~/git/pmacct-0.11.4/src$ sudo ./pmacctd -f pm.conf 
 INFO ( default/memory ): 131070 bytes are available to address shared
 memory segment; buffer size is 132 bytes.
 INFO ( default/memory ): Trying to allocate a shared memory segment of
 4325244 bytes.
 INFO ( default/sfprobe ): Pipe size obtained: 131070 / 49348.
 OK ( default/core ): link type is: 1
 DEBUG ( default/sfprobe ): Creating sFlow agent.
 INFO ( default/sfprobe ): Exporting flows to [172.16.117.25]:6343
 INFO ( default/sfprobe ): Sampling at: 1/1
 DEBUG ( default/memory ): allocating a new memory segment.
 DEBUG ( default/memory ): allocating a new memory segment.
 OK ( default/memory ): waiting for data on: '/tmp/pmacctd-eth0.pipe'
 DEBUG ( default/memory ): Selecting bucket 16151.
 Segmentation fault
 
 
 In gdb it stops at:
 
 (gdb) run -f pm.conf
 Starting program: /home/stig/git/pmacct-0.11.4/src/pmacctd -f pm.conf
 [Thread debugging using libthread_db enabled]
 INFO ( default/memory ): 131070 bytes are available to address shared
 memory segment; buffer size is 132 bytes.
 INFO ( default/memory ): Trying to allocate a shared memory segment of
 4325244 bytes.
 INFO ( default/sfprobe ): Pipe size obtained: 131070 / 49348.
 DEBUG ( default/memory ): allocating a new memory segment.
 DEBUG ( default/sfprobe ): Creating sFlow agent.
 INFO ( default/sfprobe ): Exporting flows to [172.16.117.25]:6343
 INFO ( default/sfprobe ): Sampling at: 1/1
 DEBUG ( default/memory ): allocating a new memory segment.
 OK ( default/memory ): waiting for data on: '/tmp/collect.pipe'
 OK ( default/core ): link type is: 1
 [New Thread 0xb788fa90 (LWP 23213)]
 
 Program received signal SIGSEGV, Segmentation fault.
 [Switching to Thread 0xb788fa90 (LWP 23213)]
 0x080649f3 in src_port_handler (chptr=0x80c3ce0, pptrs=0xbf90dca8,
 data=0xbf90dc6c) at pkt_handlers.c:353
 (gdb) 
 (gdb) where
 #0  0x080649f3 in src_port_handler (chptr=0x80c3ce0, pptrs=0xbf90dca8,
 data=0xbf90dc6c) at pkt_handlers.c:353
 #1  0x0805d218 in exec_plugins (pptrs=0xbf90dca8) at plugin_hooks.c:219
 #2  0x08059b72 in pcap_cb (user=0xbf90de8c \031\, pkthdr=0xbf90dd88,
 buf=0x883d1ba ) at pmacctd.c:665
 #3  0xb7ebbd45 in ?? () from /usr/lib/libpcap.so.0.8
 #4  0xbf90de8c in ?? ()
 #5  0xbf90dd88 in ?? ()
 #6  0x0883d1ba in ?? ()
 #7  0x0020 in ?? ()
 #8  0xbf90dd74 in ?? ()
 #9  0xbf90dd98 in ?? ()
 #10 0x in ?? ()
 (gdb) 
 (gdb) p *pptrs
 $1 = {pkthdr = 0xbf90dd88, f_agent = 0xb7e52219 SMP, f_header = 0x0,
 f_data = 0x1 Address 0x1 out of bounds, f_tpl = 0x0, f_status = 0x1
 Address 0x1 out of bounds, idtable = 0x0, bpas_table = 0x756e694c
 Address 0x756e694c out of bounds, bta_table = 0xbf90e09c \220\223,
 packet_ptr = 0x883d1ba , mac_ptr = 0x883d1ba , l3_proto = 2048,
 l3_handler = 0x8059c77 ip_handler, l4_proto = 6, tag = 0, bpas = 0, bta
 = 0, bgp_src = 0xb78900f0 \003\210\020ii\r, bgp_dst = 0x1 Address 0x1
 out of bounds, bgp_peer = 0x1 Address 0x1 out of bounds, pf = 0,
 new_flow = 0 '\0', tcp_flags = 0 '\0', vlan_ptr = 0x0, mpls_ptr = 0x0,
 iph_ptr = 0x883d1c8 E, tlh_ptr = 0x29370 Address 0x29370 out of
 bounds, payload_ptr = 0x0, class = 0, cst = {tentatives = 20 '\024',
 stamp = {tv_sec = 0, tv_usec = 0}, ba = 3213942184, pa = 25312, fa = 240
 ''}, shadow = 0 '\0', tag_dist = 1 '\001'}
 (gdb) 
 
 void src_port_handler(struct channels_list_entry *chptr, struct
 packet_ptrs *pptrs, char **data)
 {
   struct pkt_data *pdata = (struct pkt_data *) *data;
 
   if (pptrs-l4_proto == IPPROTO_UDP || pptrs-l4_proto == IPPROTO_TCP)
 pdata-primitives.src_port = ntohs(((struct my_tlhdr *)
 pptrs-tlh_ptr)-src_port);
   else pdata-primitives.src_port = 0;
 }
 
 
 Seems like the problem is dereferencing pptrs-tlh_ptr in
 src_port_handler().  If I reverse the plugins to sfprobe,memory or
 remove the memory plugin, the it works.   Could the 

Re: [pmacct-discussion] Bug in pmacct-0.12.0rc1?

[Paolo Lucente]

Hi Johannes,

To get more verbosity you have to disable the sql_multi_values feature;
that's what causing the rather compact and un-helpful output. Would that
be an option for you? Also, was wondering: any chance the 0.0.0.0 bit
bucket entry is collecting  4GB traffic in 5 minutes time? In such a
case, the solution is to go with 64-bit counters. Let me know.

Cheers,
Paolo

PS: very verbose outputs are very much welcome but go in private email
(perhaps compressed) :-)


On Thu, Aug 06, 2009 at 07:33:57PM +0200, Johannes Formann wrote:
 Paolo Lucente pa...@pmacct.net wrote:
 
 Hi Paolo,
 
  If it's not something in this sense, i would ask you to turn
  on debugging on one of the two plugins (debug[inbound]: true
  for example) and check what SQL queries are causing such
  duplication. If it's not too much sensible data, you can
  let me have a look aswell at the debug log by sending it
  privately.
 
 I'd turn up debug, ca I make ist more verbose, I'll think this is not so 
 helping:
 
 Aug  6 17:21:53 traffic pmacctd[19363]: INFO ( default/core ): Start logging 
 ...
 Aug  6 17:21:53 traffic pmacctd[19363]: INFO ( inbound/mysql ): Pipe size 
 obtained: 110592 / 4000.
 Aug  6 17:21:53 traffic pmacctd[19365]: DEBUG ( /etc/pmacct/networks ): 
 (networks table IPv4) AS: 0, net: 5426, mask: 
 Aug  6 17:21:53 traffic pmacctd[19365]: DEBUG ( /etc/pmacct/networks ): 
 (networks table IPv4) AS: 0, net: c32a7200, mask: ff00
 Aug  6 17:21:53 traffic pmacctd[19365]: DEBUG ( /etc/pmacct/networks ): 
 (networks table IPv4) AS: 0, net: c32a7300, mask: ff00
 Aug  6 17:21:53 traffic pmacctd[19365]: DEBUG ( /etc/pmacct/networks ): IPv4 
 Networks Cache successfully created: 1 entries.
 Aug  6 17:21:53 traffic pmacctd[19365]: DEBUG ( /etc/pmacct/networks ): 
 (networks table IPv6) AS: 0, net: 0:0:0:0, mask: 0:0:0:0
 Aug  6 17:21:53 traffic pmacctd[19365]: DEBUG ( /etc/pmacct/networks ): IPv6 
 Networks Cache successfully created: 32771 entries.
 Aug  6 17:21:53 traffic pmacctd[19363]: OK ( default/core ): link type is: 1
 Aug  6 17:25:06 traffic pmacctd[19372]: ( inbound/mysql ) *** Purging cache - 
 START ***
 Aug  6 17:25:06 traffic pmacctd[19372]: DEBUG ( inbound/mysql ): 1933 VALUES 
 statements sent to the MySQL server.
 Aug  6 17:25:06 traffic pmacctd[19372]: ( inbound/mysql ) *** Purging cache - 
 END (QN: 1934, ET: 0) ***
 Aug  6 17:30:06 traffic pmacctd[19800]: ( inbound/mysql ) *** Purging cache - 
 START ***
 Aug  6 17:30:06 traffic pmacctd[19800]: DEBUG ( inbound/mysql ): 1976 VALUES 
 statements sent to the MySQL server.
 Aug  6 17:30:06 traffic pmacctd[19800]: ERROR ( inbound/mysql ): Duplicate 
 entry '2009-08-06 17:25:00-0.0.0.0' for key 1#012
 Aug  6 17:30:06 traffic pmacctd[19800]: ( inbound/mysql ) *** Purging cache - 
 END (QN: 1977, ET: 0) ***
 Aug  6 17:30:11 traffic pmacctd[19801]: ERROR ( outbound/mysql ): Duplicate 
 entry '2009-08-06 17:25:00-0.0.0.0' for key 1#012
 
 
 greetings
 
 Johannes

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] Bug in pmacct-0.12.0rc1?

[Paolo Lucente]

Hi Johannes,

The only idea coming to the mind is that two pmacctd instances
(each with two plugins) are fired up in parallel and trying to
write to the same MySQL tables. 

If it's not something in this sense, i would ask you to turn
on debugging on one of the two plugins (debug[inbound]: true
for example) and check what SQL queries are causing such
duplication. If it's not too much sensible data, you can
let me have a look aswell at the debug log by sending it
privately.

I assume this an upgrade of a working installation?

Let me know.

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] timestamp rounding bug

[Paolo Lucente]

On Tue, Aug 04, 2009 at 09:18:22PM -0500, Karl O. Pinc wrote:
 On 08/04/2009 04:35:31 AM, Chris Wilson wrote:
 
  Is any real-world system set to UTC? I'm certainly not going to run 
  my
  
  firewall (where I run pmacct currently) on UTC. All my logs would be 
  screwed up and much harder to interpret.
 
 Setting the system clock to UTC is traditional in Unix, AFAIK.
 The obvious reason being that it makes it easy to compare
 times across systems.  It's up to the logging application 
 to decide whether to output UTC, localtime without time 
 zones, localtime with time zones etc.  Likewise other
 programs that produce times for human consumption.
 
 The Internet (e.g. rfc2822 and, iirc, rfc5424) tends
 to solve the human consumption problem by logging in localtime but
 including an offset from utc in the timestamp.

Chiming briefly into this to add to the thread that is common to
have systems set on UTC even in large networks that span across
multiple timezones and having local times wouldn't help the NOC
at all (given that pretty much all works on UTC, ie. maintenance
announcements). 

Cheers,
Paolo


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] multiple interfaces uni-directional flows

[Paolo Lucente]

Hi Stig,

Very briefly to confirm: a) you are correct, libpcap captures
both inbound and outbound traffic and b) the workaround you
have put in place not only makes sense but is also by far the
most efficient way to filter traffic out of pmacctd.

Cheers,
Paolo


On Tue, Aug 04, 2009 at 10:39:00AM -0700, Stig Thormodsrud wrote:
 I notice with multiple interfaces that I get duplicate flows.  If I recall
 correctly a cisco router does netflow only on input while it seems pcap
 captures both inbound  outbound packets.  My work around to filter out
 the output flows was to use a pcap_filter such as:
 
 !
 daemonize: true
 promisc:   false
 pidfile:   /var/run/pmacctd-eth0.pid
 imt_path:  /tmp/pmacctd-eth0.pipe
 plugins: nfprobe, memory
 aggregate: src_host,dst_host,src_port,dst_port,proto,tos,flows,tag
 interface: eth0
 syslog: daemon
 ! filter out packets with the mac address of eth0
 pcap_filter: !ether src 00:0c:29:8c:53:7c
 nfprobe_receiver: 172.16.117.25:2100
 nfprobe_version: 5
 nfprobe_engine: 1:2
 post_tag: 2
 
 
 Is this the approach others are using with multiple interfaces or is there
 a better way?
 
 Thanks,
 
 stig


___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Re: [pmacct-discussion] dynamic sql tables not created

[Paolo Lucente]

Hi Christian,

I'm not sure how a change to the frontend can influence that
way the backend. Two things to check: 'sql_history' is in use
(as it generates the timestamp used at a later stage to work
out the name of the dynamic table) and sql_table_schema file
is readable.

Moreover, something related to dynamic SQL tables was fixed in
just released 0.12.0rc1 version - and it's been in the CVS for
quite a while. If you are not using either of these versions,
another chance is to upgrade and see if this solves the issue.

Otherwise we may have to dig deeper into it. Let me know.

Cheers,
Paolo


On Mon, Aug 03, 2009 at 11:51:13AM +0200, christian wrote:
 
 hello world,
 
 since i have changed my 'frontend' to slack64 on a e5520, pmacctd doesn't 
 create weekly tables any more on my 'backend' server.
 
 it seems it doesn't even try..
 
 when i create them manually, they get populated.
 
 a typical sunday/monday switch looks like this:
 
 __cut__
 Aug  3 00:00:04 ns pmacctd[7614]: ERROR ( default/mysql ): PRIMARY 'mysql' 
 backend trouble.
 Aug  3 00:00:04 ns pmacctd[7614]: ERROR ( default/mysql ): The SQL server 
 says: Table 'pmacct.acct_ppp0_200931' doesn't exist
 __cut__
 
 no other error messages.
 
 i definitely *can* create these tables when doing `mysql` on the same 
 machine as user pmacct (just tested)...
 
 what am i possibly doing wrong, and how could i find or fix it?
 
 
 thanks for reading!
 
 regards,
 christian



___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists