Hello Dave,
can you tell me on which version did you notice this behaviour ? Which OS
are you running pmacct ? Did you notice any specific relation between the
caught and missed traffic ? For example you are missing just incoming traffic,
etc. Said this all, I've never caught in such a behaviour
Hello Dave,
with the details in my hands, i've actually no idea. Can you do some simple
file transfer of some rather large file and check counters after it has
completed ? This should point out what counter increases the correct way.
A 40-50Mb transfer should suffice. One note: because the
Hello guys,
i'm about to release the first paper about pmacct. It will be linked
on the pmacct homepage in next couple of days (very final refinements
in act), though i'm actually not considering its publication.
If anyone wishes to give it a look, any comment, suggestion, idea and
correction is
VERSION.
0.8.2
DESCRIPTION.
pmacct is a small set of tools to account and aggregate IPv4 and IPv6
traffic; aggregation revolves around the key concept of primitives (VLAN
id, source and destination MAC addresses, hosts, networks, AS numbers,
ports, IP protocol and ToS/DSCP field are supported)
Hello Tobias,
On Mon, Mar 21, 2005 at 11:59:28AM +0100, Tobias Bengtsson wrote:
I don't use any sql right now,
Wops. I was assuming so :) The memory case, yes, some tweakings are
needed:
1) imt_plugin.h - struct acc definition - bytes_counter should be
modified to 'u_int64_t'.
2)
Hello Steve,
On Tue, Mar 29, 2005 at 05:29:03PM +0100, Steve Wright wrote:
Running pmacct-0.8.2, nfacctd to MySQL my ip_proto field I see a large GRE
(ESP) flow [1] being reported as ipv6-c in the table.
[1] sh ip cache flow displays:
Gi0/0 xxx.xxx.xxx.209 Gi0/1
Hello Bruno,
i've been able to verify the issue you've signalled taking the bare
'ports.lst.example'. It's an ugly bug that makes pmacct not deal very
much with comments (the one on the second line, for example) only in
the 'ports' file. Just deleting the second line makes it work without
VERSION.
0.8.6
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to measure,
account and aggregate IPv4 and IPv6 traffic; aggregation revolves around
the key concept of primitives (VLAN id, source and destination MAC
addresses, hosts, networks, ports, AS numbers, IP
Hey Andre,
On Mon, May 23, 2005 at 02:53:45PM +0200, Andre Berger wrote:
I also added -I/usr/local/include/openssl to CFLAGS manually, with
no better result.
To my eyes it seems a linking problem not an header inclusion one.
Try adding to the CFLAGS a '-lssl -L/usr/local/lib' (here i'm just
VERSION.
20050531
DESCRIPTION.
pmacct is a set of network tools to gather, filter and tag IP traffic;
it is able to store collected data either into a DB or a memory table.
We see any monitoring, billing or accounting environment as a stack
where data are picked from the network, get processed
Hey Daniel,
On Mon, Jun 13, 2005 at 12:25:43AM +0200, Daniel Streicher wrote:
I am using source tarball, should I try to use the .deb package?
I don't think things could change. However, about the access to the
box. Let me know the answer. I should be able to have access to a
Fedora 3 Opteron
Hello Daniel,
On Mon, Jun 13, 2005 at 05:38:50PM +0200, Daniel Streicher wrote:
Ok there seems to be one small error in nfacctd:
nfacctd logging MAC Addresses always as
SRC MAC DST MAC
00:00:00:00:00:00 00:00:00:00:00:00.
pmacctd logging MAC Addresses always as
SRC MAC
Hello Chris,
On Mon, Aug 08, 2005 at 05:27:10PM -0700, Chris Timmons wrote:
# pmacctd -f pmacct.conf
WARN ( pmacct.conf ): ignoring unknown aggregation method: src_mac.
I'm unable to verify this behaviour over a freshly compiled 0.9.0; do you
think there is any chance that you have configured
On Sat, Aug 13, 2005 at 02:14:00AM +1000, Jamie Wilkinson wrote:
Ok. Does this mean that unless the config options 'sql_history' and
'sql_history_roundoff' exist, then pmacctd will not write time stamps to the
database?
yes.
I've done so, but I've also added these two config options back
Hello Jamie,
On Tue, Aug 16, 2005 at 05:07:33PM +1000, Jamie Wilkinson wrote:
Actually, I'm still not clear: the FAQ suggests that only sql_history is
required, though sql_history_roundoff is advised. Is that true?
True. sql_history writes the stamp fields; sql_history_roundoff enables the
VERSION.
0.9.1
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to measure,
account and aggregate IPv4 and IPv6 traffic; aggregation revolves around
the key concept of primitives (VLAN id, source and destination MAC
addresses, hosts, networks, ports, AS numbers, IP protocol
Hey Jamie,
On Thu, Aug 18, 2005 at 01:03:09PM +1000, Jamie Wilkinson wrote:
pidfile: /var/run/pmacctd.test.pid
debug: true
aggregate: src_host,dst_host
networks_file: /etc/pmacct/networks
pcap_filter: vlan and ( net 202.4.224.0/20 or net 203.98.86/24 ) and not
((src net 202.4.224.0/20 or
Hello Christian,
first of all, thank you for giving a try to pmacct. Secondly, pmacct does
not do any 95th percentile itself but, as the ChangeLog mentions, it eases
its computation. The ChangeLog speaks about the 'sql_history' directive
and applies to the SQL plugins. So, let's start with this
Hello Ilya,
my first hint is to remove the 'sql_host: localhost' line; it avoids the
connection through the usual '/tmp/mysql.sock' pipe file and makes pmacct
to establish the TCP connection to 'localhost:3306'. If you really need
this, try rewriting it as 'sql_host: 127.0.0.1'.
Next, check that
Hello Nitzan,
On Mon, Dec 05, 2005 at 07:51:46PM +0200, Nitzan Tzelniker wrote:
1. flow-nfilter has configuration file where you define filter
primitive and filter definition and then in flow-report you only call
the filter definition and don't need to specify the all filter over
and over.
VERSION.
0.9.5
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to measure,
account and aggregate IPv4 and IPv6 traffic; aggregation revolves around
the key concept of primitives (VLAN id, source and destination MAC
addresses, hosts, networks, ports, AS numbers, IP
Hey Inge,
let me thank you for your very detailed email about the AS numbers MySQL issue
which has allowed me to quickly work on the code.
There isn't any specific reason behind the choice of unquoted AS numbers; it is
definitely the right behaviour for PostgreSQL in typed data mode but wrong
Hey Ilya,
On Mon, Dec 12, 2005 at 07:55:42PM +0300, Molokanov Ilya wrote:
Database changed
mysql> show tables;
+---+
| Tables_in_nfacctd |
+---+
| nfacctd |
+---+
1 row in set (0.00 sec)
[ ... ]
sql_table: acct
What i did
Hi Simone,
check that everything works correctly by trying to connect to the
remote MySQL server via the mysql client tool:
shell> mysql -u pmacct -h 192.168.11.14 -p
Are you able to connect to the server ? This should clear whether
there is any connection filtering or permission-related
Hello David,
i've tested your configuration against a MySQL 4.1 server and it seems
to work just fine to my eyes. The password you specified is 'pmacct'
which is not the default one - 'arealsmartpwd'. The SQL table creation
script uses such password by default.
Did you change it in the script
Hello Inge,
aggregate_filter can match any packet/flow primitives with the exception of
IDs. This task is accomplished by pre_tag_filter . I'm just figuring out that
there aren't examples for such directive around. However, its use is pretty
simple:
pre_tag_filter: IDx [, IDy] [, IDz]
Cheers,
VERSION.
0.10.0rc1
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to measure, account,
classify and aggregate IPv4 and IPv6 traffic; a pluggable and flexible
architecture allows to store the collected traffic data into memory tables
or SQL (MySQL, SQLite, PostgreSQL)
Hello Ivan,
On Mon, Feb 06, 2006 at 05:01:44PM +, Ivan A. Beveridge wrote:
This is my current logfile:
=
daemonize: true
pidfile: /var/run/sfacctd.pid
sfacctd_port: 6500
sfacctd_ip: 127.0.0.1
plugins: memory[fdrypeer]
aggregate[fdrypeer]: src_mac,
Hello Ivan (and all),
i've just made available for download a fresh tarball (as usual, it
is a pre-release so pretty no updates to the documentation and, if
you decide to give it a try, upgrade as soon as the final release
is out):
Hey Ivan,
On Sat, Feb 11, 2006 at 11:19:39AM +, Ivan A. Beveridge wrote:
Can I do this by creating a corefile as well (and then do a backtrace on
the corefile)? This is what I've done before, but those programs/daemons
didn't have separately-running 'modules' (like the memory module).
Hello Ivan,
On Mon, Feb 13, 2006 at 02:01:40PM +, Ivan A. Beveridge wrote:
Hrmph - that was useless. Any reason why I'd not be seeing anything
useful in the trace? I thought it only looked like that if the binary
was stripped :( I compiled with '-g':
Fully agree with you. I've just got a
Hello Prakash,
can i ask you to verify that flow-send is actually filling the src_as/dst_as
fields of the NetFlow packets ? If this is the case, can you please send me
privately a chunk of your savefile as i can replay it and investigate the
trouble ?
However, I see in your configuration you use
Hey Ivan and Prakash,
On Wed, Mar 01, 2006 at 11:02:34AM +, Ivan A. Beveridge wrote:
To the best of my knowledge (I'm pretty certain) netflow is layer3+ so
will never show layer2 (eg MAC addresses). MAC addresses are shown in
sflow (picked up by sfacctd), and probably also picked up by
Hey Jamie,
thank you very much for the patch, it makes sense to me. And i've just committed
it in mainstream code. However, taking apart the concurrent access, do we have a
way to measure the speed of things ? I suspect EXPLAIN is not our friend here
(ie. to measure speed of transactions rather
Hey Ivan,
On Fri, Mar 10, 2006 at 02:23:42AM +, Ivan A. Beveridge wrote:
I try the -D in either place and it makes no difference (as expected):
/usr/local/sbin/sfacctd -f /path/to/config/file -D
/usr/local/sbin/sfacctd -D -f /path/to/config/file
This is bizarre ... I could have sworn
Hey Jamie,
that's a good news ! Thank you for the great work.
Cheers,
Paolo
Hey Sven,
digging through the SQL scripts i've just noticed something bad: primary
keys of default PostgreSQL tables v2-v5 are just missing the 'vlan' field
(while it correctly appears in equivalent MySQL/SQLite 3.x schemas).
This may explain the slowness. To verify this, can you please modify the
Hi Ben,
so, port refers to TCP/UDP port. Ok. About the tutorial per-se, graphing
port data rather than network data requires a) intercepting occurrences of
src|dst_net in the document and b) replacing them with src|dst_port.
Now, if you need just a per-port breakdown it's feasible: generating
Hi Peter,
i was wondering whether it's something related with VLANs and the
aggregate_filter directives: traffic seen on tunnel0 is tagged
(and doesn't match the filter -- pcap filter need to match the
vlan layer, ie. vlan and src net ...) while the one on the eth0
isn't (thus, matching it). Do
Hey Sven,
On Fri, Apr 28, 2006 at 02:31:43PM +0200, Sven Anderson wrote:
it seems to be known, that a default MySQL performs a lot better than a
default PostgreSQL. One difference is, that PostgreSQL is doing an COMMIT
Not to open a possible flame, but i fully agree with this view. However,
Hi Sven,
On Wed, May 03, 2006 at 10:51:08AM +0200, Sven Anderson wrote:
But to make sure, that no packets are counted in the wrong bin, the memory
table has to be locked as long as the port list is processed. Otherwise
packets that arrive during processing with, for example, port 80, would
Ciao Sven,
On Wed, May 03, 2006 at 06:55:16PM +0200, Sven Anderson wrote:
Ok, I'm a little bit confused now, so let me resume: There IS a locking,
but only if the -r flag is used. So this race condition cannot appear in
that case. When I'm using -r I don't have to worry, that port 80 packets
Hi Cedric,
On Wed, May 10, 2006 at 10:26:36AM +0200, Cédric Delaunay wrote:
First : which machine should I use ?
I want collect about 9000 flows per minute. (this is a campus network). It
should be nice if I could collect, store data in a sql database and create
graphs on the same computer.
Hey Cedric,
On Fri, May 12, 2006 at 12:19:44PM +0200, Cédric Delaunay wrote:
aggregate[in]: src_host,dst_host
aggregate[out]: src_host,dst_host
I would correct the above few lines in:
aggregate[in]: dst_host
aggregate[out]: src_host
This is very likely to stop the error message you are
Hey Peter,
On Thu, May 11, 2006 at 09:13:09AM +0300, Peter Nixon wrote:
I would love to see an SNMP agent however so that the in memory tables could
be queried remotely via SNMP. This would allow trivial integration with any
number of SNMP graphing tools :-)
That's a good point. Seems like
Hi Cedric,
On Tue, May 16, 2006 at 02:37:46PM +0200, Cédric Delaunay wrote:
I tried a few solutions and understood that I have to use mysql plugin.
I would generalize and say SQL plugin. The winning solution should be
better evaluated after getting preliminary results (ie. on the field).
VERSION.
0.10.2
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to measure,
account, classify and aggregate IPv4 and IPv6 traffic; a pluggable and
flexible architecture allows to store the collected traffic data into
memory tables or SQL (MySQL, SQLite, PostgreSQL)
Hi Antonin,
On Wed, May 17, 2006 at 05:29:07PM +0200, Antonin Kral wrote:
I want to use ipacct for part of our university network monitoring. Is
there any option / way how to get clue about state, when pmacct drops
any packets? Basically I need some way to get information, that system is
Hi Peter,
good point (again). pmacct actually lacks of such thing. But it could
be good idea to implement it. The method will need some extra cares in
order to make things work smoothly: a) writes need to be interleaved
in order to avoid one plugin to lock out the other while racing for
the same
Hi Peter,
On Fri, May 19, 2006 at 02:38:37PM +0300, Peter Nixon wrote:
The only question that remains, is how to handle bytes? Ideally I think the
schema should be changed/extended to have an bytesin and bytesout column..
What do you think?
I think that while it would be the best ever
Hi Gregor,
let me briefly summarize your (good!) point: dealing with large networks
- where multiple sensors, dynamic routing, etc. come into play - requires
a kind of spanning-tree method to consolidate collected data.
This is a point on which i'm spending more and more thoughts recently.
While
Hi Karl,
i've never been involved with a bridged interface on my own, so some basic
hints (configuration looks ok to my eyes):
- Having an idea of what pmacct gets and what doesn't, do you see any
relevant compatible/different behaviour spawning on the same interface,
say, tcpdump ? This can
Hi Jon,
the solution lies in Pre-Tagging; then making the plugin to accept the
tags; tags will discriminate data per router; see the fragments below:
nfacctd.conf:
===
...
pre_tag_map: /path/to/pretag.map
aggregate: tag,whatever
...
===
/path/to/pretag.map:
===
id=1000 ip=Router 1
id=1001
Hi Peter,
nfacctd_allow_file and sfacctd_allow_file config directives are aimed
precisely to this. The idea behind them is the same as for hosts.allow.
They are both listed in CONFIG-KEYS.
Cheers,
Paolo
___
pmacct-discussion mailing list
Hi Melitta,
it may depend on the content of the networks.def file. Did you forget
to insert any network in your networks_file ? When either src|sum|dst_net
primitives, if pmacct is unable to determine to which defined network
the actual src|dst host belongs to, then zeroes it. Zeroed addresses
are
Hi Ivan and Peter,
while the idea of integrating a kind of sFlow/NetFlow probe has been
already considered (i remember some thoughts recently exchanged with
Sven Anderson about this), i'm somewhat not fully convinced.
In a first instance it will take time as it's absolutely not trivial;
this has
Hello Dian,
thank you very much for the WC greetings, hehe!
On Mon, Jul 10, 2006 at 11:28:57AM +0200, Dian Baltadzhiev wrote:
now, my question: is there an option, so that i can configure nfacctd to
send src and dst addresses in raw format, i mean as a decimal number and not
in dotted
Hi Jeremy,
giving a look to the ChangeLog, NetFlow v9 support has been introduced in
pmacct 0.8.0. So, you will not be able to collect such flows in earlier
versions, as 0.7.4. Try upgrading to some more fresh version, ie. 0.10.3.
It will work.
Cheers,
Paolo
Hi Gregory,
yes, you can. If using pmacctd you can use classification. Read more about
it in the EXAMPLES document; then, check out whether available classifiers
at l7-filter homepage fit for you.
Cheers,
Paolo
Hi Sven,
On Tue, Jul 18, 2006 at 04:19:45PM +0200, Sven Anderson wrote:
Paolo Lucente, 17.07.2006 22:57:
BTW.: AFAIK Netflow v9 also uses templates to define flows. What happens
so far with a template and the according data, which contain flow keys
that don't exists in the pmacct flow
Hi Gregory,
On Thu, Jul 20, 2006 at 03:16:11PM +0200, Gregory Machin wrote:
But now I need to know the source and destination ip that the, of the
packets with the applied filters ..
How do I do this ..
The usual way. If you actually have your 'aggregation' value set to
'class', then switch
VERSION.
0.11.0rc1
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
measure, account, classify, aggregate and export IPv4 and IPv6
traffic; a pluggable and flexible architecture allows to store
collected network data into memory tables or SQL (MySQL, SQLite,
PostgreSQL)
Hi Nicolas,
how are you actually capturing traffic (ie. libpcap, NetFlow v5, NetFlow v9,
sFlow, etc.) ? Posting your configuration might be of help to solve your
issue.
BTW, it seems like you have not specified relevant keys in your aggregate
configuration directive (ie. aggregate:
Hi Nicolas,
On Tue, Aug 22, 2006 at 10:01:44AM +0700, Nicolas Fournaux wrote:
aggregate: src_mac,dst_mac,src_host,dst_host,src_port,dst_port
If you use such aggregation, you have to expect many tuples in your
database for the same src_host, dst_host. To get started and keep
your database
Hi Gert,
take the virgin pmacct package. Configure it with the options you are
used to. Don't care of the --enable-debug. Once you get the Makefile
files, get through them and replace the following line:
CFLAGS = -O2
with
CFLAGS = -g
Unless you are not using gcc, it will work. Will disable
Hi Nigel,
On Wed, Aug 23, 2006 at 11:55:17AM +1200, Nigel Roberts wrote:
I changed line 379 of nfprobe_plugin.c to match the call to the same function
in ipv4_to_flowrec and it compiled ok. I'm testing it now.
thank you very much for signalling the bug. Indeed, that was the
correct solution.
Hi Simo,
if the problem is with an high volume of data, i think just switching to
PostgreSQL would not be the ideal solution. At some stage, it will sink
as well. The solution should be in handling meaningfully the data:
- you can partition data. pmacct allows you to partition data basing
over
Hi Chris,
On Wed, Oct 18, 2006 at 07:01:07PM +0100, Chris Wilson wrote:
of memory (due to Apache I think), pmacctd started spawning more threads
to write to the database. I ended up with 73 processes/threads in total,
almost all database writers.
Is this really a good idea? Wouldn't it
Hi Guys,
sorry to join this - interesting, despite Peter's exaggerations :-) - thread a
bit late, i'm having some terribly busy days. I want just to put a comment to
the following lines:
On Mon, Nov 13, 2006 at 09:57:09AM +0300, Chris Wilson wrote:
I don't think it's as hard as all that. The OS
Hi Guys,
reviewing quickly the code, seems like there is something not working properly
on the nfacctd side - while on the sfacctd everything is reported to be working
well. I'll fix that in the next release and actually please ignore it. Just to
manually double check for any packet loss, when
VERSION.
0.11.2
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
measure, account, classify, aggregate and export IPv4 and IPv6
traffic; a pluggable and flexible architecture allows to store
collected network data into memory tables or SQL (MySQL, SQLite,
PostgreSQL)
Hi Ian,
On Wed, Dec 13, 2006 at 01:43:43PM +1100, IT Officer wrote:
Just today I created another .conf file using the src/dst_net aggregate
and ran another pmacctd instance. When I display the statistics I get
data for 2 networks. One of these is 0.0.0.0. There seems to be a lot of
traffic
Hi Daniel,
Q9 in FAQS should give useful pointers in regards to your question. It
applies to all SQL database backends and all SQL table versions.
Cheers,
Paolo
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
Hi Chris,
On Tue, Dec 19, 2006 at 05:04:07PM +1100, Chris Ricks wrote:
As we use InnoDB tables anyway, I'm working on a patch to make locking
configurable for MySQL (as it currently is for PostgreSQL). Would
anyone else on the list be interested in such a patch?
It would be a nice feature to
Hi Daniel,
yes. pmacct-fe supports just PostgreSQL. And, _YES_: support for MySQL
there would be greatly appreciated! I received a good while of emails
at this propo. Let me know!
Cheers,
Paolo
Hi Valery,
On Mon, Dec 25, 2006 at 12:39:05PM +0200, Valery Kartel wrote:
[ ... ]
=== /etc/pmacct/pretag.map: (1640 lines with all UA-IX networks)
...
id=2 filter='net 82.144.192.0/19'
...
id=2 filter='net 195.144.25.0/24'
...
[ ... ]
So, some hosts are tagged, but not all
Hi Sebastian,
a couple of things come to my mind - let me know if you have any joy with them:
- Ethereal could be counting packet sizes differently compared to pmacct. pmacct
counts IPv4/6 header's length plus the payload. ie. L2 and ethernet-related
stuff are excluded. If this is the case,
Hi Inge,
thank you for reporting the problem, good spot. The fix (which is
basically what you propose) has already been committed to the CVS.
Cheers,
Paolo
On Mon, Jan 08, 2007 at 03:00:33PM +0100, Inge Bj?rnvall Arnesen wrote:
/* Need to preprocess data because packet handlers have
Hi Juraj,
that's a very good one: thanks for reporting the issue. I've
slightly refined your quick and dirty patch (which basically
was correctly doing the job but we just need to keep intact
the sa structure). The patch has been committed to the CVS
- would you check it out and let me know
Hi Michael,
On Tue, Jan 09, 2007 at 01:13:13PM +0100, Muenz, Michael wrote:
In networks.server are only ip addresses listed (/32), no
networks. My problem is, that my nfacctd writes content from
this probe to DB with port information (I aggregate only host
on probe) and also, it writes the
Hi Mirko,
if i got your ideas correctly, you might want to go with a config
similar to the following (proposed in the FAQS):
...
aggregate[inbound]: dst_host
aggregate[outbound]: src_host
aggregate_filter[inbound]: dst net 192.168.0.0/16
aggregate_filter[outbound]: src net
Hi Daniel,
MySQL plugin is trying to write to your database but it's unable to
do so. Those DB Writer processes are locked out and are patiently
queuing to get access to the SQL table.
It should mean either something external is currently locking the
table or that the plugin is unable to write
Hi Mirko,
On Wed, Feb 14, 2007 at 08:19:52PM +0100, Mirko wrote:
If i use sum_host with networks.lst containing 192.168.0.0/16, is it
right, that only traffic inside 192.168.x.x will be accounted?
For example
only inside the local network?
192.168.0.1 -- . --
Hi Daniel,
for brevity, as it has been asked before - archives and Google have the
answer. Get a look here:
http://www.mail-archive.com/pmacct-discussion@pmacct.net/msg00660.html
Cheers,
Paolo
On Sun, Mar 04, 2007 at 02:59:44AM +0100, Daniel wrote:
Hi there,
anyone know why i can see
Hi Alan,
On Fri, Mar 16, 2007 at 09:27:34AM -0700, Alan wrote:
I've run tcpdump on both hosts with the filters in it from the pmacct
settings above and the bytes that are caught by tcpdump match properly,
however the values that are written by pmacctd to the respective
databases are
Hi Andrei,
the most immediate suggestion i can give you is to tap either tcpdump
or ethereal on the eth0 and see which traffic the libpcap library is
effectively returning; also, try playing with the 'promisc' directive
(which defaults to true) - as my understanding is that you are sniffing
Hi Andrei,
can you establish any criteria for that doubled traffic, ie. what gets
doubled and what is counted once, inbound vs. outbound, etc.? Moreover,
can you have a look what happens at layer2, any change in src/dst MAC
addresses? That would help but because you told that's bridged traffic
...
Hey Inge,
That's done. The updated version which includes the patch is now in
the CVS. Would you give it a try? Version 0.11.4 should come later
this week.
Cheers,
Paolo
On Mon, Apr 23, 2007 at 04:26:41PM +0200, Inge Bj?rnvall Arnesen wrote:
As no documentation has shown that a sampling_mode
VERSION.
0.11.4
DESCRIPTION.
pmacct is a small set of passive network monitoring tools to
measure, account, classify, aggregate and export IPv4 and IPv6
traffic; a pluggable and flexible architecture allows to store
collected network data into memory tables or SQL (MySQL, SQLite,
PostgreSQL)
Hi Daniel,
Which network device are you getting the sFlow datagrams from?
Any chance i can have a look to these samples? If yes, can you
please post me privately some full-datagrams captured in
libpcap/tcpdump format?
That message is generated inside sfacctd.c source file and says
there is an
Hi Philipp,
i'm glad hearing that! I've stacked your feature request onto my todo
list - that's something definitely useful and that should not slip out
of my mind one of these days. Hope i would be able to include it in the
next release.
Cheers,
Paolo
On Sun, May 06, 2007 at 08:28:51PM +0200,
Ahoy to you, Florian!
a single instance of pmacctd can't be bound to multiple interfaces.
This is common to many of the tools based on libpcap, mainly driven
by performance reasons.
Here you have two options, depending on your requirements (btw, can
you please explain in which scenario do you
Daniel, don't know where you are getting such informations. Can you
please provide any docs supporting what you are saying? Even sFlow,
which intuitively should be the less reliable, can do the job by
playing a bit around the error:
http://www.inmon.com/pdf/sFlowBilling.pdf
NetFlow is then a
Hi,
can you please outline which network device are you exporting your NetFlow
from, which NetFlow version are you actually using and what's roughly the
rate of the exported flows (or NetFlow packets) per second?
Can you please also: a) post your configuration, if using any? b) post the
result
Hi,
by default pmacct uses 32bits packets/flows/bytes counters.
By using the --enable-64bit flag, you make such counters to
be 64bits wide. If a pmacct client is compiled with 64bits
counters, it can't read a memory table with 32bits counters
- and vice versa. Hence, it kicks out that kind of
Hi Raj,
are you getting the executable out - ie. sfacctd? I can't see
anything wrong with the output posted below.
Cheers,
Paolo
On Thu, May 24, 2007 at 08:34:10PM -0400, Murugaraj Suthandiramani wrote:
Hello all ,
Need help.
I am getting the below compilation error when i do a make on
Hi Daniel,
no, the correct information on how to parse each packet is
inferred by looking into each sFlow packet's header. So you
can have mixed sFlow streams collected into a single sfacctd
daemon. The same applies to nfacctd and NetFlow.
Cheers,
Paolo
On Tue, May 29, 2007 at 10:20:38PM +0200,
Hi Daniel,
Q5 of the FAQS document briefly outlines some very basic rules of
thumb regarding bufferization, buffer values and how they should
compare. You can have a try with the following values and eventually
scale them downwards/upwards:
plugin_buffer_size: 10240
plugin_pipe_size: 1024000
Hi Ruben,
thanks for the valuable inputs. I'm trying to reproduce the issue now, having
in mind all your tests. Will come back to you as soon as i'm able to shed any
light on that.
Cheers,
Paolo
On Thu, Jun 14, 2007 at 01:08:07PM +0200, Ruben Laban wrote:
I cheered too early. After letting my
Hi K.L.,
which method are you collecting your traffic (ie. libpcap, NetFlow,
sFlow)? I see your point and i think it could make sense collecting
NetFlow datagrams - and a similar case, ie. each aggregate is written
down to the database independently, is handled by the nfacctd_sql_log
directive.