Re: [pmacct-discussion] netflow packet size

2018-01-18 Thread Paolo Lucente

Hi Steve,

This is because the default maximum size of a NetFlow v9/IPFIX packet is
set to 512 bytes - in order to be reasonably safe wrt MTU and not enter
PMTU stuff. Currently the default value cannot be changed but adding a
config option to do so is very easy. You can check what would happen if
this were redefined to a higher value by changing this line (and
recompiling the source):

https://github.com/pmacct/pmacct/blob/master/src/nfprobe_plugin/netflow9.c#L195

Keep me posted if you find the above satisfactory and we can certainly
add the knob to modify the value via config. Also, NetFlow v5 export
should not be suffering from this and, given your 'aggregate', switching
to that could be an option too - at least, again, given your current
config.

Paolo

On Wed, Jan 17, 2018 at 09:35:39AM -0500, Stephen Clark wrote:
> Hi Paolo,
> 
> Sorry for sending previous email directly to you - pmacct version is 1.62
> 
> We had been using fprobe to capture netflow data. The packets fprobe emitted
> usually were 1464 bytes.
> 
> When we switched to using pmacct with the config below most of the packets
> are less than 500 bytes. Is there something we can configure to make the
> packets larger so there are fewer inefficiencies in transmission?
> 
> 
> 
> debug: false
> pidfile: /var/run/pmacctd.pid
> syslog: daemon
> daemonize: true
> interface: eth0
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos
> plugins: nfprobe[eth0]
> !aggregate_filter[eth0]: not host $IP
> !plugin_buffer_size: 10240
> !plugin_pipe_size: 81920
> nfprobe_receiver: 67.109.163.27:2055
> nfprobe_version: 9
> nfprobe_direction[eth0]: in
> nfprobe_ifindex[eth0]: 2
> !pre_tag_map: /etc/pmacct_netwolves/pretag.map
> !nfprobe_timeouts: expint=5:general=60:tcp=60:tcp.rst=60:tcp.fin=60:udp=60:maxlife=60
> !
> ! networks_file: /path/to/networks.lst
> ! classifiers: /path/to/classifiers/
> ! snaplen: 1500
> 
> 
> *tcpdump of packets emitted by fprobe:*
> 08:39:24.052173 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:24.062333 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.009242 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.009335 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.009442 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.009525 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.009592 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.009680 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.019814 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 08:39:29.019907 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
> 
> 
> *tcpdump of packets from pmacct:*
> 
> 08:43:22.032873 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368
> 08:43:22.046400 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.050473 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.055756 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.059596 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.063091 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.074011 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
> 08:43:22.079973 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
> 08:43:22.080027 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
> 08:43:22.080079 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
> 08:43:22.080122 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424
> 08:43:22.080236 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424
> 08:43:22.080340 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 292
> 08:43:22.084008 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
> 08:43:22.084070 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.103153 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.106394 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.109548 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.112884 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.118893 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.122268 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.125993 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
> 08:43:22.129375 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
> 08:43:22.133180 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368
> 08:43:22.137965 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.144987 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
> 08:43:22.154058 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
> 
> 
> Regards,
> Steve
> 
> -- 
> 
> "They tha
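
An added example, not part of either message in this thread: a small Python summary of tcpdump lines in the format shown above, comparing per-exporter UDP payload sizes against the 512-byte default cap and the MTU-safe payload limit. The function name `summarize`, the 1500-byte MTU and the option-less IPv4 header are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump format as the captures in this thread.
SAMPLE = """\
08:39:24.052173 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:24.062333 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:43:22.032873 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368
08:43:22.046400 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.079973 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
this line is not tcpdump output and is skipped
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): UDP, length (\d+)$")
IPV4_UDP_HEADERS = 20 + 8   # assumption: IPv4 header without options + UDP header
EXPORT_CAP = 512            # default NetFlow v9/IPFIX packet cap stated in the thread


def summarize(text, mtu=1500, cap=EXPORT_CAP):
    """Group UDP payload lengths by exporter (source ip.port) and report sizes."""
    max_payload = mtu - IPV4_UDP_HEADERS   # largest payload that avoids fragmentation
    sizes = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:                               # anything that is not a UDP line is ignored
            sizes[m.group(1)].append(int(m.group(3)))
    report = {}
    for src, lens in sizes.items():
        payload = sum(lens)
        headers = IPV4_UDP_HEADERS * len(lens)
        report[src] = {
            "packets": len(lens),
            "mean_payload": payload / len(lens),
            "max_payload": max(lens),
            "within_cap": all(n <= cap for n in lens),
            "would_fragment": sum(n > max_payload for n in lens),
            # share of IP-level bytes spent on IPv4+UDP headers
            "header_overhead_pct": round(100 * headers / (payload + headers), 2),
        }
    return report


if __name__ == "__main__":
    for exporter, stats in summarize(SAMPLE).items():
        print(exporter, stats)
```
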

[pmacct-discussion] netflow packet size

2018-01-17 Thread Stephen Clark
Hi Paolo,

Sorry for sending previous email directly to you - pmacct version is 1.62

We had been using fprobe to capture netflow data. The packets fprobe emitted
usually were 1464 bytes.

When we switched to using pmacct with the config below most of the packets
are less than 500 bytes. Is there something we can configure to make the
packets larger so there are fewer inefficiencies in transmission?



debug: false
pidfile: /var/run/pmacctd.pid
syslog: daemon
daemonize: true
interface: eth0
aggregate: src_host, dst_host, src_port, dst_port, proto, tos
plugins: nfprobe[eth0]
!aggregate_filter[eth0]: not host $IP
!plugin_buffer_size: 10240
!plugin_pipe_size: 81920
nfprobe_receiver: 67.109.163.27:2055
nfprobe_version: 9
nfprobe_direction[eth0]: in
nfprobe_ifindex[eth0]: 2
!pre_tag_map: /etc/pmacct_netwolves/pretag.map
!nfprobe_timeouts: expint=5:general=60:tcp=60:tcp.rst=60:tcp.fin=60:udp=60:maxlife=60
!
! networks_file: /path/to/networks.lst
! classifiers: /path/to/classifiers/
! snaplen: 1500


*tcpdump of packets emitted by fprobe:*
08:39:24.052173 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:24.062333 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009242 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009335 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009442 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009525 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009592 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.009680 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.019814 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464
08:39:29.019907 IP 192.169.1.5.54417 > xxx.xxx.xxx.xxx.2055: UDP, length 1464


*tcpdump of packets from pmacct:*

08:43:22.032873 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368
08:43:22.046400 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.050473 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.055756 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.059596 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.063091 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.074011 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
08:43:22.079973 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.080027 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.080079 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.080122 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424
08:43:22.080236 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 424
08:43:22.080340 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 292
08:43:22.084008 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 480
08:43:22.084070 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.103153 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.106394 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.109548 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.112884 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.118893 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.122268 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.125993 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
08:43:22.129375 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252
08:43:22.133180 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 368
08:43:22.137965 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.144987 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 140
08:43:22.154058 IP 192.169.1.5.52087 > xxx.xxx.xxx.xxx.2055: UDP, length 252


Regards,
Steve

-- 

"They that give up essential liberty to obtain temporary safety, 
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty 
decreases."  (Thomas Jefferson)

"Beer is proof God loves us and wants us to be happy!" (Ben Franklin)


