Hello, I did port mirroring on our core switch with tagged vlans. The whole traffic is mirrored on one port and it is analysed by the snort ids. However I would like to have traffic accounting based on src_host and dst_host.
Here are the stats from the core router for the chosen IP:

  TX: 39.5MB RX: 860KB

and here are the ones from pmacctd:

  $ ./pmacct -c src_host -N 192.168.X.Y ; ./pmacct -c dst_host -N 192.168.X.Y
  886350 4630116

As you can see, there is a huge difference between the TX data count from the core router and the box running pmacct. The pmacctd daemon was started with the following parameters:

  # pmacctd -D -c src_host,dst_host -i eth1 vlan

pmacctd does not do any accounting if it is run without the filter (vlan ). tcpdump behaves the same way. It does not intercept any traffic if there is no 'vlan' string (example: tcpdump -i ethX -n vlan and '....' ).

Box:
  Linux booboo 2.4.30-ow1
  libpcap version 0.8.3

Ideas?
