Hello Piotr,

On Wed, Jun 15, 2005 at 07:11:43PM +0200, Piotr Szlenk wrote:

> I did port mirroring on our core switch with tagged vlans. The whole
> traffic is mirrored on one port and it is analysed by the snort ids.
> However I would like to have traffic accounting based on src_host and
> dst_host.
>
> Here are the stats from the core router for the chosen IP:
> TX: 39.5MB
> RX: 860KB
>
> and here are from the pmacctd:
> $ ./pmacct -c src_host -N 192.168.X.Y ; ./pmacct -c dst_host -N 192.168.X.Y
> 886350
> 4630116
>
> As you can see there is a huge difference between TX data count from
> core router and pmacct running box.
>
> pmacctd daemon was started with following parameters:
> # pmacctd -D -c src_host,dst_host -i eth1 vlan

Try generating just a little traffic toward the monitored host and compare how pmacctd and some other tool (tcpdump, ethereal, ...) behave. Do they behave the same way? This might give an idea on where the problem is.

What do you mean when you say 'the whole traffic is mirrored'? Can you supply a trivial ASCII scheme representing the mirror configuration on a port basis? I mean, mirroring both inbound and outbound traffic for each port of the switch would produce plenty of duplicates somewhere.

> pmacctd does not do any accounting if it was run without filter (vlan ).
> tcpdump behaves the same way. It does not intercept any traffic if there
> was not 'vlan' string (example: tcpdump -i ethX -n vlan and '....' ).

The BPF filter needs to be instructed whether it has to expect tagged or untagged packets. This is because when a BPF filter is applied and packets are 802.1Q-tagged, the 'vlan' keyword is mandatory.

Cheers,
Paolo
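To illustrate the two points above (per-host byte accounting, and why a capture filter that does not expect 802.1Q tags matches nothing on a tagged mirror port), here is an added example that is not part of this thread or of pmacct itself. It builds a few constructed tagged frames, then runs a toy src_host/dst_host counter over them with and without VLAN awareness; the frame builder, addresses and sizes are all assumptions for the demo.

```python
import socket
import struct
from collections import Counter

ETH_P_IP = 0x0800     # IPv4 ethertype
ETH_P_8021Q = 0x8100  # 802.1Q tag, sits where a plain filter expects the IP ethertype

def build_frame(src_ip, dst_ip, payload_len, vlan_id=None):
    """Constructed minimal Ethernet/IPv4 frame (sample data, not a real capture)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"   # dst MAC, src MAC
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)     # TPID + TCI
    eth += struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + b"\x00" * payload_len

def ip_offset(frame, expect_vlan):
    """Offset of the IPv4 header, or None if the frame does not match the filter.
    Mirrors BPF: without 'vlan' the filter reads the ethertype at offset 12, finds
    0x8100 instead of 0x0800, and therefore never matches a tagged frame."""
    etype = struct.unpack_from("!H", frame, 12)[0]
    if expect_vlan:
        if etype != ETH_P_8021Q:
            return None
        etype = struct.unpack_from("!H", frame, 16)[0]  # ethertype after the 4-byte tag
        off = 18
    else:
        off = 14
    return off if etype == ETH_P_IP else None

def account(frames, expect_vlan):
    """Byte counters keyed by src_host and dst_host, like pmacct -c src_host,dst_host."""
    src, dst = Counter(), Counter()
    for frame in frames:
        off = ip_offset(frame, expect_vlan)
        if off is None:
            continue                      # unmatched frame: dropped, just as BPF would
        s = socket.inet_ntoa(frame[off + 12:off + 16])
        d = socket.inet_ntoa(frame[off + 16:off + 20])
        src[s] += len(frame)
        dst[d] += len(frame)
    return src, dst

# Constructed traffic on VLAN 10: two small frames out of the host, one large frame in.
FRAMES = [
    build_frame("192.168.1.10", "10.0.0.1", 100, vlan_id=10),
    build_frame("10.0.0.1", "192.168.1.10", 1000, vlan_id=10),
    build_frame("192.168.1.10", "10.0.0.1", 100, vlan_id=10),
]

if __name__ == "__main__":
    print("with 'vlan':   ", account(FRAMES, expect_vlan=True))
    print("without 'vlan':", account(FRAMES, expect_vlan=False))
```

Without VLAN awareness both counters stay empty, which is the "no accounting at all" symptom described in the quoted message; with it, the src_host and dst_host totals for 192.168.1.10 differ exactly as TX and RX bytes should.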
