Hello,
I started to check pmacct to see if it is appropriate for our needs
(per-user IP accounting for about 100 /24). I encountered a problem
with it. I'm going to debug this problem, but since I just started
with this package, it is still difficult for me to find the exact
place to check. Any hints would be much appreciated.
The problem is: the output packet number actually contains the number
of flows, and the byte count is always 0. In addition, when using 64-bit
counters, the flows number is off (too low) by one (entries with one
flow only are not even generated).
I made the checks with the mysql plugin and then with the print plugin,
using a Netflow file converted to pcap format by "flow-export -f 1".
In order to reproduce the problem I created a small file with sample
traffic of one source IP which is sending traffic to 2 other IPs (total
of 13 entries, each one represents one flow).
Input file:
---
% flow-print -f3 < /tmp/flow-debug
srcIP dstIP prot srcPort dstPort octets packets
68.87.96.3 192.114.47.52 17 53 32769 176 1
68.87.96.3 192.114.47.52 17 53 32769 1130 6
68.87.96.3 192.114.47.52 17 53 32769 429 2
68.87.96.3 192.114.47.52 17 53 32769 254 1
68.87.96.3 192.114.47.4 17 53 32768 874 4
68.87.96.3 192.114.47.4 17 53 32768 255 1
68.87.96.3 192.114.47.52 17 53 32769 1354 7
68.87.96.3 192.114.47.4 17 53 32768 253 1
68.87.96.3 192.114.47.4 17 53 32768 231 1
68.87.96.3 192.114.47.4 17 53 32768 1110 6
68.87.96.3 192.114.47.52 17 53 32769 217 1
68.87.96.3 192.114.47.52 17 53 32769 175 1
68.87.96.3 192.114.47.4 17 53 32768 1952 19
---
Here are the results:
32-bits:
---
% flow-export -f 1 < /tmp/flow-debug | ./pmacctd -f ~amir/pmacctd-ex1.conf
flow-export: Exported 13 records
DEBUG ( default/core ): PCAP buffer: obtained 0 / 12451080 bytes.
OK ( default/core ): link type is: 1
INFO ( default/print ): Pipe size obtained: 65535 / 65532.
ID SRC MAC DST MAC VLAN SRC IP DST IP
SRC PORT DST PORT PROTOCOL TOS PACKETS FLOWS BYTES
INFO ( default/core ): finished reading the specified savefile. Exiting in few
seconds ...
0 00:00:00:00:00:00 00:00:00:00:00:00 0 68.87.96.3
192.114.47.52 0 0 ip 0 7 0 0
0 00:00:00:00:00:00 00:00:00:00:00:00 0 68.87.96.3
192.114.47.4 0 0 ip 0 6 0 0
---
Note that the packet counter is actually the number of flows, and it
is correct as such.
64-bit:
---
% flow-export -f 1 < /tmp/flow-debug | ./pmacctd -f ~amir/pmacctd-ex1.conf
flow-export: Exported 13 records
DEBUG ( default/core ): PCAP buffer: obtained 0 / 12451080 bytes.
OK ( default/core ): link type is: 1
INFO ( default/print ): Pipe size obtained: 65535 / 65532.
ID SRC MAC DST MAC VLAN SRC IP DST IP
SRC PORT DST PORT PROTOCOL TOS PACKETS FLOWS
BYTES
INFO ( default/core ): finished reading the specified savefile. Exiting in few
seconds ...
0 00:00:00:00:00:00 00:00:00:00:00:00 0 68.87.96.3
192.114.47.52 0 0 ip 0 6 0
0
0 00:00:00:00:00:00 00:00:00:00:00:00 0 68.87.96.3
192.114.47.4 0 0 ip 0 5 0
0
---
Note that one flow is missing from each target host (and still 0
byte counter). If I use a Netflow input file containing one record of
one flow, in 64-bit mode I don't get any output.
Here is the configuration file I used for the test above:
---
debug: true
pcap_savefile: -
promisc: false
plugins: print
print_refresh_time: 1
aggregate: src_host,dst_host
plugin_pipe_size: 12451080
plugin_buffer_size: 760
---
(I increased the plugin_pipe_size and plugin_buffer_size for a test
of a multi-tens MB Netflow input file - but the problem is the same even
if they are commented out.)
BTW, without "print_refresh_time: 1" pmacct didn't produce any output.
Value of 2 worked too, but 5 or more didn't work. I don't know if this
is an intended behavior, but maybe pmacct should flush all yet-unflushed
entries before it ends independent of the setup of print_refresh_time.
Other info:
gcc version 3.2.2 20030222
Red Hat 9
Compiled with and then without -O2
Thanks,
Amir
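
Added example, not part of the original message and not pmacct code: a cross-check of the PACKETS values printed in the two runs above against the totals that the flow-print listing implies for `aggregate: src_host,dst_host`. It assumes the seven-column `flow-print -f3` layout shown in the message; the function and variable names are hypothetical.

```python
from collections import defaultdict

# Sample rows copied from the flow-print -f3 listing in the message above.
FLOW_PRINT = """\
srcIP dstIP prot srcPort dstPort octets packets
68.87.96.3 192.114.47.52 17 53 32769 176 1
68.87.96.3 192.114.47.52 17 53 32769 1130 6
68.87.96.3 192.114.47.52 17 53 32769 429 2
68.87.96.3 192.114.47.52 17 53 32769 254 1
68.87.96.3 192.114.47.4 17 53 32768 874 4
68.87.96.3 192.114.47.4 17 53 32768 255 1
68.87.96.3 192.114.47.52 17 53 32769 1354 7
68.87.96.3 192.114.47.4 17 53 32768 253 1
68.87.96.3 192.114.47.4 17 53 32768 231 1
68.87.96.3 192.114.47.4 17 53 32768 1110 6
68.87.96.3 192.114.47.52 17 53 32769 217 1
68.87.96.3 192.114.47.52 17 53 32769 175 1
68.87.96.3 192.114.47.4 17 53 32768 1952 19
"""
# PACKETS column printed by pmacctd in the 32-bit and 64-bit runs above.
PAIR_52 = ("68.87.96.3", "192.114.47.52")
PAIR_4 = ("68.87.96.3", "192.114.47.4")
REPORTED_32 = {PAIR_52: 7, PAIR_4: 6}
REPORTED_64 = {PAIR_52: 6, PAIR_4: 5}

def aggregate(text):
    """Sum flows, packets and octets per (src_host, dst_host) pair."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or not (f[5].isdigit() and f[6].isdigit()):
            continue  # header line or malformed row
        t = totals[(f[0], f[1])]
        t["flows"] += 1
        t["bytes"] += int(f[5])
        t["packets"] += int(f[6])
    return dict(totals)

def diagnose(expected, reported):
    """Say which expected quantity each reported PACKETS value matches."""
    out = {}
    for key, exp in expected.items():
        got = reported.get(key, 0)  # a pair missing from the output counts as 0
        candidates = [("ok", exp["packets"]), ("flow count", exp["flows"]),
                      ("flow count minus one", exp["flows"] - 1)]
        out[key] = next((name for name, v in candidates if v == got), "unexplained")
    return out

print(aggregate(FLOW_PRINT))
print(diagnose(aggregate(FLOW_PRINT), REPORTED_32), diagnose(aggregate(FLOW_PRINT), REPORTED_64))
```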