Hi,

I'm having a strange problem when using IMT as I try to move away from
mysql and switch to using pmacct with rrd for my collection needs.

Perhaps I'm not using the IMT plugin correctly, but I'm having a weird
issue come up when I'm trying to monitor traffic.

I've configured pmacct as such:
aggregate[in]: class,dst_mac,dst_host,src_port,dst_port
aggregate[out]: class,src_mac,src_host,src_port,dst_port
aggregate_filter[in]: dst net 192.168.16.0/24 and not src net 192.168.16.0/24
aggregate_filter[out]: src net 192.168.16.0/24 and not dst net 192.168.16.0/24
plugins: memory[in], memory[out]
imt_path[in]: /tmp/pmacct.in.pipe
imt_path[out]: /tmp/pmacct.out.pipe

I've also gone and configured imt_buckets and imt_mem_pools_size as
65537 and 65536, respectively, for each plugin.

Here's the problem:
If I run
        pmacct -p /tmp/pmacct.in.pipe -s
Then I get output such as I would expect (example)
        CLASS             DST MAC            DST IP           SRC PORT  DST PORT  PACKETS     BYTES
        unknown           00:30:18:a5:e9:7b  192.168.16.20    25        51328     1           40
        unknown           00:0c:29:8b:5e:82  192.168.16.23    4038      1587      19          1428

If I run
        pmacct -p /tmp/pmacct.in.pipe -c dst_host -M "192.168.16.20" -n bytes
I get a zero. So then, thinking - let's check the table - I run:
        pmacct -p /tmp/pmacct.in.pipe -c dst_host -M "192.168.16.20"
I strangely get
        CLASS             DST MAC            DST IP           SRC PORT  DST PORT  PACKETS     BYTES

        For a total of: 0 entries

Yet here's the stranger part:
If I run
        pmacct -p /tmp/pmacct.out.pipe -s
I get
        CLASS             SRC MAC            SRC IP           SRC PORT  DST PORT  PACKETS     BYTES
        unknown           00:14:22:1a:e2:c4  192.168.16.11    23445     1234      1           36
        ntp               00:04:23:b3:fd:54  192.168.16.29    123       123       5           380

Which is what I'd expect. So let's see if I can filter on src_host by
running: 
        pmacct -p /tmp/pmacct.out.pipe -c src_host -N "192.168.16.29" -n bytes
I get an appropriate byte counter
        552475

If I go by dst_mac, everything works fine and I get the results I would
expect (although for mac addr). Is this a bug with dst_host somehow, or
am I just using it wrong? Like I said, src_host works fine. I've tested
this against .9.3, .9.6, and .10.0rc2 and they all display the same
behaviour, so I can't help but feel I'm doing something wrong that's
just not obvious.

Thanks!
