I'm having a problem running pmacct with MySQL on Slackware 10.2.
I tested the software (pmacct version is 10.3) on a bridged host.
Here is my config:
debug: true
interface: br0
daemonize: true
pcap_filter: !broadcast
!
sql_db: multilink2
sql_table_version: 1
sql_passwd: multilink
sql_user: root
sql_refresh_time: 60
sql_optimize_clauses: true
sql_aggressive_classification: true
classifiers: /var/protocols
snaplen: 800
!
aggregate[total]: none
aggregate_filter[total]: not src and dst net (172.16.0.0/12 or 192.168.0.0/16 or 10.0.0.0/8)
!
aggregate[tot_in]: class,dst_mac,src_host,dst_host,src_port,dst_port,proto
aggregate_filter[tot_in]: dst net (172.16.0.0/12 or 192.168.0.0/16 or 10.0.0.0/8) and not src net (172.16.0.0/12 or 192.168.0.0/16 or 10.0.0.0/8)
!
aggregate[tot_out]: class,src_mac,src_host,dst_host,src_port,dst_port,proto
aggregate_filter[tot_out]: src net (172.16.0.0/12 or 192.168.0.0/16 or 10.0.0.0/8) and not dst net (172.16.0.0/12 or 192.168.0.0/16 or 10.0.0.0/8)
!
plugins: mysql[tot_out], mysql[tot_in], mysql[total]
sql_table[tot_in]: acct_totin_%Y_%m
sql_table[tot_out]: acct_totout_%Y_%m
sql_table[total]: acct_total_%Y_%m
!
sql_history[total]: 1M
sql_history_roundoff[total]: M
sql_history[tot_in]: 1h
sql_history_roundoff[tot_in]: mh
sql_history[tot_out]: 1h
sql_history_roundoff[tot_out]: mh
I found some unusual packet format in the log file. Example:
Sep 5 09:25:05 bridge pmacctd[5833]: DEBUG ( tot_in/mysql ): UPDATE acct_totin_2006_09 SET packets=packets-2, bytes=bytes-88, stamp_updated=now() WHERE FROM_UNIXTIME(1157439600) = stamp_inserted AND mac_dst='00:08:54:01:fd:cb' AND ip_src=' 212.72.49.131' AND ip_dst='172.16.8.11' AND src_port=80 AND dst_port=1801 AND ip_proto='tcp' AND class_id='unknown'
Sep 5 09:25:05 bridge pmacctd[5834]: DEBUG ( tot_out/mysql ): UPDATE acct_totout_2006_09 SET packets=packets-3, bytes=bytes-303, stamp_updated=now() WHERE FROM_UNIXTIME(1157439600) = stamp_inserted AND mac_src='00:08:54:01:fd:cb' AND ip_src=' 172.16.8.11' AND ip_dst='212.72.49.131' AND src_port=1801 AND dst_port=80 AND ip_proto='tcp' AND class_id='unknown'
Sep 5 09:27:01 bridge pmacctd[5899]: DEBUG ( tot_out/mysql ): UPDATE acct_totout_2006_09 SET packets=packets-2, bytes=bytes-88, stamp_updated=now() WHERE FROM_UNIXTIME(1157439600) = stamp_inserted AND mac_src='00:08:54:01:fd:cb' AND ip_src=' 192.168.16.29' AND ip_dst='217.12.186.22' AND src_port=2470 AND dst_port=110 AND ip_proto='tcp' AND class_id='unknown'
Sep 5 09:27:03 bridge pmacctd[5953]: DEBUG ( tot_in/mysql ): UPDATE acct_totin_2006_09 SET packets=packets-1, bytes=bytes-48, stamp_updated=now() WHERE FROM_UNIXTIME(1157439600) = stamp_inserted AND mac_dst='00:08:54:01:fd:cb' AND ip_src=' 217.12.186.22' AND ip_dst='192.168.16.29' AND src_port=110 AND dst_port=2470 AND ip_proto='tcp' AND class_id='unknown'
Sep 5 09:31:01 bridge pmacctd[6162]: DEBUG ( tot_in/mysql ): UPDATE acct_totin_2006_09 SET packets=packets-2, bytes=bytes-88, stamp_updated=now() WHERE FROM_UNIXTIME(1157439600) = stamp_inserted AND mac_dst='00:08:54:01:fd:cb' AND ip_src=' 212.48.11.21' AND ip_dst='192.168.16.99' AND src_port=80 AND dst_port=1092 AND ip_proto='tcp' AND class_id='unknown'
The strange aspect is that packets and bytes shorten themselves (packets=packets-2 and bytes=bytes-88)
(i.e. the size decreases instead of increasing).
Then, in the database (MySQL), I found a record with an overflow value in the acct_totin and acct_totout tables. In 1 minute this
record reaches the biggest possible dimension. In the log file I didn't find the line relating to this error.
I found the same error on another host without bridged mode, where "bytes" had overflowed and packets was 0.
In the acct_total table, instead, I didn't find any error, and the "packets" and "bytes" values are OK.
Do you know anything about it?
Do you think it's because of a possible mistake in my config?
Please help me.
Thanks, and I'm sorry for my English.
Greetings
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
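One way to locate the decrementing UPDATE statements described in the message above is to scan the pmacctd debug log for SET clauses with a negative counter delta. This is an added example, not part of the original post or of pmacct; the function names are hypothetical and the sample lines are constructed in the format quoted in the post.

```python
import re

# pmacctd SQL debug line, in the format quoted in the post above.
LINE_RE = re.compile(
    r"pmacctd\[(?P<pid>\d+)\]: DEBUG \( (?P<plugin>\w+)/mysql \): "
    r"UPDATE (?P<table>\S+) SET (?P<sets>.+?) WHERE (?P<where>.+)$"
)
# counter=counter<sign><n>, e.g. packets=packets-2; the backreference
# makes stamp_updated=now() fall through without a match.
DELTA_RE = re.compile(r"(\w+)=\1\s*([+-])\s*(\d+)")
# Flow key fields; tolerates the blank after the opening quote seen in the log.
KEY_RE = re.compile(r"(ip_src|ip_dst|src_port|dst_port)='?\s*([\w.:]+)")

def parse_update(line):
    """Return plugin, table, pid, deltas and flow key, or None if not an UPDATE line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    deltas = {n: int(s + v) for n, s, v in DELTA_RE.findall(m["sets"])}
    return {"plugin": m["plugin"], "table": m["table"], "pid": int(m["pid"]),
            "deltas": deltas, "flow": dict(KEY_RE.findall(m["where"]))}

def find_decrements(lines):
    """Yield parsed UPDATEs in which at least one counter is decremented."""
    for line in lines:
        rec = parse_update(line.rstrip("\n"))
        if rec and any(d < 0 for d in rec["deltas"].values()):
            yield rec

# Constructed sample lines (documentation addresses, not real captures).
_W = " WHERE FROM_UNIXTIME(1157439600) = stamp_inserted AND "
SAMPLE = [
    "Sep 5 09:25:05 bridge pmacctd[5833]: DEBUG ( tot_in/mysql ): UPDATE acct_totin_2006_09 "
    "SET packets=packets-2, bytes=bytes-88, stamp_updated=now()" + _W +
    "ip_src=' 192.0.2.10' AND ip_dst='172.16.8.11' AND src_port=80 AND dst_port=1801",
    "Sep 5 09:25:05 bridge pmacctd[5834]: DEBUG ( tot_out/mysql ): UPDATE acct_totout_2006_09 "
    "SET packets=packets+3, bytes=bytes+303, stamp_updated=now()" + _W +
    "ip_src=' 172.16.8.11' AND ip_dst='192.0.2.10' AND src_port=1801 AND dst_port=80",
    "Sep 5 09:25:06 bridge pmacctd[5833]: DEBUG ( tot_in/mysql ): cache purge started",
    "Sep 5 09:27:03 bridge pmacctd[5953]: DEBUG ( tot_out/mysql ): UPDATE acct_totout_2006_09 "
    "SET packets=packets-1, bytes=bytes-48, stamp_updated=now()" + _W +
    "ip_src=' 192.168.16.29' AND ip_dst='192.0.2.22' AND src_port=2470 AND dst_port=110",
]

if __name__ == "__main__":
    for r in find_decrements(SAMPLE):
        print(r["plugin"], r["table"], r["pid"], r["deltas"], r["flow"])
```

Pointing `find_decrements` at an open log file instead of `SAMPLE` shows which plugin, table and flow each negative delta belongs to, which can then be matched against the rows holding the overflowed values.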
