Have a nice day,
I start using th pmacct few days ago and have some question:
Equipment schema:
( internet )---[ (gi0/0:nat_here) router AR28-40 (gi1/0) ]--{runk
vlan:2,153}--[ switch ]--{vlan 2}---> clients
|
-----{vlan 153}-> [ pmacct server ]
I use nfacct with Huawei router AR28-40 (VRP 3.40)
router side setup:
#
ip netstream export source interface GigabitEthernet1/0.2
ip netstream export host 1.2.101.3 5678
ip netstream format no-direction
#
#
interface GigabitEthernet1/0.2
description to accounting server...
ip address 1.2.101.8 255.255.255.0
vlan-type dot1q vid 2
#
interface GigabitEthernet1/0.153
description link to user's
ip address 172.XXX.255.10 255.255.255.252
ip netstream inbound
ip netstream outbound
vlan-type dot1q vid 153
pmacct I used from packages in debian/unstable:
# dpkg -l pmacct
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============================-========-===================================
ii pmacct 0.10.1-1 promiscuous mode traffic accountant
The config nfacct is:
# grep -v '^!' /etc/pmacct/nfacctd.conf
daemonize: true
syslog: daemon
pidfile: /var/run/nfacctd.pid
nfacctd_port: 5678
nfacctd_ip: 1.2.101.3
nfacctd_time_new: true
plugins: memory[mem]
aggregate[mem]: src_host, dst_host, src_port, dst_port, proto
I try to accumulate statistic's very simple:
in a crontab evry 5 min I run flowing script:
#!/bin/sh
OUT_FILE="var/input/`date '+%Y%m%d-%H%M'`"
cd /path/to/traffic
#pmacct -c src_host,dst_host -M *,* -r > $OUT_FILE
pmacct -s -e > $OUT_FILE
#exec ./pmacct.pl $OUT_FILE
The pmacct.pl used for parsing output and insert values to RRD
database.
in a directory var/input/ I have some files looks like:
SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL PACKETS
BYTES
213.180.204.36 172.XXX.22.130 80 1586 tcp 15
3437
172.XXX.126.130 195.161.119.241 4383 80 tcp 6
1852
172.XXX.126.130 89.108.65.158 4233 80 tcp 5
708
89.108.65.158 172.XXX.126.130 80 3587 tcp 8
7605
89.108.65.158 172.XXX.126.130 80 4294 tcp 4
964
213.186.114.174 172.XXX.121.194 80 62891 tcp 5
2340
But in a graphs I have strange... Look's linke I have a 100M channel into
internet, but I have physycly 10M connectivity.
In data I have:
FILENAME :SRC_IP DST_IP SRC_PORT DST_PORT PROTOCOL
PACKETS BYTES
20070125-1650:172.XXX.123.200 195.70.197.2 1185 21 tcp
6 278
20070125-1650:194.85.32.18 172.XXX.123.200 53 1039 udp
1 151
20070125-1650:195.70.197.2 172.XXX.123.200 21 1186 tcp
6 382
20070125-1650:195.70.197.2 172.XXX.123.200 21 1185 tcp
6 382
20070125-1650:172.XXX.123.200 195.70.197.2 1186 21 tcp
6 278
20070125-1650:172.XXX.123.200 194.85.32.18 1039 53 udp
1 54
20070125-1655:172.XXX.123.200 195.70.197.2 1189 55349 tcp
4 168
20070125-1655:195.70.197.2 172.XXX.123.200 21 1188 tcp
19 1601
20070125-1655:195.70.197.2 172.XXX.123.200 21 1187 tcp
9 835
20070125-1655:172.XXX.123.200 195.70.197.2 1188 21 tcp
21 1036
20070125-1655:195.70.197.2 172.XXX.123.200 55349 1189 tcp
4 987
20070125-1655:172.XXX.123.200 195.70.197.2 1190 50465 tcp
17321 735572
20070125-1655:195.70.197.2 172.XXX.123.200 50465 1190 tcp
25317 37951035
20070125-1655:172.XXX.123.200 195.70.197.2 1187 21 tcp
10 478
20070125-1700:172.XXX.123.200 195.70.197.2 1191 54368 tcp
18406 787928
20070125-1700:172.XXX.123.200 195.70.197.2 1192 58084 tcp
42 1688
20070125-1700:172.XXX.123.200 195.70.197.2 1198 52823 tcp
4 168
20070125-1700:172.XXX.123.200 195.70.197.2 1202 59843 tcp
4 168
20070125-1700:195.70.197.2 172.XXX.123.200 21 1188 tcp
65 4811
20070125-1700:195.70.197.2 172.XXX.123.200 61039 1194 tcp
25319 37951115
20070125-1700:195.70.197.2 172.XXX.123.200 57730 1196 tcp
4 653
20070125-1700:195.70.197.2 172.XXX.123.200 58084 1192 tcp
64 91726
20070125-1700:172.XXX.123.200 195.70.197.2 1201 55388 tcp
4 168
20070125-1700:195.70.197.2 172.XXX.123.200 21 1187 tcp
2 147
20070125-1700:172.XXX.123.200 195.70.197.2 1188 21 tcp
75 3822
20070125-1700:195.70.197.2 172.XXX.123.200 52823 1198 tcp
4 362
20070125-1700:172.XXX.123.200 195.70.197.2 1195 21 tcp
14 680
20070125-1700:172.XXX.123.200 195.70.197.2 1199 64433 tcp
4 168
20070125-1700:172.XXX.123.200 195.70.197.2 1194 61039 tcp
17266 729820
20070125-1700:195.70.197.2 172.XXX.123.200 61684 1193 tcp
26660 39943666
20070125-1700:195.70.197.2 172.XXX.123.200 51032 1200 tcp
4 415
20070125-1700:172.XXX.123.200 195.70.197.2 1193 61684 tcp
18254 770908
20070125-1700:195.70.197.2 172.XXX.123.200 59843 1202 tcp
4 285
20070125-1700:172.XXX.123.200 195.70.197.2 1197 58761 tcp
4 168
20070125-1700:195.70.197.2 172.XXX.123.200 54368 1191 tcp
26638 39942786
20070125-1700:195.70.197.2 172.XXX.123.200 50465 1190 tcp
1 40
20070125-1700:172.XXX.123.200 195.70.197.2 1196 57730 tcp
4 168
20070125-1700:195.70.197.2 172.XXX.123.200 64433 1199 tcp
4 346
20070125-1700:195.70.197.2 172.XXX.123.200 21 1195 tcp
13 934
20070125-1700:172.XXX.123.200 195.70.197.2 1187 21 tcp
1 40
20070125-1700:172.XXX.123.200 195.70.197.2 1200 51032 tcp
4 168
20070125-1700:195.70.197.2 172.XXX.123.200 58761 1197 tcp
4 285
20070125-1700:195.70.197.2 172.XXX.123.200 55388 1201 tcp
4 687
Summary input 155893631 bytes in 10 min, speed: 2078581,747 bit/s ~ 20Mb/s
May be some this worng ? Or my config having errors or huawei-router
export netflow somethis else that cisco ?
--
Andrey Cheromyrdin
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
