Hey all, having an issue with a pmacct setup that seems a bit confusing to me. Didn't see anything in the mailing list archives that I think relates to this situation.
Basically what's happening is that we have two pmacct setups. 1 - a mirror of all traffic on our class C. This is the number we know is right. The setup there looks like this: debug:false interface:eth1 aggregate[in]:dst_host aggregate[out]:src_host aggregate_filter[in]: dst net 64.x.x.0/24 and not src net 64.x.x.0/24 aggregate_filter[out]: src net 64.x.x.0/24 and not dst net 64.x.x.0/24 plugins:pgsql[in], pgsql[out] sql_data:frontend sql_db:dbname sql_table:tablename sql_user:user sql_passwd:password sql_refresh_time:600 sql_optimize_clauses:true sql_history:1d sql_host:localhost sql_recovery_logfile:/home/xx/logs/recover-daily.log pidfile:/home/xx/logs/pmacctd-daily.pid sql_history_roundoff:1d plugin_pipe_size: 512000 plugin_buffer_size: 4096 ! next must be prime.... sql_cache_entries: 99991 2 - We also have a firewall out in the field which has a couple of IPs from the class C assigned to it. In theory those IPs bandwidth should match almost exactly the data from setup #1. The second servers setup looks like this: debug:false interface:eth3 aggregate[in]:dst_host,dst_mac aggregate[out]:src_host,src_mac aggregate_filter[in]: dst net (192.168.x.0/23 or 64.x.x.0/24) and not src net (192.168.x.0/23 or 64.x.x.0/24) aggregate_filter[out]: src net (192.168.x.0/23 or 64.x.x.0/24) and not dst net (192.168.x.0/23 or 64.x.x.0/24) plugins:pgsql[in], pgsql[out] sql_data:frontend sql_db:dbname sql_table:tablename sql_user:user sql_passwd:password sql_refresh_time:600 sql_optimize_clauses:true sql_history:1d sql_host:localhost sql_recovery_logfile:/opt/xx/log/pmacct/recover-daily.log pidfile:/opt/xx/log/pmacct/daily.pid sql_history_roundoff:h plugin_pipe_size: 512000 plugin_buffer_size: 4096 ! next must be prime.... sql_cache_entries: 99991 The original pmaccts were set up by someone other than me, so I'm just trying to figure it out. Basically the only difference between the two that I'm seeing is the filter in / out which is there because on #2 the ethernet we're listening on (eth3) is the internal card and we e only wanting to record data that is going out of our network, so anything from the outside world to either out 64.x or the 192.x isn't counted. I've run tcpdump on both hosts with the filters in it from the pmacct settings above and the bytes that are caught by tcpdump match properly, however the values that are written by pmacctd to the respective databases are consistantly double in #2 :( Could this be the aggregate[] setting maybe? I can't see something like that doubling what pmacctd is recording, but who knows. Any suggestions or tips *greatly* appreciated. Alan -- Alan <[EMAIL PROTECTED]> - http://arcterex.net -------------------------------------------------------------------- "Backups are for people who don't pray." -- big Mike _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
