Re: [pmacct-discussion] Problems with accounting with pmacct

[Oliver Treck (Treck.de - the WEB energyzer)]

Hi Paolo.

Thanks for your fast response.
Yes, i'm using sFlow.

It seems, that the additional configuration did not realy work.
Counters for packets and bytes are increased now, but they are still absurd.

I did a download of 600MB but the counters telling:

+----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+
| agent_id | class_id | mac_src | mac_dst | vlan | as_src | as_dst | ip_src     
 | ip_dst  | src_port | dst_port | tcp_flags | ip_proto | tos | packets | bytes 
   | flows | stamp_inserted      | stamp_updated       |
+----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+
|        0 |          |         |         |    0 |      0 |      0 | 
xx.xx.x.xxx | 0.0.0.0 |        0 |        0 |         0 |          |   0 |  
273408 | 16732160 |     0 | 2007-09-20 17:00:00 | 2007-09-20 17:54:23 |
+----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+

That's just 16MB :(


Since one week there was no entry like ip_src = 0.0.0.0 -> ip_dst = <OUR IP>
just: ip_src = <OUR IP> -> ip_dst = 0.0.0.0

But before there already were some of incoming packets.





Do you have another idea for my problems?

Best regards,
Oliver Treck




Paolo Lucente schrieb:

Another Problem is, that the daemon seems to collect traffic just for outgoing packets. Even as long as i know that the byte counters are wrong i cannot even say, if the outgoing and incoming traffic is summarized here in that single entry "ip_src = <OUR IP> to ip_dst 0.0.0.0" or if it's completely left out. Another problem is also, that some ip's seem not to be accounted continuous. For an ip with high traffic load the last entry was yesterday at 6pm.

Hi Oliver,

you seem to be using sFlow. If that's the case, you might have to multiply
the bytes counter by the sampling rate to get a pretty accurate view of the
traffic. You can make pmacct to renormalize the counters for you by adding
the following line to your config:

sfacctd_renormalize: true

Hope this helps.

Cheers,
Paolo

On Wed, Sep 19, 2007 at 11:09:31AM +0200, Oliver Treck (Treck.de - the WEB 
energyzer) wrote:

Hello.

I'm new in this and have some problems with pmacct.


I set up pmacct with the following configuration:

daemonize: true
pidfile: /var/run/sfacctd.pid
syslog: daemon
sfacctd_port: 6000
sfacctd_ip: <LOKAL-IP>
aggregate: src_host,dst_host
networks_file: /etc/traffic/networks
plugins: mysql
plugin_pipe_size: 10240000
plugin_buffer_size: 10240
sql_host: localhost
sql_user: <MYSQL-USER>
sql_passwd: <MYSQL-PASS>
sql_db: pmacct
sql_table: acct_v7
sql_table_version: 7
sql_refresh_time: 5
sql_optimize_clauses: true
sql_history: 1h
sql_history_roundoff: m



This for example are the entries for a hight traffic ip-address:

<snip-snip>







Best regards,
Oliver Treck

I want to make an accounting for a hole subnet with large numbers of IPs. The accounting should primary used for billing the use of traffic. This works in that way, that it fills the MySQL-Table with lots of data. And internal traffic (network-ip to network-ip) is seperated from traffic to the outside world. The only Problem i have is, that the bytes-values are absolutely impossible. Here for "2007-09-13 12:00:00" it tells me the IP used "162458" bytes and 159 Packets in that hour. That means it used just 159kb traffic??? That is absolutly impossible for this ip and has to be much more. Is it possible, that i have to multiply the bytes value with the packets-value? Or are the bytes values already rounded to megabyte? I'm quite a bit confused about how to read this results and if they are realy trustable. I would be glad, if someone could tell me how to understand this ad if i'm doing something wrong.

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

begin:vcard
fn:Oliver Treck
n:Treck;Oliver
org:Treck.de - the WEB energyzer
adr:;;Rektor-Kruse-Weg 13;Iserlohn;NRW;58644;Deutschland
email;internet:[EMAIL PROTECTED]
title:Inhaber
tel;work:+49-2371-779701
tel;fax:+49-2371-779702
tel;cell:+49-160-94168378
url:http://www.treck.de
version:2.1
end:vcard

smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists