Hi Oliver, counters make sense: you were downloading something - looks like a TCP strem - and the set of TCP ACKs has been intercepted, for a total of soma 16MB. Doing a few maths confirms this in fact packets are very small: 16732160 / 273408 = ~61 bytes.
Now, the configuration posted previously looks correct. Check on your sFlow agent what is being sampled - which interfaces and which direction - and make sure that everything you need to capture the whole stream is there. Often the traffic is sampled only uni-directionally. Once that's verified, if nothing comes up i would then suggest to debug the sFlow datagrams with sflowtool. That would rule out either the agent or the collector. Maybe it's also a good idea to specify vendor and model of the sFlow agent, maybe people reading might have useful tips. Cheers, Paolo On Thu, Sep 20, 2007 at 06:31:56PM +0200, Oliver Treck (Treck.de - the WEB energyzer) wrote: > Hi Paolo. > > Thanks for your fast response. > Yes, i'm using sFlow. > > It seems, that the additional configuration did not realy work. > Counters for packets and bytes are increased now, but they are still absurd. > > I did a download of 600MB but the counters telling: > > +----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+ > | agent_id | class_id | mac_src | mac_dst | vlan | as_src | as_dst | ip_src > | ip_dst | src_port | dst_port | tcp_flags | ip_proto | tos | packets | > bytes | flows | stamp_inserted | stamp_updated | > +----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+ > | 0 | | | | 0 | 0 | 0 | > xx.xx.x.xxx | 0.0.0.0 | 0 | 0 | 0 | | 0 | > 273408 | 16732160 | 0 | 2007-09-20 17:00:00 | 2007-09-20 17:54:23 | > +----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+ > > That's just 16MB :( > > Another Problem is, that the daemon seems to collect traffic just for > outgoing packets. > Since one week there was no entry like ip_src = 0.0.0.0 -> ip_dst = <OUR IP> > just: ip_src = <OUR IP> -> ip_dst = 0.0.0.0 > > But before there already were some of incoming packets. > > Even as long as i know that the byte counters are wrong i cannot even > say, if the outgoing and incoming traffic is summarized here in that > single entry "ip_src = <OUR IP> to ip_dst 0.0.0.0" or if it's completely > left out. > > Another problem is also, that some ip's seem not to be accounted > continuous. For an ip with high traffic load the last entry was > yesterday at 6pm. > > Do you have another idea for my problems? > > Best regards, > Oliver Treck _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
