Hi All, I really hope one of you can help, we're absolutely dieing with this problem. We're an ISP and we run pmacct on a dedicated server that connects to a distribution switch on the edge of our network. We use pmacct strictly for data traffic usage reporting and customer billing.
The dedicated server is connected to a span port on the switch that mirror's all traffic going via the uplink to the next hop router, running in promiscuous mode and writing everything to a MySQL database. Most of the time the traffic is accurate, but on average 1 or 2 days each month it'll go completely crazy and show far more traffic inbound and outbound for almost every one of our IP addresses. Whatever causes this to happen is an instantaneous thing as we've been able to confirm it happens inside a 1 hour period looking at hourly traffic break downs. It also seems to be greatly influenced by the amount of genuine traffic, the busier the server the more inaccurate the results, i.e. a server that transfers on average 70 Gigabytes per month can show 50 Gigabyte in one hour in the pmacct database when the bug occurs. We've used snmp on the server network adapters and upstream router to confirm this traffic isn't real, it's contained between the switch and the pmacct dedicated server. We tried replacing the switch with a brand new Cisco 3750 and it made no difference. Our pmacct config: ! ! pmacct: In + Out ! debug: true logfile: /var/log/pmacct.log daemonize: true promisc: true interface: eth0 networks_file: /usr/local/etc/networks.def aggregate : src_host,dst_host plugins : mysql sql_db : pmacct sql_table : acct sql_table_version : 1 sql_passwd : *password removed* sql_user : pmacct sql_refresh_time : 60 sql_history : 1h sql_history_roundoff : mh Any help would be REALLY appreciated! Cheers, Mitch _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
