Hi Jaromir,

On Sun, Jul 24, 2011 at 02:04:59PM +0200, Jaromír Červenka wrote:
> In high traffic ( > 200 Mbit / sec.) pmacctd doesn't count all bytes and
> packets. I found out that this happened when I use pretag file. I have pretag
> map file with almost 3000 filters inside, for recognizing traffic which heads
> outside the country.

[ ... ]

> I also tried to compile pmacct against PF_RING libpcap, but it didn't help. I
> also tried to "play" with different buffers in configuration file, but it
> didn't help either. Do you have any idea why pmacctd doesn't count all
> traffic in such conditions?

Then I would imagine you can spot CPU peaking at 100% ? Evaluating 3K rules
against maybe ~34K pps (ie. 200Mbit @ ~750 bytes/packet) can be intensive.
Can suggest a couple of things:

* As Slava pointed out, pre-process raw traffic and evaluate rules in
  nfacctd against NetFlow datagrams. Pre-processing can be done via an
  external software or with pmacct - by using the nfprobe plugin.

* Don't know what is the actual content of your tag rules but they are
  evaluated in the order you loaded them, just like you would expect of
  a set of firewall rules. Perhaps you can sort them placing the "most
  likely to be matched" rules first - and see if this is beneficial?

Cheers,
Paolo

> On 18. 7. 2011 at 13:48, Paolo Lucente wrote:
>
> > Hi Jaromir,
> >
> > Thanks for your interest into the pmacct project. Please find below
> > answers to your questions:
> >
> > 1) Did you compile the package with --enable-ipv6 ?
> >
> > 2) Is it possible it's all traffic from the outside to IP addresses
> > assigned to you but not used as a result of a scan? Or you see
> > unused IP addresses generating traffic?
> >
> > 3) 0.0.0.0 is traffic to/from some networks which are not listed as
> > part of your networks.lst file. This is also briefly explained in
> > the CONFIG-KEYS, networks_file part: "[ ... ] a) it allows to
> > rewrite as zero IP addresses not included in any defined network
> > range (ie. to avoid IP addresses external to the local domain to
> > be accounted for)"
> >
> > Cheers,
> > Paolo
> >
> > On Fri, Jul 15, 2011 at 11:57:41AM +0200, Jaromír Červenka wrote:
> >> Hello to all,
> >>
> >> first I must say, that pmacct is great piece of software, thanks for it.
> >> May I have few questions for more advanced user, than I am?
> >>
> >> Let's start with my current configuration, for one server:
> >>
> >> pmacctd.conf: http://paste.opensuse.org/97918056
> >> networks.lst: http://paste.opensuse.org/88433187
> >> pretag.map: http://paste.opensuse.org/31181373
> >>
> >> 1) First question is regarding to IPv6 in pre_tag_map file. When I put
> >> IPv6 network inside, I get this error:
> >>
> >> INFO ( default/core ): Trying to (re)load map: /etc/pmacct/pretag.map
> >> ERROR ( /etc/pmacct/pretag.map ): malformed filter: unknown network 'a01'
> >> Line 2 ignored.
> >> INFO ( default/core ): map '/etc/pmacct/pretag.map' successfully
> >> (re)loaded.
> >>
> >> Is it possible to use IPv6 networks inside pre_tag_map file? I would
> >> like to distinguish IPv4 and IPv6 traffic.
> >>
> >> 2) As you can see, I've configured pmacctd for accounting total traffic
> >> for IN and OUT (in two different SQL tables), only for my two networks -
> >> one is IPv4, second one IPv6. But I have just few IP addresses allocated
> >> from these networks for my servers (for example: 80.79.27.58-
> >> 80.79.27.71). But the results shows me, that there is some communication
> >> from my network to the internet from addresses, which are not assigned
> >> any of my servers or ethernet cards (like .83 , .76, etc.) . How is it
> >> possible?
> >>
> >> 3) My last question is regarding to aggregation total IN / OUT of
> >> networks. In the results there is network 0.0.0.0 which has significant
> >> nr. of packets and bytes. What does it mean?
> >>
> >> Thank you for any advice,
> >> Jaromir Cervenka

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
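
The rule-ordering suggestion in the reply above can be measured offline before touching a live map. This is an added example, not code from the thread or from pmacct. It assumes first-match-wins evaluation and models rules as (tag, network) pairs; all function names are hypothetical and the rule set and traffic sample are constructed.

```python
import ipaddress
from collections import Counter

def first_match(rules, addr):
    """Return (tag, rules_evaluated); assumes the first matching rule wins."""
    for n, (tag, net) in enumerate(rules, start=1):
        if addr in net:
            return tag, n
    return 0, len(rules)  # nothing matched: the whole list was walked

def cost(rules, packets):
    """Total rule evaluations needed to tag every packet in the sample."""
    return sum(first_match(rules, p)[1] for p in packets)

def reorder_by_hits(rules, packets):
    """Put the most frequently matched rules first (stable for ties).

    Reordering a first-match list changes tags if rules overlap, so
    overlapping networks are rejected rather than silently re-tagged.
    """
    nets = sorted((net for _, net in rules),
                  key=lambda n: (n.version, int(n.network_address)))
    for a, b in zip(nets, nets[1:]):
        if a.version == b.version and a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}: rule order is significant")
    hits = Counter(first_match(rules, p)[0] for p in packets)
    return sorted(rules, key=lambda r: -hits[r[0]])

def build_sample():
    """Constructed data: 3000 disjoint /24 rules, 300 destination addresses,
    90% of which match rules at the very end of the load order."""
    rules = [(i + 1, ipaddress.ip_network(f"10.{i // 256}.{i % 256}.0/24"))
             for i in range(3000)]
    packets = []
    for k in range(300):
        idx = k if k % 10 == 0 else 2990 + k % 10
        packets.append(rules[idx][1].network_address + 1)
    return rules, packets

if __name__ == "__main__":
    rules, packets = build_sample()
    tuned = reorder_by_hits(rules, packets)
    for name, r in (("load order", rules), ("hit order", tuned)):
        print(f"{name}: {cost(r, packets) / len(packets):.1f} rules per packet")
```

The overlap check matters because moving a broad network ahead of a more specific one would change which tag a packet receives, not just how fast it is found.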
