Hi Falk, I'd essentially say you have a case of double-counting. The "slightly more than double" counters compared to the file size is due to the encapsulation on the wire of the payload. Typical reasons for double counting while using pmacctd:
* two daemons are running in parallel and writing to the same database; it might happen with libpcap. * you mirror traffic at a switch. You mirror both input and output at one or multiple interfaces. The VLAN is provisioned on such interfaces and is crossing the switch. Hence you see same traffic twice. * inter-vlan switching. Not your case since you are accounting on the VLAN id and that's the same. Just worth mentioning. Please give it a check and let me know how it goes. Cheers, Paolo On Sat, Aug 06, 2011 at 10:49:31AM +0200, Falk Brockerhoff wrote: > Hi, > > I installed a fresh debian squeeze on a box without any services (no ssh, no > ntp, ... to avoid any unwanted traffic for my test). Then I download a 100 MB > file (104857600 bytes) using wget. But in my database I see much more traffic > (more than double size of the downloaded file!) accounted. (I restarted > pmacct before beginning the test and after finished it to flush the cache, of > course) > > Can anybody tell me, what's going wrong here? > > agent_id | mac_src | mac_dst | vlan | ip_src | > ip_dst | port_src | port_dst | ip_proto | packets | bytes | > stamp_inserted | stamp_updated > ----------+-------------------+-------------------+------+----------------+----------------+----------+----------+----------+---------+-----------+---------------------+--------------------- > 0 | 00:00:00:00:00:00 | 00:00:00:00:00:00 | vlan-id | server-ip | > 0.0.0.0 | 0 | 0 | 0 | 73632 | 3867414 | > 2011-08-06 10:45:00 | 2011-08-06 10:46:21 > 0 | 00:00:00:00:00:00 | 00:00:00:00:00:00 | vlan-id | 0.0.0.0 > | server-ip | 0 | 0 | 0 | 145044 | 217521644 | > 2011-08-06 10:45:00 | 2011-08-06 10:46:21 > > My pmacct.conf looks like this: > > --snip-- > daemonize: true > promisc: true > pidfile: /var/run/pmacctd.pid > syslog: daemon > > interface: eth5 > > plugin_pipe_size: 10240000 > plugin_buffer_size: 10240 > > networks_file: /etc/pmacct/network > > plugins: pgsql[in], pgsql[out] > aggregate[in]:vlan,src_host,dst_host > aggregate[out]:vlan,src_host,dst_host > > sql_host: localhost > sql_user: user > sql_passwd: pass > sql_db: database > > sql_table_version: 2 > sql_table: accounting_%Y_%m > sql_table_schema: /etc/pmacct/acct_v2-modified.pgsql > > sql_refresh_time: 60 > sql_optimize_clauses: true > sql_history: 5m > sql_history_roundoff: m > --snap-- > > Sch?nen Gru? aus Duisburg / Regards from Duisburg, > > Falk Brockerhoff > smartTERRA Gesch?ftsf?hrung / smartTERRA CEO > > -- > Kontaktm?glichkeiten / Postal Address, Contact: > smartTERRA GmbH, Postfach 170353, 47183 Duisburg > Telefon 0211-547 610 00, Telefax 0211-547 610 01 > Meine Durchwahl / my phone: 0211-547 610 05 > > Sitz der Gesellschaft / Principal Office: > Vogelsanger Weg 91, 40470 D?sseldorf, Deutschland > GF Falk Brockerhoff, Amtsgericht D?sseldorf HR B 65811 > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
