Hi, I have a strange problem again. I already tested the newest CVS version but it persists:
I use four aggregates: - inbound: incoming traffic for local IPs - outbound: outgoing traffic for local ips - TMPflowSRC: short time local outgoing udp traffic (with a short port list) - TMPflowDST: short time udp traffic (after destination address) to be able to identify potential outgoing ddos Everything worked fine for some time but today I found that TMPflowSRC accounts almost no traffic anymore and if its accounts mostly IPv6 addresses. Sadly in this network IPv6 traffic is less than 4% so there must be some fault in my configuration. With debug enabled the initialization of the three aggregates with a network filter looks identical, so there shouldn’t be the problem. commenting out the port-List didn’t help either. My configuration: ! pmacctd configuration ! ! ! daemonize: true pidfile: /var/run/pmacctd.pid syslog: daemon ! aggregate[inbound]: dst_host aggregate[outbound]: src_host,proto aggregate[TMPflowSRC]: src_host,src_port,proto aggregate[TMPflowDST]: dst_host,proto aggregate_filter[TMPflowSRC]: udp aggregate_filter[TMPflowDST]: udp plugins: mysql[inbound], mysql[outbound], mysql[TMPflowSRC], mysql[TMPflowDST] sql_table[inbound]: acct_%Y_%m_in sql_table[outbound]: acct_%Y_%m_out sql_table[TMPflowSRC]: acct_TMPflowSRC sql_table[TMPflowDST]: acct_TMPflowDST sql_table_schema[inbound]: /etc/pmacct/inbound.schema sql_table_schema[outbound]: /etc/pmacct/outbound.schema networks_file[inbound]: /etc/pmacct/networks networks_file[outbound]: /etc/pmacct/networks networks_file[TMPflowSRC]: /etc/pmacct/networks ports_file[TMPflowSRC]: /etc/pmacct/portsudp networks_file_filter: true interface: eth0 ! storage methods sql_db: pmacct sql_table_version: 4 sql_passwd: <secret> sql_user: pmacct sql_refresh_time: 60 sql_optimize_clauses: true sql_history: 1m sql_history_roundoff: m sql_multi_values: 12000000 sql_cache_entries: 64000 pmacctd_flow_buffer_buckets: 4096 sql_dont_try_update: true plugin_buffer_size: 163840 plugin_pipe_size: 40960000 Any ideas where to look? greetings Johannes _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
