I recently upgraded a Linux host I was running pmacctd on (including an
upgrade to pmacctd), and it no longer seems to behave like it did before,
and the difference seems to boil down to the behavior of
aggregate_filter.  Have the semantics for it changed much?

If I run tcpdump like the following, I see 500+ packets/second:
   tcpdump -i em2 -nl dst net 10.0.0.0/8

However, when I try to collect data in pmacct (using the following
barebones config file), pmacctd captures NOTHING.
   pidfile: /var/run/pmacctd.pid
   interface: em2
   plugin_pipe_size: 10240000
   plugin_buffer_size: 10240
   daemonize: false
   debug: true

   imt_path[min]: /tmp/pmacct_in.pipe
   aggregate[min]: dst_host
   aggregate_filter[min]: dst net 10.0.0.0/8
   plugins: memory[min]


If I change the "aggregate_filter[min]" line so that it's invalid (e.g.
append "and ipv4" instead of "and ip" to the filter), then pmacct
captures the traffic, but it captures EVERYTHING (including ipv6
traffic, and traffic that isn't from/to 10.*).

I've replicated this behavior on my new host with pmacct 0.11.5,
.14.0rc3, and 1.5.0rc3.  I have also downloaded the latest libpcap
(1.6.1) and linked against it with the same behavior...

Is this expected behavior?  Or is something really broken on my system?
(I'm leaning towards the latter, but would like some confirmation.)

Thanks,

        - Daniel


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
