Hi Paolo,

1. OK! Indeed some specific doc for pmacct would be great, but there is already public doc (i.e. specific for Snort) that should be really easy to use for pmacct.

2. I don't get it. If I'm right, it is pmacct who receives traffic directly from the network (through libpcap) and generates the flows, so isn't it pmacct who generates these fields? If I do a tcpdump on the interface I can see resolution in ms. However, I did set "timestamps_secs: true" and now in nfsen it reports the start time at the Linux epoch (1970-01-01) and the duration reports that it takes until now (i.e. 1413383398.940 seconds).

NFSEN example, Top 10 IP Addr ordered by flows:

Date first seen          Duration        Proto  IP Addr          Flows(%)      Packets(%)     Bytes(%)      pps  bps  bpp
1970-01-01 01:00:00.000  1413383398.940  any    xxx.xx.xxx.xxx   3.2 M( 9.0)   10.7 M( 1.9)   2.2 G( 0.5)   0    12   204
1970-01-01 01:00:00.000  1413383398.992  any    xxx.xx.xxx.xxx   2.7 M( 7.5)   65.0 M(11.6)   61.9 G(13.0)  0    350  952

3. I don't fully understand the usage of 'aggregate_primitives'. Can I see a real example somewhere?

Thank you very much,
Xavi

-----Original Message-----
From: pmacct-discussion [mailto:[email protected]] On behalf of Paolo Lucente
Sent: Wednesday, 15 October 2014 10:47
To: [email protected]
Subject: Re: [pmacct-discussion] Using pmacct instead nprobe

Hi Xavier,

To your questions:

* No, you can't configure the amount of threads. pmacct uses coarse-grained multi-threading, meaning specific functions, i.e. BGP or IGP daemons, are embedded in a separate thread. Should you want to scale beyond a single core, you can use PF_RING as a "load-balancer" to multiple pmacctd's. I'm no expert on PF_RING but this has been done and, if you are interested, I can fetch the required info for you (maybe a good idea to build some basic public doc in this sense).

* About the specific FIRST_SWITCHED and LAST_SWITCHED issue: this is maybe because you receive times in msec resolution instead? I.e. you receive field types #152 and #153 instead of #21 and #22? If this is the case you can revert to secs counters by adding to your config: "timestamps_secs: true".

You can control the primitives via the 'aggregate' directive; finally, you can define your own primitives via the 'aggregate_primitives' directive (much has been done here already but much is yet to come, and should you have any feedback please let me know).

Cheers,
Paolo

On Tue, Oct 14, 2014 at 09:37:38AM +0000, Xavier Romero wrote:
> Hello,
>
> I just discovered pmacct yesterday by doing some Google search and I wanted
> to give it a try.
> Our scenario is pretty simple: we have a pair of Linux boxes receiving port
> mirrors from our network COREs which we use to generate netflows with nprobe
> and visualize them with nfsen and Kibana.
>
> We replaced nprobe with pmacct and a very simple configuration:
> daemonize: true
> interface: eth2
> aggregate: src_host, dst_host, src_port, dst_port, proto, tos
> plugins: nfprobe
> nfprobe_receiver: 10.60.1.69:9970
> nfprobe_version: 9
> pidfile: /var/run/pmacctd-eth2.pid
> syslog: daemon
>
> I'm so impressed with the performance, since it's being much less
> CPU-intensive than nprobe. But I have some doubts:
>
> * Is there any way to configure the thread number or something like this?
> I've enabled threads at compile time but I always see just 2 threads.
>
> * Can I configure which fields are being reported in the generated
> flow? By using pmacct instead of nprobe I realize that I'm missing some fields,
> i.e. FIRST_SWITCHED and LAST_SWITCHED. I see how I can define flow
> aggregation and the fields that can be used (-a) but not how to define which
> fields will be sent in the flow.
>
> Thank you!,
> Xavier Romero
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
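The epoch-zero start times and "duration since 1970" values Xavi pasted are easy to miss in a large nfsen report. The following is an added Python check, not code from the pmacct project or from anyone in this thread, that parses nfsen/nfdump-style top-N lines and flags records whose first-seen time sits at the Unix epoch or whose duration is implausibly long; the sample lines are constructed from the output quoted above, and the one-week duration threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed nfsen-style "Top 10" output, modelled on the lines quoted in the
# mail above (addresses are placeholders, as in the original post). The last
# line is a constructed healthy record for contrast.
SAMPLE_NFSEN_OUTPUT = """\
Date first seen          Duration        Proto  IP Addr          Flows(%)    Packets(%)   Bytes(%)    pps bps bpp
1970-01-01 01:00:00.000  1413383398.940  any    xxx.xx.xxx.xxx   3.2 M( 9.0) 10.7 M( 1.9) 2.2 G( 0.5) 0   12  204
1970-01-01 01:00:00.000  1413383398.992  any    xxx.xx.xxx.xxx   2.7 M( 7.5) 65.0 M(11.6) 61.9 G(13.0) 0  350 952
2014-10-15 14:29:58.940  0.512           TCP    10.0.0.42        1.0 M( 2.8) 3.1 M( 0.6) 1.1 G( 0.2) 0   10  300
"""

# Only the leading timing/proto/address columns are needed for this check.
RECORD_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<duration>\d+(?:\.\d+)?)\s+(?P<proto>\S+)\s+(?P<addr>\S+)"
)

# Assumption: no single flow record should span more than a week; tune this to
# the exporter's active timeout in your own deployment.
MAX_PLAUSIBLE_DURATION = 7 * 24 * 3600


def parse_records(text):
    """Yield (first_seen, duration_seconds, proto, addr) for each data line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # header line or something we cannot parse
        first_seen = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")
        yield first_seen, float(m["duration"]), m["proto"], m["addr"]


def find_timestamp_anomalies(text):
    """Return [(addr, reason)] for records whose timing fields look broken."""
    findings = []
    for first_seen, duration, proto, addr in parse_records(text):
        if first_seen.year == 1970:
            findings.append((addr, "first-seen at Unix epoch: exporter sent a zero start time"))
        elif duration > MAX_PLAUSIBLE_DURATION:
            findings.append((addr, f"implausible duration {duration:.0f}s"))
    return findings


if __name__ == "__main__":
    for addr, reason in find_timestamp_anomalies(SAMPLE_NFSEN_OUTPUT):
        print(f"{addr}: {reason}")
```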
