Evening,

Working with nfacctd today for the first time. Goal is to log semi-raw flow stats to a file in five minute chunks using the print plugin. Currently using this aggregation key:

aggregate: src_host, dst_host, src_port, dst_port, export_proto_seqno

We want to use the seqnum to detect whether or not we have lost flows.

History:

When I run this kind of tcpdump on the server:

tcpdump -i mgmt0 port 9996 -s 2000

I get 100% packet delivery, 0 kernel loss. When I take the seqnums out of that file, there is a static difference of 28 per seqnum, which is the number of flows exported per frame. The snaplen of 2k is critical for this to work properly. Each packet is 1.4k big, so this is a safe snaplen value. If I leave the tcpdump default of 65k snaplen, I immediately start experiencing packet loss at the kernel level.

nfacctd problems:

When I drum up a job in nfacctd to dump files every 5 minutes, I start seeing big gaps in sequence numbers, similar to when I left the default snaplen at 65k in tcpdump. But when I check the official nfacctd docs, the snaplen parameter does not gel with nfacctd. :(

This is the config I'm using:

=====
nfacctd_ip: xxxxxxxx
nfacctd_port: xxxx
plugin_buffer_size: 1310720
plugin_pipe_size: 134217728
nfacctd_disable_checks: false
!
plugins: print
!
aggregate: src_host, dst_host, src_port, dst_port, export_proto_seqno
!
print_refresh_time: 60
print_history: 1m
print_output: csv
print_output_file: /home/mzadmin/flows-%Y%m%d-%H%M.txt
print_output_file_append: true
print_history_roundoff: m
!
=====

The server is receiving approximately 500 UDP packets per second, which I _think_ translates to approximately 14,000 flows per second.

I think the key is adding some tuning parameters to my nfacctd.conf. I've just splashed in some numbers into buffer and pipe, but I don't know if those are ideal or if there are any other settings I should be tweaking. Anyone have some advice? I swear I'm rtfm, I just need an extra push!

Thanks for your attention, and kind regards,

-Matt Zulawski
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
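
The sequence-number gap check described in the message above, as an added example that is not part of the original post and is not pmacct code: it collects the distinct export sequence numbers from print-plugin style CSV and reports every jump larger than the per-packet stride, tolerating unsorted rows and a 32-bit counter wrap inside one file. The column name EXPORT_PROTO_SEQNO, the CSV layout and the sample rows are assumptions constructed for illustration; the stride of 28 is the value from the message and assumes every export packet is full.

```python
import csv
import io

SEQ_MOD = 2 ** 32  # assumption: the export sequence number is a 32-bit counter

# Constructed sample: unsorted rows, several flows per packet, a counter wrap,
# and two missing packets (sequence numbers 56 and 84) between 28 and 112.
SAMPLE_CSV = """\
SRC_IP,DST_IP,SRC_PORT,DST_PORT,EXPORT_PROTO_SEQNO,PACKETS,BYTES
192.0.2.10,198.51.100.5,51514,443,28,12,9400
192.0.2.10,198.51.100.5,51515,443,4294967240,3,180
192.0.2.11,198.51.100.7,40000,53,0,1,76
192.0.2.12,198.51.100.5,51000,80,112,40,51200
192.0.2.13,198.51.100.9,33333,22,4294967268,7,940
192.0.2.14,198.51.100.9,33334,22,112,2,120
"""

def seqnos_from_csv(text, column="EXPORT_PROTO_SEQNO"):
    """Distinct sequence numbers in the CSV text. The column name is an
    assumption; match it to the header line of your own output file."""
    return {int(row[column]) for row in csv.DictReader(io.StringIO(text))}

def order_with_wrap(seqnos):
    """Sort the numbers, then start the list just after the largest circular
    gap, so a counter wrap inside the file is not read as one huge loss."""
    s = sorted(seqnos)
    if len(s) < 2:
        return s
    deltas = [(s[(i + 1) % len(s)] - s[i]) % SEQ_MOD for i in range(len(s))]
    start = (deltas.index(max(deltas)) + 1) % len(s)
    return s[start:] + s[:start]

def find_gaps(seqnos, stride=28):
    """Return (last_seen, next_seen, missing_flows) for each jump larger than
    stride, the number of flows carried by one export packet."""
    ordered = order_with_wrap(seqnos)
    gaps = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = (cur - prev) % SEQ_MOD
        if delta > stride:
            gaps.append((prev, cur, delta - stride))
    return gaps

if __name__ == "__main__":
    for prev, cur, missing in find_gaps(seqnos_from_csv(SAMPLE_CSV)):
        print(f"gap after seqno {prev}: next seen {cur}, {missing} flows missing")
```

Running the same check over a tcpdump-derived list of sequence numbers and over the nfacctd output for the same interval shows whether the loss happens before or inside the collector.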
