Hi,

To confirm, all daemons (pmacctd included) read a given file once. From what I read you really want to do live collection off of an interface.

Paolo

On Sat, Aug 11, 2018 at 12:34:41AM +0530, RAJESH KUMAR S.R wrote:
> Looked at the CONFIG-KEYS doc and there were options for pcap files, so I
> tried with
> "
> pcap_savefile: temp.pcap
> savefile_wait: true
> "
>
> But the pmacctd is reading only once, even though the file is updated with
> new packets, I'm not able to see new data on pmacct side.
>
> On Sat, Aug 11, 2018 at 12:15 AM, RAJESH KUMAR S.R <[email protected]>
> wrote:
>
> > Hi,
> >
> > I'm new to pmacct.
> > I need few clarifications regarding this tool
> >
> > I have a doubt regarding using a pcap file as input to pmacct
> > I'm trying to give a pcap file as input that gets updated continuously.
> >
> > "sudo pmacctd -D -P print -r 30 -I temp.pcap -c etype,src_host,dst_host"
> >
> > The pmacctd tool exits after displaying a list of flows.
> > $ sudo pmacctd -P print -r 30 -I temp.pcap -c etype,src_host,dst_host
> > .......
> > 800 172.24.1.186
> > 224.0.0.251 1 69
> > INFO ( default_print/print ): *** Purging cache - END (PID: 12988, QN:
> > 272/272, ET: 0) ***
> > INFO ( default/core ): OK, Exiting ...
> >
> > But, the file is updated continuously. Is there any configuration to read
> > from the file continuously?
> > Also, is it possible to provide pcap input in .conf file? I used "
> > pcap_interface: file_path" , but it is not working.
> >
> > Another doubt is regarding Netflow export,
> > I used pmacctd with following configuration
> >
> > "
> > daemonize:false
> > pcap_interface:eth0
> > aggregate: src_host, dst_host, src_port, dst_port, proto, tos, class
> > plugins: nfprobe, print
> > nfprobe_receiver: 127.0.0.1:2100
> > nfprobe_version: 9
> > "
> > and nfacctd with this configuration.
> > "
> > daemonize: false
> > nfacctd_ip: 127.0.0.1
> > nfacctd_port: 2100
> > plugins: memory[display], print
> > aggregate: src_host, dst_host, src_port, dst_port, proto, tos
> > "
> >
> > nfacctd is displaying the data but most of the time exact match is not
> > there between the printed data I'm seeing in pmacctd and nfacctd.
> > Also, the nfacctd doesn't start collecting immediately, it takes some time
> > for getting printed output in nfacctd side whereas pmacctd continuously
> > prints aggregated data.
> >
> > I'm not sure where I'm going wrong.
> >
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
