Not sure if anyone is still out there -- I'm running into issues with
fprobe-ulog and thought I'd ask. :)

Have a Linux box with an interface connected to a span port on one of
our primary uplinks.  The link is nearly saturated so there's routinely
800+Mbps of traffic coming in to the interface on the Linux box.

pcap based fprobe by itself is *probably* dropping packets -- I really
don't know how to confirm this, but tcpdump reports it's dropping
packets so presumably fprobe would as well since they both depend on
pcap.  Regardless, I'm seeing well over 50K+ pps on this interface
using the pcap based fprobe.

Am trying to use fprobe-ulog, but since our interface doesn't have an
IP on it, had to enable bridge-netfilter, set up a bridge interface
with the real interface as the sole member, and am using the following
to emit ulog packet information:

    iptables -A PREROUTING -t nat -i br3 -j ULOG --ulog-nlgroup 3 \
      --ulog-cprange 256

iptables -L -v -x -n counters show ~75K pps and ulogd with the pcap
plugin shows something similar.

(Oddly enough, though counters increment the same way when using the
PREROUTING chain in the "raw" table vs. nat, the information doesn't
seem to reach userspace)

However, fprobe-ulog seems to be emitting information about _far_ fewer
packets and I'm not sure why.

Am using the following command:

    fprobe-ulog -U 3 -B4096 -r2 -q10000 -t10000:10000000 127.0.0.1:9993

But can see via tcpdump -i lo port 9993 that not much flow information
is being sent to my collector, and a review of the flow information
shows only ~5700 pps -- much worse than the pcap-based fprobe!

Any idea where I'm going wrong here?

Thanks,
Ray
_______________________________________________
Flow-tools mailing list
[email protected]
http://mailman.splintered.net/mailman/listinfo/flow-tools
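
One way to put a number on the gap described in the post, as an added example that is not part of the original message or of fprobe: total the per-flow packet counts in the export datagrams the collector received and compare that rate with the iptables counter rate, using the header's flow_sequence to tell lost export datagrams apart from packets the probe never accounted for. It assumes the probe exports NetFlow v5; `parse_v5`, `summarize`, `build_v5` and the sample datagrams are hypothetical names and constructed data.

```python
import struct

HDR = struct.Struct("!HHIIIIBBH")             # NetFlow v5 header, 24 bytes
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Return (flow_sequence, [dPkts of each record]) for one export datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, _ = HDR.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("record count exceeds datagram length")
    pkts = [REC.unpack_from(datagram, HDR.size + i * REC.size)[5]
            for i in range(count)]
    return seq, pkts

def summarize(datagrams, seconds, kernel_pps):
    """Compare the exported packet rate with the kernel counter rate."""
    total_pkts = flows = lost_flows = 0
    expected = None
    for d in datagrams:
        seq, pkts = parse_v5(d)
        # flow_sequence counts the flows exported before this datagram, so a
        # jump means export datagrams never reached the collector.
        if expected is not None and seq != expected:
            lost_flows += (seq - expected) & 0xFFFFFFFF
        expected = (seq + len(pkts)) & 0xFFFFFFFF
        total_pkts += sum(pkts)
        flows += len(pkts)
    pps = total_pkts / seconds
    return {"flows": flows, "lost_flows": lost_flows,
            "exported_pps": pps, "coverage": pps / kernel_pps}

def build_v5(seq, pkt_counts):
    """Constructed sample datagram: only count, flow_sequence, dPkts matter."""
    recs = b"".join(REC.pack(0, 0, 0, 0, 0, n, n * 64, 0, 0, 0, 0,
                             0, 0, 6, 0, 0, 0, 0, 0, 0) for n in pkt_counts)
    return HDR.pack(5, len(pkt_counts), 0, 0, 0, seq, 0, 0, 0) + recs

# Constructed 10-second sample; the datagram carrying flows 3-4 is missing.
SAMPLE = [build_v5(0, [30000, 20000]), build_v5(2, [4000]), build_v5(5, [3000])]

if __name__ == "__main__":
    print(summarize(SAMPLE, seconds=10, kernel_pps=75000))
```

Fed the UDP payloads received on the collector port, a low `coverage` with `lost_flows` at zero suggests the shortfall is upstream of the export (probe or ULOG/netlink path) rather than in datagram delivery. Flows still active at the end of the window are not yet exported, so measure over an interval longer than the probe's active timeout.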