Hi Mike,

On Tue, Nov 17, 2009 at 02:27:06PM +0300, Mike Lykov wrote:
> > I would suggest a couple of checks:
> >
> > * see if HTTP traffic is reaped by some other classifier, but i guess
> >   you might have already checked that.
>
> if class_id = unknown, i think it's not this case.

Yes, correct. But are you getting all the web traffic? I mean, I see you are a) not collecting TCP/UDP ports and b) using an aggregate_filter. Is it web traffic the one left as "unknown" or something else? Any chance some web traffic is being filtered out, ie. because some mirrored data is VLAN-tagged? You can test this by commenting out the aggregate_filter.

> > * see if the HTTP classifier is written correctly. Not referring only
> >   to the regexp but to the overall syntax. The implemented format is
> >   *veeery* sensible to tabs, spaces, white lines, etc. So try to keep
> >   it essential. Strip comments and empty lines out.
>
> I delete all comments from file
>
> [r...@router ~]# cat /var/local/pmacct/classifiers/http.pat
> http
> http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d
> -~]*(connection:|content-type:|content-length:|date:)|post [\x09-\x0d -~]*
> http/[01]\.[019]
>
> What else may I try to?

Try with a simplified (and polished up) filter. See if the memory table plugin behaves any differently/better compared to the SQL one (this is an always-good troubleshooting step). Increase classification tentatives although with http traffic it should make no difference. After all, if http-marked traffic makes it in the database, as per your previous email, it means the regexp engine itself is working.

Cheers,
Paolo

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
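
The "keep it essential" advice above can be checked mechanically before a pattern file is handed to the collector. The following is an added example, not code from this thread or from pmacct: a small linter for a classifier pattern file plus a rough match test against a constructed HTTP response. It assumes the file layout shown in the post (protocol name on the first line, the whole regex on the second), and it uses Python's `re` on a lower-cased payload as a stand-in for the collector's own regexp engine, which may differ in details.

```python
import re

# HTTP pattern from the post, joined back onto one line (assumed to be its on-disk form).
HTTP_REGEX = (r"http/(0\.9|1\.0|1\.1) [1-5][0-9][0-9] [\x09-\x0d -~]*"
              r"(connection:|content-type:|content-length:|date:)"
              r"|post [\x09-\x0d -~]* http/[01]\.[019]")

def lint_pattern_file(text):
    """Return (issues, name, regex) for a two-line classifier pattern file."""
    issues, content = [], []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                       # one final newline is normal
    for n, line in enumerate(lines, 1):
        if not line.strip():
            issues.append(f"line {n}: empty line")
        elif line.lstrip().startswith("#"):
            issues.append(f"line {n}: comment")
        else:
            if "\t" in line:
                issues.append(f"line {n}: tab character")
            if line != line.strip():
                issues.append(f"line {n}: leading/trailing whitespace")
            content.append(line.strip())
    if len(content) != 2:                 # e.g. a regex wrapped over several lines
        issues.append(f"expected 2 content lines (name, regex), found {len(content)}")
        return issues, None, None
    name, regex = content
    try:
        re.compile(regex)
    except re.error as exc:
        issues.append(f"regex does not compile in Python re: {exc}")
    return issues, name, regex

def classify(regex, payload):
    """Approximate the classifier: search the lower-cased payload (assumption)."""
    return re.search(regex, payload.decode("latin-1").lower()) is not None

# Constructed sample inputs.
CLEAN = "http\n" + HTTP_REGEX + "\n"
MESSY = "# HTTP\nhttp\n\n" + HTTP_REGEX + " \n"
RESPONSE = b"HTTP/1.1 200 OK\r\nDate: Tue, 17 Nov 2009 11:27:06 GMT\r\n\r\n"

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("messy", MESSY)):
        issues, name, regex = lint_pattern_file(text)
        print(label, name, issues)
        if regex:
            print("  matches sample response:", classify(regex, RESPONSE))
```

A file whose regex has been wrapped across lines, as mail clients do to long lines, is reported by the content-line count check rather than silently treated as a shorter pattern.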