Hello, I have a problem with pmacct acting as a NetFlow agent/probe. I want to monitor traffic passing a cisco 4900. The probe is connected to the switch with 10Gbps link and on the switch there is a span port configured. Also I am using PF_RING on the probe and pmacct is compiled with custom libpcap provided with the PF_RING. The problem is that despite the fact that the interface gets from the switch traffic up to 3.3 Gbps (707Kpps) the pmacct reports up to 850Mbps (200Kpps, 50k flows/s). I have tried to modify the plugin_pipe_size, plugin_buffer_size, snaplen, changed the agregate config, nfprobe timeouts, maxflows, version and nothing helped. I get best results with just the simplest config but the I have a lot of errors like this:
May 31 09:16:09 sonda-plix pmacctd[19736]: ERROR ( all/nfprobe ): We are missing data. May 31 09:16:09 sonda-plix pmacctd[19736]: If you see this message once in a while, discard it. Otherwise some solutions follow: May 31 09:16:09 sonda-plix pmacctd[19736]: - increase shared memory size, 'plugin_pipe_size'; now: '3407664'. May 31 09:16:09 sonda-plix pmacctd[19736]: - increase buffer size, 'plugin_buffer_size'; now: '208'. May 31 09:16:09 sonda-plix pmacctd[19736]: - increase system maximum socket size.#012 When I increase the plugin_pipe_size the reported the errors stops, but the results drops dramaticly. Also, the softflowd has a softwlowctl to check statistics of the netflows (active flows, processed packets etc.). Is there a posibility to check those values with pmacct? The probe is a: Linux sonda-plix 3.0.0-19-server #33-Ubuntu SMP Thu Apr 19 20:32:48 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux 1 cpu with 4 cores Intel Xeon CPU 2.33GHz MemTotal: 16461176 kB pmacct config file: daemonize: true interface: eth2 syslog: daemon snaplen: 1600 plugins: nfprobe[all] !plugin_buffer_size: 10240 !plugin_pipe_size: 81920000 !plugin_pipe_size[all]: 409600000 nfprobe_receiver[all]: 10.3.10.102:9996 nfprobe_version[all]: 9 nfprobe_maxflows[all]: 3000000 nfprobe_timeouts[all]: tcp=60:tcp.rst=1:tcp.fin=1:udp=10:icmp=10:general=120:maxlife=120:expint=1 aggregate[all]: src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows,tcpflags,cos,src_as,dst_as networks_file: ./parsed_bgp nfacctd_as_new: true cat /proc/net/pf_ring/info PF_RING Version : 5.3.0 ($Revision: exported$) Ring slots : 1024000 Slot version : 13 Capture TX : No [RX only] IP Defragment : No Socket Mode : Quick Transparent mode : No (mode 2) Total rings : 1 Total plugins : 0 cat /proc/net/pf_ring/19854-eth2.3 Bound Device(s) : eth2 Slot Version : 13 [5.3.0] Active : 1 Breed : Non-DNA Sampling Rate : 1 Capture Direction : RX+TX Socket Mode : RX+TX Appl. Name : <unknown> IP Defragment : No BPF Filtering : Enabled # Sw Filt. Rules : 0 # Hw Filt. Rules : 0 Poll Pkt Watermark : 1 Num Poll Calls : 66046731 Channel Id : -1 Cluster Id : 0 Min Num Slots : 1315855 Bucket Len : 1600 Slot Len : 1632 [bucket+header] Tot Memory : -2147483648 Tot Packets : 276323830 Tot Pkt Lost : 0 Tot Insert : 276323830 Tot Read : 276323499 Insert Offset : 1101487239 Remove Offset : 1101319525 Tot Fwd Ok : 0 Tot Fwd Errors : 0 Num Free Slots : 1315524 I am exporting the netflows to nfsen collector. Could You please help me with this problem? Regards, Marcin _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
