Hi Daniel, Although if you just upgraded a system this should not be the case, is it possible you have somehow got vlans - and hence need to change your filter in:
"vlan and dst net 10.0.0.0/8" If this is not the case: then i'm puzzled as the behaviour of aggregate_filter, based on underlying libpcap, did not change (ie. take this as a confirmation). If nothing else helps, you can send me privately a brief capture of your traffic in pcap format so to reproduce it in lab against a pmacctd instance. Cheers, Paolo On Fri, Aug 22, 2014 at 06:18:29PM -0600, Daniel Carroll wrote: > I recently upgraded a linux host I was running pmacctd on (including an > upgrade to pmacctd), and it no longer seems to behave like it did before, > and the difference seems to boil down to the behavior of > aggregate_filter. Have the semantics for it changed much? > > If I run tcpdump like the following, I see 500+ packets/second: > tcpdump -i em2 -nl dst net 10.0.0.0/8 > > However, when I try to collect data in pmacct (using the following > barebones config file), pmacctd captures NOTHING. > pidfile: /var/run/pmacctd.pid > interface: em2 > plugin_pipe_size: 10240000 > plugin_buffer_size: 10240 > daemonize: false > debug: true > > imt_path[min]: /tmp/pmacct_in.pipe > aggregate[min]: dst_host > aggregate_filter[min]: dst net 10.0.0.0/8 > plugins: memory[min] > > > If I change the "aggregate_filter[min]" line so that it's invalid (e.g. > append "and ipv4" instead of "and ip" to the filter), then pmacct > captures the traffic, but it captures EVERYTHING (including ipv6 > traffic, and traffic that isn't from/to 10.*). > > I've replicated this behavior on my new host with pmacct 0.11.5, > .14.0rc3, and 1.5.0rc3. I have also downloaded the latest libpcap > (1.6.1) and linked against it with the same behavior...... > > Is this expected behavior? Or is something really broken on my system? > (I'm leaning towards the latter, but would like some confirmation.) > > Thanks, > > - Daniel > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
