Hello Paolo,
Adding 'vlan' to the pcap filter resolved the issue! The standard output
from tcpdump didn't show any vlan encapsulation, but looking at the
pcap data in Wireshark did show that the traffic had VLAN headers in
the packets.
Thanks!
- Daniel
> Hi Daniel,
>
> Although if you just upgraded a system this should not be
> the case, is it possible you have somehow got vlans - and
> hence need to change your filter in:
>
> "vlan and dst net 10.0.0.0/8"
>
> If this is not the case: then I'm puzzled as the behaviour
> of aggregate_filter, based on underlying libpcap, did not
> change (i.e. take this as a confirmation). If nothing else
> helps, you can send me privately a brief capture of your
> traffic in pcap format so to reproduce it in lab against a
> pmacctd instance.
>
> Cheers,
> Paolo
>
> On Fri, Aug 22, 2014 at 06:18:29PM -0600, Daniel Carroll wrote:
> > I recently upgraded a Linux host I was running pmacctd on (including an
> > upgrade to pmacctd), and it no longer seems to behave like it did before,
> > and the difference seems to boil down to the behavior of
> > aggregate_filter. Have the semantics for it changed much?
> >
> > If I run tcpdump like the following, I see 500+ packets/second:
> > tcpdump -i em2 -nl dst net 10.0.0.0/8
> >
> > However, when I try to collect data in pmacct (using the following
> > barebones config file), pmacctd captures NOTHING.
> > pidfile: /var/run/pmacctd.pid
> > interface: em2
> > plugin_pipe_size: 10240000
> > plugin_buffer_size: 10240
> > daemonize: false
> > debug: true
> >
> > imt_path[min]: /tmp/pmacct_in.pipe
> > aggregate[min]: dst_host
> > aggregate_filter[min]: dst net 10.0.0.0/8
> > plugins: memory[min]
> >
> >
> > If I change the "aggregate_filter[min]" line so that it's invalid (e.g.
> > append "and ipv4" instead of "and ip" to the filter), then pmacct
> > captures the traffic, but it captures EVERYTHING (including ipv6
> > traffic, and traffic that isn't from/to 10.*).
> >
> > I've replicated this behavior on my new host with pmacct 0.11.5,
> > .14.0rc3, and 1.5.0rc3. I have also downloaded the latest libpcap
> > (1.6.1) and linked against it with the same behavior......
> >
> > Is this expected behavior? Or is something really broken on my system?
> > (I'm leaning towards the latter, but would like some confirmation.)
> >
> > Thanks,
> >
> > - Daniel
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
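
Added example, not part of the original thread and not pmacct or libpcap code: a Python sketch of the fixed-offset checks that a filter such as `dst net 10.0.0.0/8` amounts to on Ethernet, run over constructed frames with and without an 802.1Q tag, showing why the `vlan` keyword changes what matches. The helper names, addresses and VLAN ID are assumptions; libpcap itself compiles the filter to BPF instructions rather than running code like this.

```python
import ipaddress
import struct

ETH_IPV4 = 0x0800   # EtherType for IPv4
ETH_8021Q = 0x8100  # EtherType/TPID for an 802.1Q VLAN tag

def build_frame(dst_ip, vlan_id=None):
    """Constructed Ethernet frame with a bare 20-byte IPv4 header, optionally tagged."""
    eth = bytes(12)                                   # dst + src MAC, zeroed
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)  # 4-byte 802.1Q tag
    eth += struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("192.0.2.1").packed,  # constructed source
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip

def match_dst_net(frame, net, l2_off=0):
    """'dst net X' style test: EtherType at byte 12, IPv4 destination at bytes 30-33."""
    if len(frame) < 34 + l2_off:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12 + l2_off)
    if ethertype != ETH_IPV4:
        return False          # a tagged frame has 0x8100 here, so it never matches
    dst = ipaddress.IPv4Address(frame[30 + l2_off:34 + l2_off])
    return dst in ipaddress.ip_network(net)

def match_vlan_and_dst_net(frame, net):
    """'vlan and dst net X': require the 802.1Q tag, then shift later offsets by 4."""
    if len(frame) < 14:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETH_8021Q:
        return False          # untagged traffic is excluded once 'vlan' is in the filter
    return match_dst_net(frame, net, l2_off=4)

if __name__ == "__main__":
    samples = {"untagged": build_frame("10.1.2.3"),
               "vlan 100": build_frame("10.1.2.3", vlan_id=100)}
    for label, frame in samples.items():
        print(label,
              "| dst net:", match_dst_net(frame, "10.0.0.0/8"),
              "| vlan and dst net:", match_vlan_and_dst_net(frame, "10.0.0.0/8"))
```

Once `vlan` is in the expression, untagged frames stop matching, so a link carrying both tagged and untagged traffic needs both forms of the test.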