Re: [pmacct-discussion] Large number of threads

2006-10-18 Thread Chris Wilson
Hi Paolo,

On Wed, 18 Oct 2006, Paolo Lucente wrote:

> If you see, such processes are not taking CPU, they are just laying out 
> there. This is because they are all on their LOCK, waiting for the green 
> light. LOCK serializes things: selects one of those processes, allows it 
> to do its job and terminate, then selects another one, etc.

I think you're right that they weren't taking CPU, but they do take 
memory. And creating increasing numbers of them is unlikely to help the 
box come back to life after such an incident.

> You should avoid such a queue coming up. It might be related to the low 
> specs box. But it might also be that you are not aggregating things that 
> much (are you?). Take a look at the discussion that happened on the list 
> earlier this month about database, performances, etc. Then, using MySQL, 
> you can also take a look at the following configuration directives in 
> CONFIG-KEYS: sql_dont_try_update and sql_multi_values. They usually 
> help.

It seems to be partly related to this. The problem is that I do actually 
want to log a lot of data, and I want to see how much I can get away with 
on this old box. Preferably without killing it, because it's also our 
firewall and LDAP server. And it seems to be doing fine under normal 
conditions. But when the box does get overloaded, pmacct doesn't degrade 
gracefully.

The original source of the problem is actually horde, which I'm trying to 
set up for use with pmacct-fe. While I'm configuring it, it keeps getting 
into a state where it just does infinite loops. Before I reined in the 
Apache configuration, it also tried to create 150 apache processes which 
is what brought the box to its knees.

It's a shame that I probably won't be able to even try pmacct-fe if I 
can't get Horde working, because it looks good and I really want to try 
it.

Cheers, Chris.
-- 
(aidworld) chris wilson | chief engineer (http://www.aidworld.org)

___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists


Re: [pmacct-discussion] Large number of threads

2006-10-18 Thread Paolo Lucente
Hi Chris,

On Wed, Oct 18, 2006 at 07:01:07PM +0100, Chris Wilson wrote:

> of memory (due to Apache I think), pmacctd started spawning more threads 
> to write to the database. I ended up with 73 processes/threads in total, 
> almost all database writers.
> 
> Is this really a good idea? Wouldn't it be better to serialise database 
> writes to some extent, to degrade gracefully rather than spiralling to 
> death? Or is this already possible and I missed the config option?

If you see, such processes are not taking CPU, they are just laying out
there. This is because they are all on their LOCK, waiting for the green
light. LOCK serializes things: selects one of those processes, allows it
to do its job and terminate, then selects another one, etc. 

You should avoid such a queue coming up. It might be related to the low
specs box. But it might also be that you are not aggregating things that
much (are you?). Take a look at the discussion that happened on the list
earlier this month about database, performances, etc. Then, using MySQL,
you can also take a look at the following configuration directives in
CONFIG-KEYS: sql_dont_try_update and sql_multi_values. They usually help.

Cheers,
Paolo




Re: [pmacct-discussion] Classification

2006-10-18 Thread Paolo Lucente
Hi Chris,

On Wed, Oct 18, 2006 at 02:31:48PM +0100, Chris Wilson wrote:

> I'd be interested to know if anyone has combined layer 7 classification 
> with pmacct's traffic aggregation. For example, I would like to combine 
> all Kazaa traffic (per minute) into a single counter.

It's already there, you can take a look at the "VIII. Quickstart guide to
packet classifiers" chapter in EXAMPLES. pmacct is using l7-filter stuff
to do the job. So you can just get classifiers of your interest from their
website, push them on your disk, and let pmacct know where they are. Also,
pmacct supports shared object classifiers. This means you can grab code of
your interest (i.e. kazaa) from ipp2p, make it a shared object, build the
hooks (you can look into the existing edonkey example) and push the file
in the classifiers directory. That's pretty much the way to follow for
all non string-oriented protocols.

> use this hook in pmacct to grab data from the conntrack table. I don't 
> want to classify in user space because I also want to do traffic shaping 
> on P2P flows, which seems to require it to be done in the kernel, and I 
> don't want to do it twice.

Yes, traffic shaping between interfaces should be better done in kernel.
And I fully agree with you: doing the job twice is not a great idea. So, if
you can see a way to, say, get the flows from libpcap and classification
info from the kernel, just let me/us know as it sounds like a good idea!

Cheers,
Paolo



[pmacct-discussion] Large number of threads

2006-10-18 Thread Chris Wilson
Hi all,

I'm running pmacct on a fairly low spec box (Celeron 366, 128 Mb RAM) with 
a MySQL database. It started off fine, but as the box started to run out 
of memory (due to Apache I think), pmacctd started spawning more threads 
to write to the database. I ended up with 73 processes/threads in total, 
almost all database writers.

Is this really a good idea? Wouldn't it be better to serialise database 
writes to some extent, to degrade gracefully rather than spiralling to 
death? Or is this already possible and I missed the config option?

Thanks in advance for your help.

Cheers, Chris.
-- 
(aidworld) chris wilson | chief engineer (http://www.aidworld.org)



Re: [pmacct-discussion] Classification

2006-10-18 Thread Jaime Nebrera
On Wed, 18-10-2006 at 14:31 +0100, Chris Wilson wrote:
> Hi all,
> 
> I'd be interested to know if anyone has combined layer 7 classification 
> with pmacct's traffic aggregation. For example, I would like to combine 
> all Kazaa traffic (per minute) into a single counter.

[...]


  Hi Chris,

  Basic l7 classification is already available in pmacct, Paolo will
surely be able to comment on this. Actually, it is available both in
the probe and in the collector (NFv9 or sFlow).

  We are working with Paolo to improve this classification using a
different schema: use threads inside pmacct and if available use the
help of a hardware classification device.

  At the same time I like your idea of using state table information
from Netfilter. As you say, it is quite stupid to have to classify the
package twice. So if you have any ideas for this, Paolo and us would
surely be interested in them.

  Regards

-- 
Jaime Nebrera - [EMAIL PROTECTED]
IT Consultant - ENEO Tecnologia SL
Pol. PISA - C/ Manufactura 6, P1, 3B
Mairena del Aljarafe - 41927 - Sevilla
Tel.- 955 60 11 60 / 619 04 55 18



[pmacct-discussion] Classification

2006-10-18 Thread Chris Wilson
Hi all,

I'd be interested to know if anyone has combined layer 7 classification 
with pmacct's traffic aggregation. For example, I would like to combine 
all Kazaa traffic (per minute) into a single counter.

I'm trying to figure out how this would be done, and it seems tricky. 
pmacct doesn't seem to have an internal mechanism where the classifier 
could be attached, so I guess I would have to at least add some code for 
that.

The most popular Linux classifiers seem to be l7-filter and ipp2p, both of 
which run in kernel space and work with Netfilter Conntrack. So I could 
use this hook in pmacct to grab data from the conntrack table. I don't 
want to classify in user space because I also want to do traffic shaping 
on P2P flows, which seems to require it to be done in the kernel, and I 
don't want to do it twice.

Another option might be to export classified packets from the kernel with 
ULOG (or divert sockets on BSD), find a way to include the netfilter 
mark/connmark in the exported packets, and replace the pcap capture code 
with ULOG/divert capture code.

Does anyone have any thoughts on this?

Cheers, Chris.
-- 
(aidworld) chris wilson | chief engineer (http://www.aidworld.org)



[pmacct-discussion] Quiet mode and clearing counters

2006-10-18 Thread Chris Wilson

Hi all,

I just started using pmacct and it looks very nice. Thanks for all your 
hard work!


I discovered it by accident while searching for process accounting tools. 
It doesn't seem to be widely known. I have spent a lot of time searching 
for netflow probes and aggregation/graphing tools, and never found this 
one before.


I made a small patch that adds a "-q" option to pmacct, which removes the 
header and footer from the "-s" option. This makes it easier to work with 
in scripts. Please find attached.


I couldn't understand the "pmacct -t" option (memory table stats). It just 
prints incrementing numbers, seemingly forever, and when I kill the 
process with ^C, pmacctd stops talking to the pipe and needs to be 
restarted (potential DoS problem).


This line in pmacct.c:

  else if (want_erase) printf("OK: Clearing stats.\n");

prints a message but does nothing else. That doesn't seem very useful.

Cheers, Chris.
--
(aidworld) chris wilson | chief engineer (http://www.aidworld.org)

Only in pmacct-chris: config.cache
Only in pmacct-chris: config.log
Only in pmacct-chris: config.status
Only in pmacct-chris: Makefile
Only in pmacct-chris: pmacctd.conf
Only in pmacct-chris/src: acct.o
Only in pmacct-chris/src: addr.o
Only in pmacct-chris/src: bpf_filter.o
Only in pmacct-chris/src: cfg_handlers.o
Only in pmacct-chris/src: cfg.o
Only in pmacct-chris/src: classifier.o
Only in pmacct-chris/src: conntrack.o
Only in pmacct-chris/src: imt_plugin.o
Only in pmacct-chris/src: ip_flow.o
Only in pmacct-chris/src: ip_frag.o
Only in pmacct-chris/src: ll.o
Only in pmacct-chris/src: log.o
Only in pmacct-chris/src: Makefile
Only in pmacct-chris/src: memory.o
Only in pmacct-chris/src: net_aggr.o
Only in pmacct-chris/src: nfacctd
Only in pmacct-chris/src: nfacctd.o
Only in pmacct-chris/src/nfprobe_plugin: convtime.o
Only in pmacct-chris/src/nfprobe_plugin: libnfprobe_plugin.a
Only in pmacct-chris/src/nfprobe_plugin: Makefile
Only in pmacct-chris/src/nfprobe_plugin: netflow1.o
Only in pmacct-chris/src/nfprobe_plugin: netflow5.o
Only in pmacct-chris/src/nfprobe_plugin: netflow9.o
Only in pmacct-chris/src/nfprobe_plugin: nfprobe_plugin.o
Only in pmacct-chris/src/nfprobe_plugin: strlcat.o
Only in pmacct-chris/src: nfv8_handlers.o
Only in pmacct-chris/src: nfv9_template.o
Only in pmacct-chris/src: pkt_handlers.o
Only in pmacct-chris/src: plugin_hooks.o
Only in pmacct-chris/src: pmacct
diff -ru pmacct-0.11.0/src/pmacct.c pmacct-chris/src/pmacct.c
--- pmacct-0.11.0/src/pmacct.c  2006-06-26 14:24:23.0 +0100
+++ pmacct-chris/src/pmacct.c   2006-10-18 14:19:18.0 +0100
@@ -274,6 +274,7 @@
   fetch_from_file = FALSE;
   what_to_count = FALSE;
   have_wtc = FALSE;
+  int quiet_flag = FALSE;
 
   while (!errflag && ((cp = getopt(argc, argv, ARGS_PMACCT)) != -1)) {
 switch (cp) {
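Review bot: "int quiet_flag = FALSE;" is declared after the assignment statements (fetch_from_file, what_to_count, have_wtc), and a declaration following statements in the same block is rejected by C89 compilers. Declare quiet_flag together with the function's other locals and keep only the assignment "quiet_flag = FALSE;" at this point.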
@@ -439,6 +440,9 @@
   q.type |= WANT_RESET;
   want_reset = TRUE;
   break;
+case 'q':
+  quiet_flag = TRUE;
+  break;
 default:
   printf("ERROR: parameter %c unknown! \n  Exiting...\n\n", cp);
   usage_client(argv[0]);
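Review bot: the new case 'q' comes with no documentation; the default branch right below it calls usage_client(argv[0]), and no hunk in this patch adds -q to the usage text. Add a usage line for -q saying that it suppresses the header and footer of the -s output.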
@@ -777,7 +781,11 @@
   }
 }
 
-write_stats_header(what_to_count, have_wtc);
+if (!quiet_flag)
+{
+  write_stats_header(what_to_count, have_wtc);
+}
+
 elem = largebuf+sizeof(struct query_header);
 unpacked -= sizeof(struct query_header);
 while (printed < unpacked) {
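Review bot: the guard around write_stats_header() puts the opening brace on its own line and wraps a single statement in braces, while the code visible in this patch keeps the brace on the same line ("while (printed < unpacked) {") and writes single statements inline ("else if (want_erase) printf(...)"). Match the file's style, for example "if (!quiet_flag) write_stats_header(what_to_count, have_wtc);".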
@@ -865,7 +873,10 @@
   elem += sizeof(struct pkt_data);
   printed += sizeof(struct pkt_data);
 }
-printf("\nFor a total of: %d entries\n", counter);
+if (!quiet_flag)
+{
+  printf("\nFor a total of: %d entries\n", counter);
+}
   }
   else if (want_erase) printf("OK: Clearing stats.\n");
   else if (want_status) {
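Review bot: quiet_flag is only honoured for the "For a total of: %d entries" footer; the want_erase branch in the trailing context still prints "OK: Clearing stats." unconditionally when -q is given. Either check quiet_flag in the other output branches as well, or document -q as affecting only the -s output so script authors do not expect silence elsewhere.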
Only in pmacct-chris/src: pmacctd
diff -ru pmacct-0.11.0/src/pmacct-defines.h pmacct-chris/src/pmacct-defines.h
--- pmacct-0.11.0/src/pmacct-defines.h  2006-09-20 17:13:17.0 +0100
+++ pmacct-chris/src/pmacct-defines.h   2006-10-18 12:50:03.0 +0100
@@ -23,7 +23,7 @@
 #define ARGS_NFACCTD "n:dDhP:b:f:F:c:m:p:r:s:S:L:l:v:o:R"
 #define ARGS_SFACCTD "n:dDhP:b:f:F:c:m:p:r:s:S:L:l:v:o:R"
 #define ARGS_PMACCTD "n:NdDhP:b:f:F:c:i:I:m:p:r:s:S:v:o:wWL:"
-#define ARGS_PMACCT "Ssc:Cetm:p:P:M:arN:n:l"
+#define ARGS_PMACCT "Ssqc:Cetm:p:P:M:arN:n:l"
 #define N_PRIMITIVES 21
 #define N_FUNCS 10 
 #define MAX_N_PLUGINS 32
Only in pmacct-chris/src: pmacctd.o
Only in pmacct-chris/src: pmacct.o
Only in pmacct-chris/src: ports_aggr.o
Only in pmacct-chris/src: pretag_handlers.o
Only in pmacct-chris/src: pretag.o
Only in pmacct-chris/src: print_plugin.o
Only in pmacct-chris/src: regexp.o
Only in pmacct-chris/src: regsub.o
Only in pmacct-chris/src: server.o
Only in pmacct-chris/src: setproctitle.o
Only in pmacct-chris/src: sfacctd
Only in pmacct-chris/src: sfacctd.o
Only in pmacct-chris/src/sfprobe_plugin: libsfprobe_plugin.a
Only in pmacct-chris/src/sfprobe_plugin: Makefile
Only in pmacct-chris/src/sfprobe_plugin: sflow_agent.o
Only in pmacct-chris/