From anandb at ripe.net Tue Jul 9 15:00:35 2013 From: anandb at ripe.net (Anand Buddhdev) Date: Tue, 09 Jul 2013 17:00:35 +0200 Subject: [dsc] Duplicate packets captured Message-ID: <51DC2593.7000206@ripe.net> Hello DSC users, We've noticed a strange issue with our DSC installation. We have a CentOS 6 server, with libpcap 1.0.0 (part of the base CentOS installation). We run multiple collectors, with configurations like these: interface eth0; local_address 193.0.9.X; local_address 2001:67c:e0::X; bpf_program "host 193.0.9.X or host 2001:67c:e0::X"; run_dir "/export/dsc/data.X"; pid_file "/var/run/dsc.X.pid"; minfree_bytes 5000000; We run the collector like this: "dsc -f /etc/dsc.X.conf". We are not using the "-p" option. We know from our BIND server stats and from interface packet counts that this server receives about 20,000 q/s in total to its various IP addresses. However, our DSC graphs show this server as receiving over 70,000 q/s. The pcap_stats.dat files show: 1373241600 filter_received eth0:1116957 pkts_captured eth0:1064507 kernel_dropped eth0:52454 1373241660 filter_received eth0:1170577 pkts_captured eth0:1086713 kernel_dropped eth0:83863 1373241720 filter_received eth0:1179544 pkts_captured eth0:1114259 kernel_dropped eth0:65283 In comparison, on a similar box, which also receives about 20,000 q/s, and with identical configuration for the collectors, the graphs show an accurate query rate. Also, the pcap_stats.dat files show: 1373241600 filter_received eth0:28470 pkts_captured eth0:28470 1373241660 filter_received eth0:24789 pkts_captured eth0:24788 1373241720 filter_received eth0:28389 pkts_captured eth0:28385 Has anyone else experienced this phenomenon where the dsc collector is counting packets more than once, and exaggerating the query rates? If so, is it a libpcap issue or bug? Is there any known work-around? Regards, Anand From howard.m.kash.civ at mail.mil Tue Jul 9 15:32:28 2013 From: howard.m.kash.civ at mail.mil (Kash, Howard M CIV (US)) Date: Tue, 9 Jul 2013 15:32:28 +0000 Subject: [dsc] Duplicate packets captured (UNCLASSIFIED) In-Reply-To: <51DC2593.7000206@ripe.net> References: <51DC2593.7000206@ripe.net> Message-ID: <8B01299690A8A94AB8629283FAFED8F1343514B0@umechpha.easf.csd.disa.mil> Classification: UNCLASSIFIED Caveats: NONE I believe the address(es) of the server (local_address values) are automatically included in the BPF filter. Also putting them in bpf_program may result in duplicates? Normally the bpf_program is just "port 53". Howard -----Original Message----- From: dsc-bounces at measurement-factory.com [mailto:dsc-bounces at measurement-factory.com] On Behalf Of Anand Buddhdev Sent: Tuesday, July 09, 2013 11:01 AM To: dsc at measurement-factory.com Subject: [dsc] Duplicate packets captured Hello DSC users, We've noticed a strange issue with our DSC installation. We have a CentOS 6 server, with libpcap 1.0.0 (part of the base CentOS installation). We run multiple collectors, with configurations like these: interface eth0; local_address 193.0.9.X; local_address 2001:67c:e0::X; bpf_program "host 193.0.9.X or host 2001:67c:e0::X"; run_dir "/export/dsc/data.X"; pid_file "/var/run/dsc.X.pid"; minfree_bytes 5000000; We run the collector like this: "dsc -f /etc/dsc.X.conf". We are not using the "-p" option. We know from our BIND server stats and from interface packet counts that this server receives about 20,000 q/s in total to its various IP addresses. However, our DSC graphs show this server as receiving over 70,000 q/s. The pcap_stats.dat files show: 1373241600 filter_received eth0:1116957 pkts_captured eth0:1064507 kernel_dropped eth0:52454 1373241660 filter_received eth0:1170577 pkts_captured eth0:1086713 kernel_dropped eth0:83863 1373241720 filter_received eth0:1179544 pkts_captured eth0:1114259 kernel_dropped eth0:65283 In comparison, on a similar box, which also receives about 20,000 q/s, and with identical configuration for the collectors, the graphs show an accurate query rate. Also, the pcap_stats.dat files show: 1373241600 filter_received eth0:28470 pkts_captured eth0:28470 1373241660 filter_received eth0:24789 pkts_captured eth0:24788 1373241720 filter_received eth0:28389 pkts_captured eth0:28385 Has anyone else experienced this phenomenon where the dsc collector is counting packets more than once, and exaggerating the query rates? If so, is it a libpcap issue or bug? Is there any known work-around? Regards, Anand _______________________________________________ dsc mailing list dsc at measurement-factory.com http://www.measurement-factory.com/mailman/listinfo/dsc Classification: UNCLASSIFIED Caveats: NONE From thomas at dupas.be Tue Jul 9 15:37:40 2013 From: thomas at dupas.be (Thomas Dupas) Date: Tue, 9 Jul 2013 17:37:40 +0200 Subject: [dsc] Duplicate packets captured (UNCLASSIFIED) In-Reply-To: <8B01299690A8A94AB8629283FAFED8F1343514B0@umechpha.easf.csd.disa.mil> References: <51DC2593.7000206@ripe.net> <8B01299690A8A94AB8629283FAFED8F1343514B0@umechpha.easf.csd.disa.mil> Message-ID: We are running a multi-instance dsc collector on our nameservers. I'm fairly certain that the local_address values are not included in the bpf_program filter, since we were receiving duplicate packets over the multiple instances at first. I believe the local_address is only used for things like "direction" of a packet etc? Br, Thomas On 09 Jul 2013, at 17:32, "Kash, Howard M CIV (US)" > wrote: Classification: UNCLASSIFIED Caveats: NONE I believe the address(es) of the server (local_address values) are automatically included in the BPF filter. Also putting them in bpf_program may result in duplicates? Normally the bpf_program is just "port 53". Howard -----Original Message----- From: dsc-bounces at measurement-factory.com [mailto:dsc-bounces at measurement-factory.com] On Behalf Of Anand Buddhdev Sent: Tuesday, July 09, 2013 11:01 AM To: dsc at measurement-factory.com Subject: [dsc] Duplicate packets captured Hello DSC users, We've noticed a strange issue with our DSC installation. We have a CentOS 6 server, with libpcap 1.0.0 (part of the base CentOS installation). We run multiple collectors, with configurations like these: interface eth0; local_address 193.0.9.X; local_address 2001:67c:e0::X; bpf_program "host 193.0.9.X or host 2001:67c:e0::X"; run_dir "/export/dsc/data.X"; pid_file "/var/run/dsc.X.pid"; minfree_bytes 5000000; We run the collector like this: "dsc -f /etc/dsc.X.conf". We are not using the "-p" option. We know from our BIND server stats and from interface packet counts that this server receives about 20,000 q/s in total to its various IP addresses. However, our DSC graphs show this server as receiving over 70,000 q/s. The pcap_stats.dat files show: 1373241600 filter_received eth0:1116957 pkts_captured eth0:1064507 kernel_dropped eth0:52454 1373241660 filter_received eth0:1170577 pkts_captured eth0:1086713 kernel_dropped eth0:83863 1373241720 filter_received eth0:1179544 pkts_captured eth0:1114259 kernel_dropped eth0:65283 In comparison, on a similar box, which also receives about 20,000 q/s, and with identical configuration for the collectors, the graphs show an accurate query rate. Also, the pcap_stats.dat files show: 1373241600 filter_received eth0:28470 pkts_captured eth0:28470 1373241660 filter_received eth0:24789 pkts_captured eth0:24788 1373241720 filter_received eth0:28389 pkts_captured eth0:28385 Has anyone else experienced this phenomenon where the dsc collector is counting packets more than once, and exaggerating the query rates? If so, is it a libpcap issue or bug? Is there any known work-around? Regards, Anand _______________________________________________ dsc mailing list dsc at measurement-factory.com http://www.measurement-factory.com/mailman/listinfo/dsc Classification: UNCLASSIFIED Caveats: NONE _______________________________________________ dsc mailing list dsc at measurement-factory.com http://www.measurement-factory.com/mailman/listinfo/dsc From anandb at ripe.net Tue Jul 9 16:16:56 2013 From: anandb at ripe.net (Anand Buddhdev) Date: Tue, 09 Jul 2013 18:16:56 +0200 Subject: [dsc] Duplicate packets captured In-Reply-To: <51DC2593.7000206@ripe.net> References: <51DC2593.7000206@ripe.net> Message-ID: <51DC3778.6060100@ripe.net> On 09/07/2013 17:00, Anand Buddhdev wrote: > Hello DSC users, > > We've noticed a strange issue with our DSC installation. We have a > CentOS 6 server, with libpcap 1.0.0 (part of the base CentOS > installation). We run multiple collectors, with configurations like these: > > interface eth0; > local_address 193.0.9.X; > local_address 2001:67c:e0::X; > bpf_program "host 193.0.9.X or host 2001:67c:e0::X"; > run_dir "/export/dsc/data.X"; > pid_file "/var/run/dsc.X.pid"; > minfree_bytes 5000000; I hate to answer my own question, but upon further investigation, I found the issue. The DSC sample configuration file clearly says that the interface option must go *after* the bpf_program. Changing the order around has eliminated the duplicates, and the graphs now look normal again. Apologies for the noise :( Regards, Anand From fredr at geexology.org Wed Jul 17 21:55:40 2013 From: fredr at geexology.org (Fred Richards) Date: Wed, 17 Jul 2013 17:55:40 -0400 Subject: [dsc] perl errors? Message-ID: Hello all, I have dsc setup as a collector, and I'm using my local archlinux machine as a presenter. I have the files coming over via rsync, and on the presenter machine, I've checked out the latest svn and using that. When I go to run the dsc-grapher.pl script, it complains about one specific line (and it looks fine to me), under the seconds_to_units sub: foreach my $u qw(years weeks days hours minutes) { The perl errors are below and only really cover the last 3 subroutines in grapher.pm, the ~1600 lines are from html_markup and the ~1580 lines from seconds_to_units "my" variable $self masks earlier declaration in same scope at /usr/share/perl5/site_perl/DSC/grapher.pm line 1604. "my" variable $buf masks earlier declaration in same scope at /usr/share/perl5/site_perl/DSC/grapher.pm line 1608. syntax error at /usr/share/perl5/site_perl/DSC/grapher.pm line 1580, near "$u qw(years weeks days hours minutes)" Global symbol "$u" requires explicit package name at /usr/share/perl5/site_perl/DSC/grapher.pm line 1581. Global symbol "$v" requires explicit package name at /usr/share/perl5/site_perl/DSC/grapher.pm line 1586. syntax error at /usr/share/perl5/site_perl/DSC/grapher.pm line 1588, near "}" syntax error at /usr/share/perl5/site_perl/DSC/grapher.pm line 1601, near "}" syntax error at /usr/share/perl5/site_perl/DSC/grapher.pm line 1620, near "}" Compilation failed in require at ./dsc-grapher.pl line 7. BEGIN failed--compilation aborted at ./dsc-grapher.pl line 7. -- Fred R