Ticket #14 (assigned defect)

Opened 3 years ago

Last modified 12 months ago

IPFM won't work with port mirroring

Reported by: ss18_2004@…
Owned by: tibob
Priority: high
Milestone:
Component: configuration
Version:
Severity: normal
Keywords:
Cc:

Description (last modified by tibob)

Hi. I am using ipfm to collect traffic statistics for a small LAN. My network looks like this, in a simplified way:

LAN ---> eth0 | 1st server | eth1 --------> Switch with port mirroring -------> NAT Box ---> INTER
                                                       | |
                                                Server with IPFM

The switch is a Cisco 2950 with port mirroring activated. So I am running ipfm on that server, and it's odd because it does not do what it should do. When I use iptraf on the ipfm server, it shows the number of packets coming and going like when I am using it on the NAT box, but the total size isn't the same. On the NAT server I am having about 34000kbps total traffic and on the IPFM box only 4000kbps.

When I use ibmonitor on the IPFM box it shows total traffic OK. So I am asking what I should do to make ipfm work as it should. The interface on the IPFM box is set in promisc mode, but it is like the packets aren't getting to ipfm. The Cisco switch is configured correctly.

Thanks in advance.

Attachments

Change History

Changed 3 years ago by tibob

  • status changed from new to assigned
  • description modified

Hi,

With which version of ipfm do you have this problem? Can you try IPFM v0.12.0rc1? A bug made IPFM lose data under certain circumstances.

If trying v0.12.0rc1 does not help, can you dump 1 minute of traffic and send it to me? You can do this with tcpdump:

tcpdump -s 0 -w dump.cap

I will also need your ipfm.conf configuration, which OS you are using and, if it makes sense, the IP addresses of your network.

As this information may be sensitive, you should avoid posting it here, and better send it to me directly (ipfm at r.cheramy.net).

Another question: I'm not sure I understood you well: have the 34000kbps on the NAT box been measured with ipfm or with another tool?

Cheers,

tibob
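
An added example (not part of the ticket and not ipfm code): a small Python script that reads the dump.cap written by the tcpdump command above and reports how many packets and bytes actually arrived on the mirror port, so the figures can be compared with those from the NAT box. It assumes a classic pcap file (not pcapng) that fits in memory; the function names and the built-in sample capture are constructed for illustration.

```python
import struct

MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D

def summarize_pcap(data):
    """Count packets, stored bytes and on-wire bytes in a classic pcap file."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    for endian in "<>":                       # byte order comes from the magic
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    frac = 1e9 if magic == MAGIC_NSEC else 1e6
    packets = stored = wire = truncated = 0
    first = last = None
    off = 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_frac, bytes stored in file, bytes on the wire
        sec, sub, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        if off + 16 + incl_len > len(data):
            break                             # file cut off mid-record
        off += 16 + incl_len
        last = sec + sub / frac
        first = last if first is None else first
        packets += 1
        stored += incl_len
        wire += orig_len
        truncated += incl_len < orig_len      # record shorter than the real packet
    seconds = (last - first) if packets > 1 else 0.0
    kbps = wire * 8 / seconds / 1000 if seconds > 0 else None
    return {"packets": packets, "stored_bytes": stored, "wire_bytes": wire,
            "truncated": truncated, "seconds": seconds, "wire_kbps": kbps}

def build_sample():
    """Constructed capture: 3 records, snaplen 96, spread over 2 seconds."""
    out = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 96, 1)
    for sec, incl_len, orig_len in [(100, 60, 60), (101, 96, 1500), (102, 96, 1514)]:
        out += struct.pack("<IIII", sec, 0, incl_len, orig_len) + bytes(incl_len)
    return out

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(summarize_pcap(raw))
```

Run it with the capture file as its only argument; without an argument it summarizes the constructed sample.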

Changed 3 years ago by ss18_2004@…

I have tried IPFM v0.12.0rc1, but I have the same problem.

Let me try and explain my problem again. My servers are like this: A <--> Switch with port mirroring <--> C

B (connected to the mirroring port)

A, B and C are my servers. I want to use ipfm on server B. (Initially it was something like this: A<-->B<--->C; ipfm worked like a charm (on server B), but there was extra latency introduced to the traffic.) So using a Catalyst 2950 with port mirroring I have tried to eliminate server B from the chain, so that traffic goes from A to B without extra latency.

Server B has one network adapter (eth0) that is connected to the Cisco switch. When I use tcpdump on eth0 it outputs all the packets that go from A to C and from C to A. Iptraf instead shows the real packet count, but total traffic is relatively small. On B I have about 4Mbits of traffic, but on C I have about 23Mbits. I am thinking that iptraf uses some higher level packet capturing libraries.

I am having the same problem with IPFM: it logs just 10% of the traffic. What can I do? I have put eth0 in promiscuous mode, but no difference. My guess is that the kernel is dropping all those packets because it doesn't have a routing table and it does not forward the traffic anywhere. Maybe a dummy device will do the job?

Please help.

Changed 20 months ago by adm.acacio@…

I had this problem here, after I switched from a 100mbps interface to a 1000mbps one. Looking at the source code, I found a constraint named "MAX_DATA_SIZE" with the value of 100. I changed it to 1000, and now it seems to be working again :)

--- ipfm-0.12.0rc1.orig/source/data.h   2005-12-11 14:10:47.000000000 -0300
+++ ipfm-0.12.0rc1.1000/source/data.h   2007-05-31 12:46:24.000000000 -0300
@@ -28,7 +28,7 @@
 
 #include "filter.h"
 
-#define MAX_DATA_SIZE 100
+#define MAX_DATA_SIZE 1000
 
 struct ipfm_data {
   struct ipfm_data *prev, *next;
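
Review bot: MAX_DATA_SIZE in source/data.h goes from 100 to 1000 with no comment saying what it bounds or in which unit, so this hunk alone does not show whether 1000 is a correct limit or just a value that happens to work on one link. Please document the constant where it is defined and check every place that uses it to size a buffer or table, since a tenfold increase changes memory use there. If the right value depends on link speed, a setting in ipfm.conf would be safer than a compile-time define that has to be patched again for the next interface upgrade.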
