Must be some interface numbers that you aren't matching. Try filtering any flows for oids that you aren't matching.
i.e. something like:
flow-cat <flow> | flow-stat -f23 | grep "if numbers not matching in your list"
(or using flow-filter instead of grep if you want totals)
Check for ifindex 0. I notice a bit of my traffic is labeled with a 0 oid.
Regards, Steve
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, February 10, 2005 11:27 PM
Subject: [Flow-tools] incoming/outging/all difference...i dont understand
Hi,
I'm trying to make all kinds of scripts for our company to measure the
backbone traffic.
Before I start, I must first understand netflow and the way it measures.
I've attached a PNG file with our network and the places where I put the
'ip route-cache flow' command on.
Green dots are interfaces to measure outbound and red dots are interfaces to
measure inbound.
First I made 2 scripts to determine the incoming/outgoing, because I want to be sure that the scripts and filters I make are correct; I check those against all data.
all data:
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-stat -f15
# Octets Packets MBytes # 20934728442 39051555 20934.728
incoming-data:
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-nfilter -f nfilter-file -F all-incoming-traffic | flow-stat -f15
# Octets Packets MBytes # 12443827147 20067449 12443.827
outgoing-data:
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-nfilter -f nfilter-file -F all-outgoing-traffic | flow-stat -f15
# Octets Packets MBytes # 7216875959 16302298 7216.876
The total of 12443.827 + 7216.876 = 19660.703 MB. But the 'real' total from the flow-stat without filter was 20934.728, so I am short 1274.025 MB in 5 minutes!!!
So I thought the total also includes 'inter-core' (traffic between core routers). That's why I made the inter-backbone filter.
flow-cat /data/2005-02-09/ft-v05.2005-02-09.123722+0100 | flow-nfilter -f nfilter-file -F inter-backbone | flow-stat -f15
# Octets Packets MBytes # 3071929966 4910315 3071.930
This is way too much......so I'm desperate now....I can't find where the difference is coming from and it stops me from going on with making a nice application for my company.
Please can somebody think with me on this!! That would be great!!
Greetz,
Jeroen Wolff Netherlands
nfilter-file:
filter-primitive asd7ro1
  type ip-address
  permit 195.7.128.252
filter-primitive asd7ro3
  type ip-address
  permit 195.7.128.251
filter-primitive asd10ro1
  type ip-address
  permit 195.7.128.250
filter-primitive telia-if-asd7ro3
  type ifindex
  permit 4
filter-primitive amsix-if-asd7ro3
  type ifindex
  permit 3
filter-primitive carrier1-if-asd7ro1
  type ifindex
  permit 5
filter-primitive tsystems-if-asd7ro1
  type ifindex
  permit 2
filter-primitive amsix-if-asd10ro1
  type ifindex
  permit 9
filter-primitive carrier1-if-asd10ro1
  type ifindex
  permit 1
filter-primitive globalx-if-asd10ro1
  type ifindex
  permit 6
filter-primitive po1-0-asd7ro3
  type ifindex
  permit 1
filter-primitive fa2-0-asd7ro3
  type ifindex
  permit 5
filter-primitive po10-1-0-asd10ro1
  type ifindex
  permit 1
filter-primitive fa5-0-0-asd7ro1
  type ifindex
  permit 4
filter-definition all-outgoing-traffic
  match ip-exporter-address asd7ro3
  match output-interface telia-if-asd7ro3
  or
  match ip-exporter-address asd7ro3
  match output-interface amsix-if-asd7ro3
  or
  match ip-exporter-address asd10ro1
  match output-interface carrier1-if-asd10ro1
  or
  match ip-exporter-address asd10ro1
  match output-interface globalx-if-asd10ro1
  or
  match ip-exporter-address asd7ro1
  match output-interface tsystems-if-asd7ro1
  or
  match ip-exporter-address asd7ro1
  match output-interface carrier1-if-asd7ro1

filter-definition all-incoming-traffic
  match ip-exporter-address asd7ro3
  match input-interface telia-if-asd7ro3
  or
  match ip-exporter-address asd7ro3
  match input-interface amsix-if-asd7ro3
  or
  match ip-exporter-address asd10ro1
  match input-interface carrier1-if-asd10ro1
  or
  match ip-exporter-address asd10ro1
  match input-interface globalx-if-asd10ro1
  or
  match ip-exporter-address asd7ro1
  match input-interface tsystems-if-asd7ro1
  or
  match ip-exporter-address asd7ro1
  match input-interface carrier1-if-asd7ro1

filter-definition inter-backbone
  match ip-exporter-address asd7ro1
  match output-interface fa5-0-0-asd7ro1
  or
  match ip-exporter-address asd7ro3
  match output-interface fa2-0-asd7ro3
  or
  match ip-exporter-address asd7ro3
  match output-interface po1-0-asd7ro3
  or
  match ip-exporter-address asd10ro1
  match output-interface po10-1-0-asd10ro1
<<flow-export.png>>
--------------------------------------------------------------------------------
_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools
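
Added example, not part of the original thread and not flow-tools code: a Python script that applies the three filter definitions from the posted nfilter-file to per-flow records and totals octets by which filters each flow matches, so flows matched by no filter (including ifIndex 0) and flows counted by more than one filter show up directly. The CSV column names and the sample records are constructed assumptions; the exporter addresses and ifIndex values are the ones in the post.

```python
import csv
import io
from collections import Counter

# ifIndex sets per exporter, copied from the nfilter-file in the post.
# BORDER: interfaces used by all-incoming-traffic / all-outgoing-traffic.
# CORE_OUT: output interfaces used by inter-backbone.
BORDER = {"195.7.128.251": {4, 3}, "195.7.128.250": {1, 6}, "195.7.128.252": {2, 5}}
CORE_OUT = {"195.7.128.251": {5, 1}, "195.7.128.250": {1}, "195.7.128.252": {4}}
# Visible in the posted file: on 195.7.128.250 ifIndex 1 is in both sets, and the
# amsix-if-asd10ro1 primitive (ifIndex 9) is not referenced by any definition.

# Constructed sample records (assumed column names, not data from the thread).
SAMPLE = """exaddr,input,output,doctets
195.7.128.251,4,5,1000
195.7.128.251,4,3,400
195.7.128.251,7,0,50
195.7.128.250,9,8,300
195.7.128.250,6,1,700
195.7.128.252,8,4,200
"""

def classify(rec):
    """Return the set of filter names from the post that this flow matches."""
    ex, i, o = rec["exaddr"], int(rec["input"]), int(rec["output"])
    hits = set()
    if i in BORDER.get(ex, ()):
        hits.add("incoming")
    if o in BORDER.get(ex, ()):
        hits.add("outgoing")
    if o in CORE_OUT.get(ex, ()):
        hits.add("inter-backbone")
    return frozenset(hits)

def reconcile(csv_text):
    """Total octets per filter combination and per unmatched (exporter, in, out)."""
    by_class, unmatched = Counter(), Counter()
    for rec in csv.DictReader(io.StringIO(csv_text)):
        hits, octets = classify(rec), int(rec["doctets"])
        by_class[hits] += octets
        if not hits:
            unmatched[(rec["exaddr"], int(rec["input"]), int(rec["output"]))] += octets
    return by_class, unmatched

if __name__ == "__main__":
    by_class, unmatched = reconcile(SAMPLE)
    for hits, octets in by_class.most_common():
        print(sorted(hits) or ["<no filter>"], octets)
    for key, octets in unmatched.most_common():
        print("unmatched exporter/in/out:", key, octets)
```

The per-filter totals only add up to the unfiltered total when every flow lands in exactly one combination; any octets under the empty set or under a set with more than one name are the discrepancy.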
