Re: [Flow-tools] Experiences with netflow from Junipers

Mon, 05 Jun 2006 11:00:19 -0700


Actually it was to fix the bogus packets problem. I can't recall the details, but perhaps they are related.

Joe


Mike Hunter <[EMAIL PROTECTED]>

06/05/2006 01:26 PM

To
Joe Loiacono/CIV/[EMAIL PROTECTED]
cc
Flow-tools Mailing List <[EMAIL PROTECTED]>
Subject
Re: [Flow-tools] Experiences with netflow from Junipers





Thanks for your reply.  Just to clarify, does the fix below address the
long flow problem or the 0-byte flows problem?  (I'm assuming the long
flow problem.)

Thanks,

Mike

On May 30 at 09:38, "Joe Loiacono" wrote:

> We had the same problem. As I recall it was resolved by:
>
> > Removal of
> >
> > flow-inactive-timeout 15;
> > flow-active-timeout 60;
> >
> > from the Juniper config seems to have fixed the problem as a temporary
> > (?) work around.
>
> Joe
>
>
>
> Mike Hunter <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 05/23/2006 01:53 PM
>
> To
> Flow-tools Mailing List <[EMAIL PROTECTED]>
> cc
>
> Subject
> [Flow-tools] Experiences with netflow from Junipers
>
>
>
>
>
>
> Hey Team,
>
> We've installed some new fancy Juniper routers here at UCB.  The netflow
> experience has been pretty good so far, but I thought I'd share some
> wrinkles in case people come up against them in the future.
>
> The new routers are of vintage:
>
> Model: m7i
> JUNOS Base OS boot [7.4R1.7]
>
> I've had two problems with them.  Problem number 1 was really long flows,
> like 4 or 6 hours.  There's a knob that is supposed to expire flows after
> a set amount of time, but twisting the knob didn't stop the long flows :(
>
> The second problem was identified today; I got some wacky flows from the
> Juniper that have 0 packets and octets:
>
> Start             End               Sif   SrcIPaddress    SrcP  DIf
> DstIPaddress    DstP    P Fl Pkts       Octets
>
> 0521.23:12:55.315 0521.23:28:07.795 55    169.229.123.123  32862 56
> 192.58.123.123    53    17  0  0          0
>
> That causes flow-stat to freak out a bit:
>
> ...
> Ignoring bogus flow dPkts=0
> Ignoring bogus flow dPkts=0
> Ignoring bogus flow dPkts=0
> Ignoring bogus flow dPkts=0
> Ignoring bogus flow dPkts=0
> Ignoring bogus flow dPkts=0
> Ignoring bogus flow dPkts=0
> Ignoring bogus flow dPkts=0
> ...
>
> Does anybody have a strong opinion about writing logic into flow-capture
> to discard such flows?  I'm not offering a patch, just trying to spur
> debate :)
>
> Mike
> _______________________________________________
> Flow-tools mailing list
> [EMAIL PROTECTED]
> http://mailman.splintered.net/mailman/listinfo/flow-tools
> 

_______________________________________________
Flow-tools mailing list
[EMAIL PROTECTED]
http://mailman.splintered.net/mailman/listinfo/flow-tools

Reply via email to