Jacky - OK so it looks like sampling is responsible for the difference between MRTG and flow-tools, but I'm surprised the 'multiplier' varies so much. My experience has had them closer. Maybe you can play with the sampling parameters on your routers.
Though at the traffic levels you're talking about, I wouldn't sample at all. It's not a very heavy load, and you'll be happier with the results. You don't have to change the ft file times. Joe From: Jacky Chan <[email protected]> To: Joe Loiacono/USA/c...@csc Cc: [email protected] Date: 05/04/2010 11:30 AM Subject: Re: [Flow-tools] Flow-stat vs MRTG HI Joe, My ft file is 5 minutes long (the stat interval is 5). Both my Juniper and Cisco do sampling and packet-interval is 100. For this case, I need to change the ft file to 15 minutes long? on the other hand, I am not sure how to calculate the "multipliers". Regards, Jacky On Tue, May 4, 2010 at 9:08 PM, Joe Loiacono <[email protected]> wrote: When you apply flow-stat to a single ft file, you're getting the average rate over the length of time associated with the file. My ft files are typically 15 minutes long. If we assume yours are 15 minutes also, you are comparing a 15 minute average with an MRTG 5-minute SNMP sample of all bytes (including IP and TCP headers.) Looking at sampling as a possibility, here are the 'multipliers': 110/0.293 = 375 136/0.323 = 421 24/0.225 = 107 96/1.462 = 66 They're not consistent. But if you create an MRTG number from the average of the three readings that make up the 15 minute netflow period, you might find a consistent multiplier. But - you could first just check to see if you're sampling on the Juniper :-) By the way - have you checked out FlowViewer as a web interface to flow-tools? http://ensight.eos.nasa.gov/FlowViewer/ Joe From: Jacky Chan <[email protected]> To: [email protected] Date: 05/04/2010 01:52 AM Subject: [Flow-tools] Flow-stat vs MRTG Dear Sir, I have flow-tools 0.68 running on a Fedora Core 11 workstation and the system collecting flow-data from Juniper and Cisco routers. I tried obtain the link utilization from the flow-stat output but there is big different when compared to MRTG reading. Example-1 I have a GE link from my Juniper router to INTERNET upstream-1 >From MRTG, the average input / output speed @ 21:00 are 110Mbps/ 136Mbps. >From Flow-stat, the input/ output speed @21:00 are 292.6613Kbps/ 323.1716Kbps. Example-2 I have a GE link from my Cisco router to INTERNET upstream-2 >From MRTG, the average input / output speed @ 21:00 are 24Mbps/ 96Mbps. >From Flow-stat, the input/ output speed @21:00 are 225.0744Kbps/ 1462.7255Kbps. Here are the commands I used to obtain the link utilization from the flow-data. I did something wrong or misused the flow-stat application? flow-cat ft-v05-2010-05-03.210000+0800 | flow-filter -e JUNIPER-IP -i116 | flow-stat flow-cat ft-v05-2010-05-03.210000+0800 | flow-filter -e JUNIPER-IP -I116 | flow-stat flow-cat ft-v05-2010-05-03.210000+0800 | flow-filter -e CISCO-IP -i13 | flow-stat flow-cat ft-v05-2010-05-03.210000+0800 | flow-filter -e CISCO-IP -I13 | flow-stat -- Jacky :)_______________________________________________ Flow-tools mailing list [email protected] http://mailman.splintered.net/mailman/listinfo/flow-tools -- Jacky Chan :)
_______________________________________________ Flow-tools mailing list [email protected] http://mailman.splintered.net/mailman/listinfo/flow-tools
