Hey Juniper gurus, I'm trying to make sense of some cflow records being generated by a T640. There T640s are doing cflow export, both with two equal cost interfaces towards the flow collection / fanout box.
I've done some tcpdumps, it took a little while to spot this but the following is happening. I see two interleaved sets of flow packet batches. One set has sequence numbers beginning with 8 and the other beginning with 2. All arriving in the correct order. So we have 60-70 packets in a row with seq 8xxxxxxx 60-70 packets in a row with seq 2xxxxxxx 60-70 packets in a row with seq 8xxxxxxx 60-70 packets in a row with seq 2xxxxxxx Each 8xxx batch follows sequentially from the previous 8xxx batch etc. and the time stamps are all in time order across all batches. It looks as though the Juniper is using a different sequence number set for each equal-cost interface it has towards the flow collector and sends one batch from each alternately. I am not sure if sequence numbers are meant to be separate sequences for each interface being monitored or whether they are aggregated together and are a sequence for the entire router. Equally, I can kind of understand that this would be a way of marking which packets are which when multiple interfaces are used, but can't you ascertain that from the flow record anyways? Can anyone provide some insight in to why two sets of sequence numbers are used? Cheers, -pete _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
