-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Robin,
I can not really tell you what could be wrong. The number we see, seem
pretty what we expect. Maybe a few remarks on how the numbers are generated.
The statistics is created for every 5 min slot according the accumulated values
from the flows, exported during that 5 min timeslot. The accumulated byte
counter from all flows is
divided by 300s to get the average bps for that time slot. This is also the
value pumped into the
RRD DB for creating the graphs. Scaling of RRD and the values in the stat table
are 1K = 1000 as of
snapshot 20070312.
If your flows are sampled, then your values may be ways off, as sampling is not
(yet) taken into
account. The rough guess is a multiplication with the sampling rate.
The error you see in your log file does not do any harm. It simply says, that
there was 1 sequence
error during the last 5 minutes when collecting the flow data. So 1 packet was
missing in that flow
sequence. If you take the Bytes count and divide it by 300, you get the average
bps value.
- Peter
- --On May 9, 2007 11:44:16 -0400 "Brown, Robin" <[EMAIL PROTECTED]> wrote:
| I was using flow-capture/flowscan, but it couldn't keep up. Flowscan
| took longer than 5 minutes to process the flow file so by the end of the
| day it got really far behind. But the data that was reported in bps was
| very close to the interface stats pulled via snmp.
|
| I'm trying nfdump/nfsen and the numbers are way off. I am not exporting
| flows from a router, I have fprobe running and converting span traffic
| to flows and sending those to the server running nfdump/nfsen. This was
| the same configuration when I was using the flow-tools suite, fprobe to
| the server running flow-capture and flowscan. The bps shown in the
| graphs generated by nfdump/nfsen are not even close to the interface
| stats.
|
| I'm using nfdump-snapshot-20070312 and nfsen-snapshot-20070312. Am I
| missing something? Do I need to tweak something? I like nfdump/nfsen
| it is faster when searching thru flow data. I'm just not sure I'm
| seeing accurate data right now.
|
| The only errors in the log are an occasional sequence error:
| /usr/local/bin/nfcapd[12071]: Ident: 'ehprobe2' Flows: 3558830, Packets:
| 28941156, Bytes: 6628366421, Sequence Errors: 1, Bad Packets: 0
|
| Would that be enough to cause this issue? I'm probably also dropping
| some flows but I was b4 with flow-tools and the numbers were not this
| far off.
|
| Any assistance will be appreciated.
|
| Regards,
| Robin
|
|
| -------------------------------------------------------------------------
| This SF.net email is sponsored by DB2 Express
| Download DB2 Express C - the FREE version of DB2 express and take
| control of your XML. No limits. Just data. Click to get it now.
| http://sourceforge.net/powerbar/db2/
| _______________________________________________
| Nfdump-discuss mailing list
| Nfdump-discuss@lists.sourceforge.net
| https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBRkLjGv5AbZRALNr/AQLbMAQAmYPUV9SxrwZN/bNdM6cZwAHzWeFh/5Xd
OGkGMBa/BpAJhba1hkT5tPmBWx13PUun6ZORKzrkTgIqrd5ljRn8JNPXgPjlVG4O
vENy2jIMAURTyXbxOF5jy9v0fNff/QHNpujADVut8Y2dhL5YzHD+zqYPgEgOMEdm
aGxGF0P2g6c=
=wZ7y
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
