Re: [Nfdump-discuss] Double counting with pfsense and softflowd

Sat, 21 Nov 2015 04:16:37 -0800 

Hi Garrett,
I'm not aware of a problem with softflowd. The records btw are around 7s apart 
- so it looks unlikely, that it is the
same same flow.
If you do not have nsel records you may use the std formats to display the 
records e.g. -o line

If you can not get arount this, I need to check with pfsense.

Cheers

        - Peter

On 20.11.15 17:39, Garrett Burke wrote:
> All,
> 
> I'm using pfSense 2.2.4 with softflowd 1.2.1 exporting Netflow v5 packets to 
> nfsen with nfdump: Version: NSEL-NEL1.6.11 and I'm seeing double counting of 
> the bps.
> 
> If I generate a 10Mbps flow through the pfSense firewall with iperf, it's 
> being displayed as 20Mbps.  The pfSense counters show it correctly as 10Mbps.
> 
> It looks like softflowd is sending the records twice, as I see the following 
> in the nfcapd files:
> 
> # nfdump -r nfcapd.201511201555
> Date first seen          Event  XEvent Proto      Src IP Addr:Port          
> Dst IP Addr:Port     X-Src IP Addr:Port        X-Dst IP Addr:Port   In Byte 
> Out Byte
> 2015-11-20 15:50:22.588 IGNORE  Ignore UDP      172.22.37.250:55138 ->       
> 128.18.1.1:5001           0.0.0.0:0     ->          0.0.0.0:0      382.7 M    
>     0
> 2015-11-20 15:50:29.099 IGNORE  Ignore UDP      172.22.37.250:55138 ->       
> 128.18.1.1:5001           0.0.0.0:0     ->          0.0.0.0:0      386.5 M    
>     0
> 
> Has anyone else seen this?
> 
> Is there a way to get nfsen/nfdump to ignore the duplicates (if that is what 
> they are)?
> 
> Thks,
> GB
> 
> --
> Garrett Burke
> VP Engineering
> Egenera Inc. | Converge. Unify. Simplify.�
> 00-353-1-9022868 (office)
> 
> http://www.egenera.com
> http://blog.egenera.com
> http://www.facebook.com/#!/pages/Egenera/74312707811
> http://twitter.com/#!/Egenera
> http://www.linkedin.com/company/7909?trk=tyah
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> 
> 
> 
> _______________________________________________
> Nfdump-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
> 

-- 
Be nice to your netflow data. Use NfSen and nfdump :)


------------------------------------------------------------------------------

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

Reply via email to