-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Mark,
This must be an effect of your netflow exporter. nfdump can only lists, what it
gets.
Everything is in one flow. This means your router does not export this flow,
because
it was active over that period of time. Check the 'active timeouts' of your
exporter.
It should also be less or equal 300s. This means, even if the flow is still
active,
it gets exported. This splits your transfer into 300s pices.
Hope this helps.
- Peter
- --On August 7, 2007 18:42:33 -0700 kaimukiq <[EMAIL PROTECTED]> wrote:
| Hello,
|
| I'm evaluating nfdump and nfsen -- many thanks to all
| those that put in the work, these utilities look
| amazing.
|
| However, I have a problem for which I'm not sure there
| is a good answer.
| I'm monitoring a T1 line over which large files are
| transferred.
| I'm finding that the large transfer is included in
| only one sample period (when the flow ends), therefore
| I'm getting inaccurate results.
|
| Here is an example:
| Date flow start Duration Proto Src IP
| Addr:Port Dst IP Addr:Port Packets Bytes
| Flows
| 2007-08-07 05:41:11.184 1345.976 TCP
| aaa.aaa.aaa.aaa:aaaaa -> bbb.bbb.bbb.bbb:bbbbb
| 149483 200.3 M 1
|
| Note that the duration of this flow is 1345 seconds.
| The sample size is the default 5 minutes (300
| seconds).
| Over the 1345 second duration, that comes out to
| around 1.1 Mbps, which is accurate.
|
| However, this entire flow shows up only in one 5
| minute sample period, such that the nfsen graph shows
| a spike of better than 5 Mbps for that sample (which
| of course is impossible for a T1 line).
|
| -----------------------------
|
| The only solution I can think of is to change my
| sample period to something much larger than 5 minutes.
| I see an option to change the interval on nfcapd, but
| I'd rather not do this.
|
| Are there any other options?
|
| Thanks,
| Mark Embrich
|
|
|
|
____________________________________________________________________________________
| Choose the right car based on your needs. Check out Yahoo! Autos new Car
Finder
| tool. http://autos.yahoo.com/carfinder/
|
| -------------------------------------------------------------------------
| This SF.net email is sponsored by: Splunk Inc.
| Still grepping through log files to find problems? Stop.
| Now Search log events and configuration files using AJAX and a browser.
| Download your FREE copy of Splunk now >> http://get.splunk.com/
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBRrlpuf5AbZRALNr/AQIffAQAjCFe2e4RoWkE3MH2WAOyON/muDmFOGUE
HBIpAtBr4VIq7STT6jnjGa6m39nedQAjSn4ekOOm8XeTfafluIccGGEF5xAKCKkA
KZe/K3EmYv3m/OepFY5sCFP6EfFUYIz+Dpl6ZZGr6og7DKwBOqCxvd+REoi/6/kb
MjltQ1cItFc=
=W4kI
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
