
Hi Szymon,
Yes - all 1.6b honour sampling information included in flow records.

By default, the sampling rate is set to 1 (unsampled) or to any
given value specified by the -s cmd line option. If sampling
information is found in the netflow stream, it overwrites the
default value.
Sampling is automatically recognised when announced in v9
option templates (tags #48, #49, #50) or in the unofficial v5
header hack.
Note: Not all platforms (or IOS versions) support exporting sampling
information in netflow data, even if sampling is configured.

The number of bytes/packets in each netflow record is automatically
multiplied by the sampling rate. The total number of flows is not
changed as this is not accurate enough. (Small flows versus large flows)

If you check the syslog daemon file, you will see the following if sampling has been recognised:
New exporter: engine id 5, type 0, IP: x.x.x.x, Sampling Mode: 2, Sampling Interval: 128

I still take feedback from 1.6b testers for any issues found in 1.6b.

Hope this helps.

        - Peter

Szymon Trocha wrote:
> Peter Haag wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Dear all,
>> I just uploaded another nfdump 1.6 snapshot for testing.
>> The feature list for final 1.6 is now complete. Any feedback
>> from testers is welcome to address bugs to be fixed for final 1.6.
>>
>> Please note: The documentation is not yet fully updated.
>>
>> Changelog to last snapshot:
>> o Add srcmask and dstmask aggregation
>> o Add csv output mode. -o csv
>> o Fix some bugs of previous beta
>> o Add bidirectional aggregation of flows ( -b, -B )
>> o Add possibility to save aggregated flows into file ( -w )
>>   Note: This results in a behaviour change for -w in combination
>>   with aggregation
>> o Extend -N ( do not scale numbers ) to all text output not just summary
>> o Make extension handling more robust for some moody IOSes.
>> o Remove header lines of -s stat, when using -q ( quiet )
>>   Note: This results in a behaviour change for -N
>> o Remove -S option from nfdump ( legacy 1.4 compatibility )
>> o Make use of log (syslog) functions for nfprofile.
>> o Move log functions to util.c
> 
> Hi Peter,
> 
> In June you mentioned NetFlow sampling had been added to 1.6b. Is this 
> still valid or was it changed?
> 
> Can you elaborate a bit more on how this sampling is taken into account by 
> nfdump?
> 
> Regards,

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
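
The sampling handling described in the reply above, as an added example that is not part of the original thread and is not nfdump's own code: it reads the sampling field from a NetFlow v5 header, lets an announced interval overwrite the default rate, and scales bytes and packets while leaving the flow count alone. Assumptions: the header layout is Cisco's published v5 export format (top 2 bits of the last 16-bit field are the mode, low 14 bits the interval), an interval of 0 is treated as "nothing announced", and all function names and sample values are constructed for illustration.

```python
import struct

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")


def parse_v5_sampling(datagram):
    """Return (engine_type, engine_id, sampling_mode, sampling_interval)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    fields = V5_HEADER.unpack_from(datagram)
    if fields[0] != 5:
        raise ValueError("not a NetFlow v5 datagram")
    engine_type, engine_id, sampling = fields[6], fields[7], fields[8]
    # Top 2 bits carry the mode, low 14 bits the interval.
    return engine_type, engine_id, sampling >> 14, sampling & 0x3FFF


def effective_rate(default_rate, announced_interval):
    """Announced sampling overwrites the default (1, or the -s value).

    Assumption: an interval of 0 means the exporter announced nothing.
    """
    return announced_interval if announced_interval > 0 else default_rate


def summarize(records, rate):
    """Scale bytes and packets by the rate; the flow count is left as is."""
    return {
        "flows": len(records),
        "bytes": sum(r["bytes"] for r in records) * rate,
        "packets": sum(r["packets"] for r in records) * rate,
    }


# Constructed sample: engine type 0, engine id 5, mode 2, interval 128.
SAMPLE_HEADER = V5_HEADER.pack(5, 2, 0, 0, 0, 0, 0, 5, (2 << 14) | 128)
SAMPLE_RECORDS = [{"bytes": 1500, "packets": 1}, {"bytes": 40, "packets": 1}]

if __name__ == "__main__":
    etype, eid, mode, interval = parse_v5_sampling(SAMPLE_HEADER)
    rate = effective_rate(1, interval)
    print(f"engine id {eid}, type {etype}, mode {mode}, interval {interval}")
    print(summarize(SAMPLE_RECORDS, rate))
```

Because only bytes and packets are scaled, volume-based detection thresholds apply to the scaled totals, while flow-count thresholds on a sampled exporter still see the unscaled number.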