-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Adrian,
On 6/30/10 8:50, Adrian Popa wrote:
> Hello Peter,
>
> I've just upgraded to 1.6.1 and I also get a ton of these messages:
>
> Jun 30 09:41:04 localhost nfcapd[14543]: Set std sampler: algorithm: 1,
> interval: 200
> Jun 30 09:41:04 localhost nfcapd[14543]: Set std sampler: algorithm: 1,
> interval: 200
> Jun 30 09:41:04 localhost nfcapd[14750]: Set std sampler: algorithm: 1,
> interval: 200
> Jun 30 09:41:04 localhost nfcapd[14543]: Set std sampler: algorithm: 1,
> interval: 200
> Jun 30 09:41:04 localhost nfcapd[14750]: Set std sampler: algorithm: 1,
> interval: 200
> Jun 30 09:41:04 localhost last message repeated 6 times
> Jun 30 09:41:04 localhost nfcapd[14543]: Set std sampler: algorithm: 1,
> interval: 200
> Jun 30 09:41:04 localhost nfcapd[14750]: Set std sampler: algorithm: 1,
> interval: 200
> Jun 30 09:41:04 localhost last message repeated 2 times
>
>
> From what I understand, the collector automatically adjusts its sampling
> rate from what it learns in the packets. I have some plugins that used to do
> manual correction of the values returned by nfdump (multiplying pps by the
> sampling rate for instance). Now I am getting verry large values from my
> plugins - I'd like to ask this to be clear - when sampling is configured (or
> detected) in nfsen, the output of all nfdump commands is automatically
> "corrected" with that sample rate, right?
nfcapd adjust the packets and bytes counter by the value of the sampling rate.
Flows are not adjusted, as this is a non predictable value.
If you want to go back to your "manual adjustment" use '-s -1' to force
nfcapd to set the sampling rate to 1.
>
> Thanks,
> Adrian
>
> Oh, one more thing - is there an easy way to suppress the logging messages
> from "Set std sampler", because they're clobbering my logs? I guess I can
> comment out the logging line from the code - but I want to know if it is
> selectable in the configuration.
Obviously the router sends the sampling rates rather often. The message is
looged
log_info. So either set the syslog level to a higher value than info, or comment
the logging out in the code: netflow_v9.c line 1443.
- Peter
>
> On Wed, Jun 30, 2010 at 9:16 AM, Peter Haag <[email protected]> wrote:
>
> Hi Chip,
>
>
> On 6/29/10 19:19, Pleasants, Chip wrote:
>>>> Hi Peter.
>>>>
>>>> Thank you very much for assistance. Is there any way I tell its being
>>>> set? When I start nfsen the -s option doesn't appear in the command
>>>> output, but I do see the messages below in the logs.
>
> Yes - in nfsen.conf in the %sources definitions. Add -s as I described in
> my ealier mail. ( optarg => .... )
> These args are directly passed to nfcapd.
>
>>>>
>>>> Jun 24 15:10:44 server-1 nfcapd[22284]: Process_v9: New std sampler at
>>>> offsets: interval: 1, algorithm: 0
>>>> Jun 24 15:10:44 server-1 nfcapd[22284]: Set std sampler: algorithm: 1,
>>>> interval: 100
>>>>
>>>> The second one I see about every minute. Would this be the router
>>>> telling nfcapd what the sample rate is? Looks to be that way after
>>>> changing the sample rate on the router a couple different times.
>
> Yes - nfcapd does automatically recognise the sampling rate. The -s option
> is only meant for those router software
> releases, which don't do that, although sampling is configured.
>
> o You can preset the sampling rate for nfcapd by setting the -s option.
> o If sampling is announced from the router - this values overwrite the
> given -s
> o hard core: setting -s -<rate> ( add minus sign ) locks the sampling rate
> for nfcapd, regardless what the device announces.
>
> This should hopefully fit for every setup.
>
> - Peter
>
>>>>
>>>> If it is being set I'm seeing a little higher usage than the actual
>>>> usage. Is that to be expected?
>>>>
>>>> Thanks again for you help,
>>>>
>>>> -Chip
>>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Peter Haag [mailto:[email protected]]
>>>> Sent: Thursday, June 24, 2010 3:05 PM
>>>> To: Pleasants, Chip
>>>> Cc: [email protected]
>>>> Subject: Re: [Nfsen-discuss] sampling
>>>>
>>>>
>>>>
>>>> On 6/23/10 20:24, Pleasants, Chip wrote:
>>>>> Hi all,
>>>>
>>>>
>>>>
>>>>> Could someone direct me how to set the -s option in the nfsen.conf?
>>>>
>>>> use optarg => '-s 256' for example to set the rate accordingly.
>>>>
>>>>> Also I see the default -s value is 1. Could someone also clarify if
>>>> this
>>>>> 1% and if my sample rate and this value need to be the same?
>>>>
>>>> It's the sampling rate. See nfcapd(1) for the details.
>>>>
>>>> - Peter
>>>>
>>>>
>>>>
>>>>> Thanks,
>>>>
>>>>> Chip
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> ------
>>>>> ThinkGeek and WIRED's GeekDad team up for the Ultimate
>>>>> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the
>>>>> lucky parental unit. See the prize list and enter to win:
>>>>> http://p.sf.net/sfu/thinkgeek-promo
>>>>
>>>>
>>>>
>>>>> _______________________________________________
>>>>> Nfsen-discuss mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>>>
>
> -
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
>>
>>
- ------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>>
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQCVAwUBTCrtnP5AbZRALNr/AQKmkgP8CFGlIpE8c2kkkrdlEnAC0iMqmOaYcLIR
8XL25L0P3F5+jONTJ4ml0v8ZXjySoWYnnm6X4L1a3Ei1fMuduqOlSzE2pg7ns6NS
dLYNIRwBDhYH5sy7djzw1fhPuB4DLCqCxyjll+dS2/Vo8U8q9SLjtY9ul3+/G+zU
8I7WIQxyYck=
=fkeu
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
