Re: [Nfsen-discuss] Values corrected by sampling are too big

Wed, 30 Jun 2010 03:07:29 -0700 

Update: setting sample-rate to -1 didn't seem to help, so I temporarly
downgraded nfsen to its previous version (God knows what I might have broken
now...), because this is a production system and I need it up and running.

On Wed, Jun 30, 2010 at 12:36 PM, Adrian Popa <[email protected]>wrote:

> Hello,
>
> I've just upgraded to nfdump 1.6.1 and I noticed big differences in the
> data saved in nfdump and the data actually on the network.
>
> Here's my analysis on one router:
> * sample rate advertised in the netflow packets: 200
> * sample rate configured on the device: 200 (ip flow-sampling-mode
> packet-interval 200)
> * sample rate configured manually in %sources: 200 ( 'router1' => { 'port'
> => '9911', 'col' => '#99ff99', 'type' => 'netflow', 'optarg' => '-s -200'
> },)
>
> The problem is if I run this top, for instance (over 2M packets):
>
> [r...@hail ~]# nfdump -r
> /data/nfsen/profiles/live/router1/nfcapd.201006301125 -n 200 -s ip/pps -l 2M
> 'ip 89.122.71.48 and if 38'
> Packet limit: > 2000000 packets
> Top 200 IP Addr ordered by pps:
> Date first seen          Duration Proto           IP Addr    Flows(%)
> Packets(%)       Bytes(%)         pps      bps   bpp
> 2010-06-30 11:21:17.720   302.532 any        89.122.71.48
> 5(100.0)    3.9 G(100.0)    1.8 G(100.0)   12.9 M   47.2 M     0
> 2010-06-30 11:21:17.720   302.532 any        78.90.151.12        1(20.0)
> 3.9 G(100.0)    1.8 G(100.0)   12.9 M   47.2 M     0
>
> Summary: total flows: 5, total bytes: 1.8 G, total packets: 3.9 G, avg bps:
> 47.2 M, avg pps: 12.9 M, avg bpp: 0
> Time window: 2010-06-30 11:21:17 - 2010-06-30 11:26:20
> Total flows processed: 820516, Blocks skipped: 0, Bytes read: 42667452
> Sys: 0.092s flows/second: 8824270.8  Wall: 0.091s flows/second: 8966702.0
> You have new mail in /var/spool/mail/root
>
>
> I get something like 13 million pps on one interface (just for that IP). I
> have attached a graph of total pps on that interface (ifindex 38) and you
> can see that it never goes over 1.4M pps.
>
> How can I troubleshoot this sampling issue?
> For now, I will set sampling to -1 and do the correction elsewhere, but I
> would like to solve it.
>
> Regards,
> Adrian
>
>
>

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

Reply via email to