NfSen-1.3.3 did miss optargs. Those using NfSen-1.3.3 who have optargs
configured in %sources, please apply the patch appended to
libexec/NfSenRC.pm.
Sorry folks for the inconvenience!
- Peter
On 6/30/10 12:05, Adrian Popa wrote:
> Update: setting sample-rate to -1 didn't seem to help, so I temporarily
> downgraded nfsen to its previous version (God knows what I might have broken
> now...), because this is a production system and I need it up and running.
>
> On Wed, Jun 30, 2010 at 12:36 PM, Adrian Popa <[email protected]> wrote:
>
>> Hello,
>>
>> I've just upgraded to nfdump 1.6.1 and I noticed big differences in the
>> data saved in nfdump and the data actually on the network.
>>
>> Here's my analysis on one router:
>> * sample rate advertised in the netflow packets: 200
>> * sample rate configured on the device: 200 (ip flow-sampling-mode
>> packet-interval 200)
>> * sample rate configured manually in %sources: 200 ( 'router1' => { 'port'
>> => '9911', 'col' => '#99ff99', 'type' => 'netflow', 'optarg' => '-s -200'
>> },)
>>
>> The problem is if I run this top, for instance (over 2M packets):
>>
>> [r...@hail ~]# nfdump -r
>> /data/nfsen/profiles/live/router1/nfcapd.201006301125 -n 200 -s ip/pps -l 2M
>> 'ip 89.122.71.48 and if 38'
>> Packet limit: > 2000000 packets
>> Top 200 IP Addr ordered by pps:
>> Date first seen          Duration Proto  IP Addr       Flows(%)  Packets(%)    Bytes(%)      pps     bps     bpp
>> 2010-06-30 11:21:17.720  302.532  any    89.122.71.48  5(100.0)  3.9 G(100.0)  1.8 G(100.0)  12.9 M  47.2 M  0
>> 2010-06-30 11:21:17.720  302.532  any    78.90.151.12  1(20.0)   3.9 G(100.0)  1.8 G(100.0)  12.9 M  47.2 M  0
>>
>> Summary: total flows: 5, total bytes: 1.8 G, total packets: 3.9 G, avg bps:
>> 47.2 M, avg pps: 12.9 M, avg bpp: 0
>> Time window: 2010-06-30 11:21:17 - 2010-06-30 11:26:20
>> Total flows processed: 820516, Blocks skipped: 0, Bytes read: 42667452
>> Sys: 0.092s flows/second: 8824270.8 Wall: 0.091s flows/second: 8966702.0
>> You have new mail in /var/spool/mail/root
>>
>>
>> I get something like 13 million pps on one interface (just for that IP). I
>> have attached a graph of total pps on that interface (ifindex 38) and you
>> can see that it never goes over 1.4M pps.
>>
>> How can I troubleshoot this sampling issue?
>> For now, I will set sampling to -1 and do the correction elsewhere, but I
>> would like to solve it.
>>
>> Regards,
>> Adrian
>
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
NfSenRC.patch
Description: application/applefile
NfSenRC.patch.sig
Description: Binary data
