Hello Peter,
I managed to install the new version + your patch on a test system and I
confirm that now the nfcapd processes start with the manual sampling
setting.
[r...@syslog_telco bin]# ./nfsen start
Starting nfcapd:(router1)
Run: /usr/local/bin/nfcapd -w -D -p 9911 -u netflow -g apache -B 200000 -P /data/nfsen/var/run/router1.pid -I router1 -l /data/nfsen/profiles-data/live/router1 -s -1
[24471]
Starting nfsend.
[r...@syslog_telco bin]# ps -ef | grep nfcapd
netflow 24471 1 0 11:19 ? 00:00:00 /usr/local/bin/nfcapd -w -D -p 9911 -u netflow -g apache -B 200000 -P /data/nfsen/var/run/router1.pid -I router1 -l /data/nfsen/profiles-data/live/router1 -s -1
I will also try to see if setting sampling to -1 fixes my previous issues.
Regards,
Adrian
On Thu, Jul 1, 2010 at 9:32 AM, Peter Haag <[email protected]> wrote:
>
> NfSen-1.3.3 did miss optargs. Those who use NfSen-1.3.3 and have optargs
> configured in %sources, please apply the patch
> appended to libexec/NfSenRC.pm.
>
> Sorry folks for the inconvenience!
>
> - Peter
>
> On 6/30/10 12:05, Adrian Popa wrote:
> > Update: setting sample-rate to -1 didn't seem to help, so I temporarily
> > downgraded nfsen to its previous version (God knows what I might have broken
> > now...), because this is a production system and I need it up and running.
> >
> > On Wed, Jun 30, 2010 at 12:36 PM, Adrian Popa <[email protected]> wrote:
> >
> >> Hello,
> >>
> >> I've just upgraded to nfdump 1.6.1 and I noticed big differences in the
> >> data saved in nfdump and the data actually on the network.
> >>
> >> Here's my analysis on one router:
> >> * sample rate advertised in the netflow packets: 200
> >> * sample rate configured on the device: 200 (ip flow-sampling-mode
> >> packet-interval 200)
> >> * sample rate configured manually in %sources: 200
> >> ( 'router1' => { 'port' => '9911', 'col' => '#99ff99', 'type' => 'netflow', 'optarg' => '-s -200' },)
> >>
> >> The problem is if I run this top, for instance (over 2M packets):
> >>
> >> [r...@hail ~]# nfdump -r /data/nfsen/profiles/live/router1/nfcapd.201006301125 -n 200 -s ip/pps -l 2M 'ip 89.122.71.48 and if 38'
> >> Packet limit: > 2000000 packets
> >> Top 200 IP Addr ordered by pps:
> >> Date first seen Duration Proto IP Addr Flows(%) Packets(%) Bytes(%) pps bps bpp
> >> 2010-06-30 11:21:17.720 302.532 any 89.122.71.48 5(100.0) 3.9 G(100.0) 1.8 G(100.0) 12.9 M 47.2 M 0
> >> 2010-06-30 11:21:17.720 302.532 any 78.90.151.12 1(20.0) 3.9 G(100.0) 1.8 G(100.0) 12.9 M 47.2 M 0
> >>
> >> Summary: total flows: 5, total bytes: 1.8 G, total packets: 3.9 G, avg bps: 47.2 M, avg pps: 12.9 M, avg bpp: 0
> >> Time window: 2010-06-30 11:21:17 - 2010-06-30 11:26:20
> >> Total flows processed: 820516, Blocks skipped: 0, Bytes read: 42667452
> >> Sys: 0.092s flows/second: 8824270.8 Wall: 0.091s flows/second: 8966702.0
> >> You have new mail in /var/spool/mail/root
> >>
> >>
> >> I get something like 13 million pps on one interface (just for that IP). I
> >> have attached a graph of total pps on that interface (ifindex 38) and you
> >> can see that it never goes over 1.4M pps.
> >>
> >> How can I troubleshoot this sampling issue?
> >> For now, I will set sampling to -1 and do the correction elsewhere, but I
> >> would like to solve it.
> >>
> >> Regards,
> >> Adrian
> >>
> >>
> >>
> >
> > _______________________________________________
> > Nfsen-discuss mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
> - --
> _______ SWITCH - The Swiss Education and Research Network ______
> Peter Haag, Security Engineer, Member of SWITCH CERT
> PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
> SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
> E-mail: [email protected] Web: http://www.switch.ch/
>