Hello everyone!
I need some help figuring out results presented by nfsen/nfdump.
I have one IP address that experienced excessive traffic in one 5-min
period.
But I get different results for bps from GUI/CLI.
GUI (NfSen Top 10, Stat dstip, Order by: bps, Nfdump filter: dst ip
xx.yyy.zz.qqq)
** nfdump -M /opt/nfsen/profiles-data/live/all -T -r
2016/03/15/nfcapd.201603151140 -n 10 -s dstip/bps
nfdump filter:
dst ip xx.yyy.zz.qqq
Top 10 Dst IP Addr ordered by bps:
Date first seen Duration Proto Dst IP Addr Flows(%)
Packets(%) Bytes(%) pps bps bpp
2016-03-15 11:39:45.762 313.238 any xx.yyy.zz.qqq 70302(100.0)
128.5 M(100.0) 172.1 G(100.0) 410112 4.4 G 1339
Summary: total flows: 70302, total bytes: 172126514204, total packets:
128462900, avg bps: 4396057035, avg pps: 410112, avg bpp: 1339
Time window: 2016-03-15 11:37:15 - 2016-03-15 11:44:59
Total flows processed: 12297014, Blocks skipped: 0, Bytes read: 737829472
Sys: 1.366s flows/second: 8999709.5 Wall: 1.439s flows/second: 8543983.7
CLI (nfdump):
[root@analyzer ~]]# /opt/nfdump/bin/nfdump -r
/opt/nfsen/profiles-data/live/all/2016/03/15/nfcapd.201603151140 -n 10 -s
dstip/bps -o csv 'dst ip xx.yyy.zz.qqq'
ts,te,td,pr,val,fl,flP,ipkt,ipktP,ibyt,ibytP,ipps,ipbs,ibpp
2016-03-15 11:39:45,2016-03-15
11:44:59,313.238,any,xx.yyy.zz.qqq,70302,100.0,128462900,100.0,172126514204,100.0,410112,101089739,1339
Summary
flows,bytes,packets,avg_bps,avg_pps,avg_bpp
70302,172126514204,128462900,4396057035,410112,1339
CLI (nfdump):
[root@analyzer ~]]# /opt/nfdump/bin/nfdump -N -r
/opt/nfsen/profiles-data/live/all/2016/03/15/nfcapd.201603151140 -a -A
dstip -o "fmt:%ts%te%td%da%pkt%byt%fl%bps%pps%bpp" 'dst ip xx.yyy.zz.qqq'
Date first seen Date last seen Duration Dst IP Addr
Packets Bytes Flows bps pps Bpp
2016-03-15 11:39:45.7622016-03-15 11:44:59.000 313.238 xx.yyy.zz.qqq
128462900 172126514204 70302 4396057035 410112 1339
Summary: total flows: 70302, total bytes: 172126514204, total packets:
128462900, avg bps: 4396057035, avg pps: 410112, avg bpp: 1339
Time window: 2016-03-15 11:37:15 - 2016-03-15 11:44:59
Total flows processed: 12297014, Blocks skipped: 0, Bytes read: 737829472
Sys: 1.374s flows/second: 8945989.5 Wall: 1.371s flows/second: 8965563.1
So, if you look closely, all outputs show the same values for all summary
stats, but in the per-IP stats, ipbs in the second output is not correct (btw.
shouldn't that be ibps?).
If you calculate bps as bytes*8/duration, you get exactly 4396057035, or
4,4 Gbps.
I have also noticed that in case of bps, kbps and Mbps that field shows
correct values.
I do not have a single clue what's going on here. Am I maybe missing
something?
If helpful, versions are:
nfsen 1.3.6p1
nfdump 1.6.13
Thanks in advance,
Gabriela
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
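
Added example, not part of the original post and not nfdump code: the CSV value 101089739 equals 4396057035 modulo 2^32, which is consistent with a 32-bit wraparound of that one field and with rates below about 4.29 Gbps printing correctly. The sketch recomputes bps as bytes*8/duration for each CSV row and labels the reported `ipbs` value; the function name `check_rates` and the verdict strings are assumptions made for this illustration.

```python
import csv
import io

# Constructed sample: the per-IP CSV row quoted in the post, rejoined onto
# one line, with the address placeholder kept exactly as posted.
SAMPLE_CSV = (
    "ts,te,td,pr,val,fl,flP,ipkt,ipktP,ibyt,ibytP,ipps,ipbs,ibpp\n"
    "2016-03-15 11:39:45,2016-03-15 11:44:59,313.238,any,xx.yyy.zz.qqq,"
    "70302,100.0,128462900,100.0,172126514204,100.0,410112,101089739,1339\n"
)

WRAP = 2 ** 32  # size of an unsigned 32-bit counter


def check_rates(csv_text):
    """Recompute bps per row and compare it with the reported 'ipbs' column.

    Hypothetical helper for this example. Verdicts:
      ok            reported value matches bytes*8/duration
      wrapped-32bit reported value matches the expected rate modulo 2**32
      mismatch      neither of the above
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        duration = float(row["td"])
        if duration <= 0:
            continue  # a zero-duration record has no meaningful rate
        expected = int(int(row["ibyt"]) * 8 / duration)
        reported = int(row["ipbs"])
        # Allow a difference of 1 for rounding in the printed duration.
        if abs(reported - expected) <= 1:
            verdict = "ok"
        elif abs(reported - expected % WRAP) <= 1:
            verdict = "wrapped-32bit"
        else:
            verdict = "mismatch"
        findings.append({
            "dst": row["val"],
            "reported_bps": reported,
            "expected_bps": expected,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in check_rates(SAMPLE_CSV):
        print(finding)
```

When alerting on traffic spikes from CSV exports, computing the rate from the `ibyt` and `td` columns avoids depending on the rate column at all.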