On Thu, 2011-06-16 at 12:00 +0200, [email protected] wrote:
> Message: 1 > Date: Wed, 15 Jun 2011 20:43:21 -0500 > From: Gary Gatten <[email protected]> > To: "'[email protected]'" <[email protected]> > Subject: [Ntop] Juniper *flow and ntop > Message-ID: > > <23403_1308188603_4df95fbb_23403_3_1_d9b37353831173459fdaa836d3b43499bf89c...@wadpmbxv0.waddell.com> > > Content-Type: text/plain; charset="us-ascii" > > Anyone using Juniper and nTop "successfully" care to share their configs? > > Specifically I have SRX 240's that APPEAR to export Netflow v5 records, > HOWEVER, I can not say this with much certainty at this point. nTop > configured to receive the SRX flow info with a netflow listener SEEMS OK, > while an sflow listener dies a horrible death. > > Anyway, although ntop processes the data OK at this point, there's the whole > sampling / scaling issue. Juniper recommends sampling at 1/100 and prefers > 1/1000, so at this point I'm guessing ntop is off by a factor of 100'ish (100 > is my current sampling rate) > > Any tips / guidance appreciated. > > G > > --snip-- > > - > Message: 2 > Date: Wed, 15 Jun 2011 20:58:24 -0500 > From: Gary Gatten <[email protected]> > To: "'[email protected]'" <[email protected]> > Subject: [Ntop] *flow sampling / scaling > Message-ID: > > <12141_1308189505_4df96341_12141_8502_1_d9b37353831173459fdaa836d3b43499bf89c...@wadpmbxv0.waddell.com> > > Content-Type: text/plain; charset="us-ascii" > > I just started messing with sflow and jflow (netflow?) and I have what seems > to be a question back to 2005'ish. How to get ntop to .... multiply / scale > the packet info received from a sampling device using sflow / jflow / > whatever such that the displayed data reflects something as close to real > world as possible. > > I don't want to get into a debate about if sampling is "accurate" and what > not. What I do want to solve is: if ntop only sees 1 of n packets (or flow > record has 1 of n packets), what does ntop do with it? Obviously if ntop > doesn't account for the sampling somehow, ntop reports will be off my apx. R, > where R is the sampling rate; such as 100, 1000, etc. This is not good. > But, can ntop simply multiply some (all?) values in the *flows by R? > > Any thoughts on this would be great. I know a particular person with > initials RJ that's been playing with sflow and rrd, perhaps he has some > insight? > > G > > Here's my configuration (from an EX4200 running 10.4R3.4: if you are running an earlier version, the sample-rate was a single value that controlled both ingress and egress. It has been expanded to allow separate sampling rates. I haven't actually verified that the counts received by nTop exactly match those of the interfaces themselves, but I did compare the traffic reported by ge-0/0/0.0 with the ifstats on my openFiler SAN (some time ago,) and they looked accurate. I just assumed that nTop and JUNOS were functioning as designed... My nTop config for sflow follows my JUNOS protocol configuration. protocols { sflow { polling-interval 20; sample-rate { ingress 100; egress 100; } collector 192.168.x.y { #my nTop server ip udp-port 6343; } interfaces ge-0/0/0.0 { polling-interval 20; sample-rate { ingress 100; egress 100; } } interfaces ge-0/0/1.0 { polling-interval 20; sample-rate { ingress 100; egress 100; } } interfaces ge-0/0/2.0 { polling-interval 20; sample-rate { ingress 100; egress 100; } } interfaces ge-0/0/3.0 { polling-interval 20; sample-rate { ingress 100; egress 100; } } } } +++++++++++++++++++++++++++++++++++++++++++ sFlow device: sFlow-device.2 Flow Collector Local udp port: 6343 virtual sflow addr: 192.168.x.0/255.255.255.0 # x is the same as 'x' above in the collector ip definedin JUNOS Filtering (none) Debug: off
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
