Interesting, I'll see if the SRX can do something similar. Thanks for the info!
From: theodore e van iderstine [mailto:[email protected]]
Sent: Thursday, June 16, 2011 09:49 AM
To: [email protected] <[email protected]>
Subject: Re: [Ntop] Juniper sFlow configuration

On Thu, 2011-06-16 at 12:00 +0200, [email protected] wrote:

Message: 1
Date: Wed, 15 Jun 2011 20:43:21 -0500
From: Gary Gatten <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: [Ntop] Juniper *flow and ntop
Message-ID: <23403_1308188603_4df95fbb_23403_3_1_d9b37353831173459fdaa836d3b43499bf89c...@wadpmbxv0.waddell.com>
Content-Type: text/plain; charset="us-ascii"

Anyone using Juniper and nTop "successfully" care to share their configs?

Specifically I have SRX 240's that APPEAR to export Netflow v5 records, HOWEVER, I can not say this with much certainty at this point. nTop configured to receive the SRX flow info with a netflow listener SEEMS OK, while an sflow listener dies a horrible death.

Anyway, although ntop processes the data OK at this point, there's the whole sampling / scaling issue. Juniper recommends sampling at 1/100 and prefers 1/1000, so at this point I'm guessing ntop is off by a factor of 100'ish (100 is my current sampling rate).

Any tips / guidance appreciated.

G

--snip--

Message: 2
Date: Wed, 15 Jun 2011 20:58:24 -0500
From: Gary Gatten <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: [Ntop] *flow sampling / scaling
Message-ID: <12141_1308189505_4df96341_12141_8502_1_d9b37353831173459fdaa836d3b43499bf89c...@wadpmbxv0.waddell.com>
Content-Type: text/plain; charset="us-ascii"

I just started messing with sflow and jflow (netflow?) and I have what seems to be a question back to 2005'ish. How to get ntop to .... multiply / scale the packet info received from a sampling device using sflow / jflow / whatever such that the displayed data reflects something as close to real world as possible.

I don't want to get into a debate about if sampling is "accurate" and what not. What I do want to solve is: if ntop only sees 1 of n packets (or flow record has 1 of n packets), what does ntop do with it? Obviously if ntop doesn't account for the sampling somehow, ntop reports will be off by approx. R, where R is the sampling rate; such as 100, 1000, etc. This is not good. But, can ntop simply multiply some (all?) values in the *flows by R?

Any thoughts on this would be great. I know a particular person with initials RJ that's been playing with sflow and rrd, perhaps he has some insight?

G

Here's my configuration (from an EX4200 running 10.4R3.4): if you are running an earlier version, the sample-rate was a single value that controlled both ingress and egress. It has been expanded to allow separate sampling rates.

I haven't actually verified that the counts received by nTop exactly match those of the interfaces themselves, but I did compare the traffic reported by ge-0/0/0.0 with the ifstats on my openFiler SAN (some time ago,) and they looked accurate. I just assumed that nTop and JUNOS were functioning as designed...

My nTop config for sflow follows my JUNOS protocol configuration.

protocols {
    sflow {
        polling-interval 20;
        sample-rate {
            ingress 100;
            egress 100;
        }
        collector 192.168.x.y {    #my nTop server ip
            udp-port 6343;
        }
        interfaces ge-0/0/0.0 {
            polling-interval 20;
            sample-rate {
                ingress 100;
                egress 100;
            }
        }
        interfaces ge-0/0/1.0 {
            polling-interval 20;
            sample-rate {
                ingress 100;
                egress 100;
            }
        }
        interfaces ge-0/0/2.0 {
            polling-interval 20;
            sample-rate {
                ingress 100;
                egress 100;
            }
        }
        interfaces ge-0/0/3.0 {
            polling-interval 20;
            sample-rate {
                ingress 100;
                egress 100;
            }
        }
    }
}

+++++++++++++++++++++++++++++++++++++++++++

sFlow device: sFlow-device.2
Flow Collector
    Local udp port: 6343
    virtual sflow addr: 192.168.x.0/255.255.255.0    # x is the same as 'x' above in the collector ip defined in JUNOS
Filtering (none)
Debug: off

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
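
Added example, not part of the thread and not ntop's code: on the scaling question above, an sFlow v5 flow sample carries its own sampling rate, so a collector can multiply each sampled frame by that rate. The sketch assumes an IPv4 agent address and plain (non-expanded) flow samples; `build_datagram` and `estimate_traffic` are hypothetical names, and the datagram is constructed test input.

```python
import struct

FLOW_SAMPLE = 1   # sFlow v5 sample type: flow sample (enterprise 0, format 1)
RAW_HEADER = 1    # flow record type: raw packet header

def build_datagram(samples):
    """Constructed test input: one flow sample per (sampling_rate, frame_length)."""
    out = struct.pack("!II4sIIII", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, len(samples))
    for seq, (rate, frame_len) in enumerate(samples, 1):
        header = b"\x00" * 16                      # dummy sampled header bytes
        rec = struct.pack("!IIII", 1, frame_len, 4, len(header)) + header
        body = struct.pack("!8I", seq, 1, rate, seq * rate, 0, 1, 2, 1)
        body += struct.pack("!II", RAW_HEADER, len(rec)) + rec
        out += struct.pack("!II", FLOW_SAMPLE, len(body)) + body
    return out

def estimate_traffic(datagram):
    """Return (estimated_packets, estimated_bytes), scaled by each sample's own rate."""
    version, addr_type = struct.unpack_from("!II", datagram, 0)
    if version != 5 or addr_type != 1:
        raise ValueError("only sFlow v5 with an IPv4 agent address is handled")
    (num_samples,) = struct.unpack_from("!I", datagram, 24)
    off, pkts, octets = 28, 0, 0
    for _ in range(num_samples):
        s_type, s_len = struct.unpack_from("!II", datagram, off)
        off, end = off + 8, off + 8 + s_len
        if end > len(datagram):
            raise ValueError("truncated sample")
        if s_type == FLOW_SAMPLE:                  # counter samples are skipped
            fields = struct.unpack_from("!8I", datagram, off)
            rate, n_rec = fields[2], fields[7]
            pkts += rate                           # one sampled packet stands for `rate` packets
            pos = off + 32
            for _ in range(n_rec):
                r_type, r_len = struct.unpack_from("!II", datagram, pos)
                if r_type == RAW_HEADER:
                    _proto, frame_len = struct.unpack_from("!II", datagram, pos + 8)
                    octets += rate * frame_len     # frame_len is the original on-wire length
                pos += 8 + r_len
        off = end
    return pkts, octets
```

Because the rate is read per sample, interfaces or directions configured with different sample-rate values scale correctly within the same datagram.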
