Yeah, SRX does not seem to support sflow, and the current jflow / sampled netflow is WAY off as suspected. Sure I can easily multiply some stats in ntop by 100, but would be cool if I didn't have to.
I just set my sampling rate to 1 to see what happens to my CPU, ntop stats, etc.

G

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of theodore e van iderstine
Sent: Thursday, June 16, 2011 9:50 AM
To: [email protected]
Subject: Re: [Ntop] Juniper sFlow configuration

On Thu, 2011-06-16 at 12:00 +0200, [email protected] wrote:

Message: 1
Date: Wed, 15 Jun 2011 20:43:21 -0500
From: Gary Gatten <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: [Ntop] Juniper *flow and ntop
Message-ID: <23403_1308188603_4df95fbb_23403_3_1_d9b37353831173459fdaa836d3b43499bf89c...@wadpmbxv0.waddell.com>
Content-Type: text/plain; charset="us-ascii"

Anyone using Juniper and nTop "successfully" care to share their configs? Specifically I have SRX 240's that APPEAR to export Netflow v5 records, HOWEVER, I can not say this with much certainty at this point. nTop configured to receive the SRX flow info with a netflow listener SEEMS OK, while an sflow listener dies a horrible death.

Anyway, although ntop processes the data OK at this point, there's the whole sampling / scaling issue. Juniper recommends sampling at 1/100 and prefers 1/1000, so at this point I'm guessing ntop is off by a factor of 100'ish (100 is my current sampling rate).

Any tips / guidance appreciated.
G

--snip--

Message: 2
Date: Wed, 15 Jun 2011 20:58:24 -0500
From: Gary Gatten <[email protected]>
To: "'[email protected]'" <[email protected]>
Subject: [Ntop] *flow sampling / scaling
Message-ID: <12141_1308189505_4df96341_12141_8502_1_d9b37353831173459fdaa836d3b43499bf89c...@wadpmbxv0.waddell.com>
Content-Type: text/plain; charset="us-ascii"

I just started messing with sflow and jflow (netflow?) and I have what seems to be a question back to 2005'ish. How to get ntop to .... multiply / scale the packet info received from a sampling device using sflow / jflow / whatever such that the displayed data reflects something as close to real world as possible.

I don't want to get into a debate about if sampling is "accurate" and what not. What I do want to solve is: if ntop only sees 1 of n packets (or flow record has 1 of n packets), what does ntop do with it? Obviously if ntop doesn't account for the sampling somehow, ntop reports will be off by apx. R, where R is the sampling rate; such as 100, 1000, etc. This is not good. But, can ntop simply multiply some (all?) values in the *flows by R?

Any thoughts on this would be great. I know a particular person with initials RJ that's been playing with sflow and rrd, perhaps he has some insight?

G

Here's my configuration (from an EX4200 running 10.4R3.4): if you are running an earlier version, the sample-rate was a single value that controlled both ingress and egress. It has been expanded to allow separate sampling rates.

I haven't actually verified that the counts received by nTop exactly match those of the interfaces themselves, but I did compare the traffic reported by ge-0/0/0.0 with the ifstats on my openFiler SAN (some time ago,) and they looked accurate. I just assumed that nTop and JUNOS were functioning as designed...
My nTop config for sflow follows my JUNOS protocol configuration.

    protocols {
        sflow {
            polling-interval 20;
            sample-rate {
                ingress 100;
                egress 100;
            }
            collector 192.168.x.y {    # my nTop server ip
                udp-port 6343;
            }
            interfaces ge-0/0/0.0 {
                polling-interval 20;
                sample-rate {
                    ingress 100;
                    egress 100;
                }
            }
            interfaces ge-0/0/1.0 {
                polling-interval 20;
                sample-rate {
                    ingress 100;
                    egress 100;
                }
            }
            interfaces ge-0/0/2.0 {
                polling-interval 20;
                sample-rate {
                    ingress 100;
                    egress 100;
                }
            }
            interfaces ge-0/0/3.0 {
                polling-interval 20;
                sample-rate {
                    ingress 100;
                    egress 100;
                }
            }
        }
    }

+++++++++++++++++++++++++++++++++++++++++++

    sFlow device: sFlow-device.2
    Flow Collector Local udp port: 6343
    virtual sflow addr: 192.168.x.0/255.255.255.0    # x is the same as 'x' above in the collector ip defined in JUNOS
    Filtering (none)
    Debug: off
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
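
Added example, not from any poster in this thread and not ntop's own code: a collector-side sketch of the "multiply by R" scaling asked about above, for NetFlow v5 datagrams. It reads the rate from the low 14 bits of the v5 header's sampling_interval field and, on the assumption that an exporter may leave that field at zero, falls back to an operator-supplied rate. The function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


def scale_v5_datagram(data, fallback_rate=1):
    """Parse one NetFlow v5 datagram and scale its counters by the sampling rate.

    The header's sampling_interval field holds a 2-bit mode and a 14-bit rate.
    If the rate is 0, fallback_rate (the rate configured on the exporter,
    supplied by the operator) is used instead.
    """
    if len(data) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_unused, sampling = HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("datagram truncated: fewer records than header count")
    rate = (sampling & 0x3FFF) or fallback_rate
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]),
            "dst": socket.inet_ntoa(f[1]),
            "packets": f[5] * rate,   # dPkts scaled to an estimate of real traffic
            "octets": f[6] * rate,    # dOctets scaled the same way
            "rate": rate,
        })
    return flows


def build_sample(sampling_field):
    """Constructed datagram: one TCP flow with 12 sampled packets / 9000 octets."""
    header = HEADER.pack(5, 1, 0, 0, 0, 0, 0, 0, sampling_field)
    record = RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"),
        socket.inet_aton("0.0.0.0"), 1, 2, 12, 9000, 0, 0,
        49152, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


if __name__ == "__main__":
    # Exporter advertises mode 1, rate 100 in the header.
    print(scale_v5_datagram(build_sample((1 << 14) | 100)))
    # Exporter leaves the field empty; operator supplies the configured rate.
    print(scale_v5_datagram(build_sample(0), fallback_rate=100))
```

Scaled counters are estimates of the true traffic; with no rate in the header and no fallback, the values stay at the raw sampled counts.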
