[Ntop] inaccurate stats; 4.0.3; jflow from srx-240

[Gary Gatten]

Good morning,

I've recently enabled jflow on my SRX-240.  I have (2) in an active/passive 
cluster; and I'm "sampling" on the reth interface that's our private LAN - so I 
can see all traffic.  My sampling rate is set to "1" , so it "should" be 
counting every packet.  See my Juniper config below.

My Cisco switch port and the SRX show roughly equal throughput of about 40Mb/s 
- so at this point I believe this to be accurate.  Here's where ntop is 
throwing me off:

 - Plugins > Netflow Statistics show roughly half the actual throughput - such 
as 20Mb/s
 - Summary > Network Load shows FAR less; as in 2Mb/s  - or 1/20th actual 
throughput.

Of note: Plugins >  Netflow Stats show a LOT of lost flows:  Flows = 5.1M; Lost 
Flows = 3.9M.  Weird, and not good if it's accurate.  Our network is reliable, 
no way that many packets are getting lost along the way.  CPU on the ntop host 
is fine.  UDP RX queue for the netflow socket is usually zero, although one 
check showed it at 39K for an instant.  So, I'm not sure if there are really 
this many lost flows (doubt it) or if Juniper isn't properly sequencing the udp 
packets?

Generally I've found ntop netflow stats to be "accurate" - certainly not off by 
a factor of 20 - or even 2.

Any thoughts or next steps on this would be most appreciated.  I have a JTAC 
case open so will also post there.

TIA!

Gary

Jflow confs on SRX:

reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                sampling {
                    input;
                    output;
                }
                address 1.1.1.1/16;
            }
        }
    }

forwarding-options {
    sampling {
        input {
            rate 1;
            run-length 0;
            max-packets-per-second 10000;
        }
        family inet {
            output {
                flow-inactive-timeout 15;
                flow-active-timeout 60;
                flow-server 1.1.1.100 {
                    port 2111;
                    source-address 1.1.1.1;
                    version 5;





<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 
1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
</font>


_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop