On Wed, Oct 28, 2009 at 15:00, Paolo Lucente <pa...@pmacct.net> wrote:
> Hi Nik,
>
> On Wed, Oct 28, 2009 at 12:47:49PM -0500, Nik Martin wrote:
>
>> If I loosen the aggregation filters up to just dst_host and src_host,
>> I get only slightly more information over a 5 minute period, like
>> this:
>
> Let's say you remove the filters at all, you see what you expect? If
> you "loosen" the filter to only src_host/dst_host it will match only
> non-VLAN tagged traffic to the specified src_host/dst_host (keep in
> mind, it's all tcpdump-style filters). You expect traffic in VLAN 78
> but a 'vlan 78' filter doesn't match: I'm wondering if the switch is
> encoding VLAN information in the sFlow datagram; having the traces
> is it something you manage to double-check? Otherwise feel free to
> send one of them over privately so that I can have a look for you.
>
> Cheers,
> Paolo
>

I have the traces, if I can see them in some sort of tool like Wireshark with an sFlow plugin, otherwise, I'll shoot you a sample.

If I turn off all filters, I still only see a portion of what I capture in ngrep on the same machine, which leads me to believe I'm still missing data.

Regards,
Nik

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists