Hi Jason,
Whether or sampling is recognised by nfcapd can be checked in the syslog log
daemon file.
You should see sampling record information, when they are decoded.
As you can have many exporters sending data, you may check for a given file if
sampling
records are found:
./nfdump -E tmp/nfcapd.201301041238
This prints all exporters in a collectors file with appropriate sampling
records. If they are
missing, then no sampling is found.
Exporters:
SysID: 1, IP: 192.168.92.190, version: 9, ID: 0, Sequence failures: 0,
packets: 26, flows: 55
Sampler for Exporter SysID: 1, Sampler: id: 1, mode: 2, interval: 5
In nfsen.conf, use the optarg tag in the sources array:
'optarg' => '-s 1000'
Regards
- Peter
On 3/1/13 2:24 AM, Jason Lixfeld wrote:
> So it seems that this was quite an easy issue to fix:
>
> !
> flow monitor-map fmm
> record ipv4
> exporter fem
> !
>
> That snippet will export srcas/dstas.
>
> Now then. I'm having an issue with sample rate.
>
> I have my sample-map set to 1 out of 1000:
>
> !
> sampler-map sm
> random 1 out-of 1000
> !
>
> However my flows seem to be coming in unsampled:
>
> [root@monitor01 etc]# /usr/local/bin/nfdump -R
> /opt/nfsen/profiles-data/live/bfr01-front/2013/01/02/nfcapd.201301022010 -c 1
> -o raw
>
> Flow Record:
> Flags = 0x06 Unsampled
> export sysid = 1
> size = 92
> first = 1357175370 [2013-01-02 20:09:30]
> last = 1357175389 [2013-01-02 20:09:49]
> msec_first = 558
> msec_last = 930
> src addr = 142.176.76.154
> dst addr = 209.222.50.106
> src port = 3860
> dst port = 49960
> fwd status = 64
> tcp flags = 0x00 ......
> proto = 17
> (src)tos = 0
> (in)packets = 6
> (in)bytes = 8592
> input = 17
> output = 15
> src as = 855
> dst as = 14387
> src mask = 23 142.176.76.0/23
> dst mask = 20 209.222.48.0/20
> dst tos = 0
> direction = 0
> bgp next hop = 72.15.50.104
> ip router = 10.219.49.2
> engine type = 0
> engine ID = 0
> received at = 1357175405769 [2013-01-02 20:10:05.769]
>
> Summary: total flows: 1, total bytes: 8592, total packets: 6, avg bps: 3548,
> avg pps: 0, avg bpp: 1432
> Time window: 2013-01-02 19:51:47 - 2013-01-02 20:14:40
> Total flows processed: 11396, Blocks skipped: 0, Bytes read: 1048556
> Sys: 0.004s flows/second: 2280112.0 Wall: 0.004s flows/second: 2405234.3
> [root@monitor01 etc]#
>
> I guess that means Cisco XR isn't exporting sample rate in one of the normal
> templates (from nfcapd(1): "tags #34, #35 or #48, #49, #50").
>
> Do I use -s 1000? nfcapd is being called from nfsen and I can't find an
> option in nfsen.conf to set -s. Is there a way or do I have to not call
> nfcapd from nfsen and rather run the commands nfsen would otherwise run,
> manually?
>
> On 2012-12-27, at 10:44 AM, Jason Lixfeld <jason-nfsen-disc...@lixfeld.ca>
> wrote:
>
>>
>> On 2012-12-27, at 10:32 AM, Jason Lixfeld <jason-nfsen-disc...@lixfeld.ca>
>> wrote:
>>
>>> I suppose for the latter I can custom compile per the man page, but I don't
>>> know what to do about the -s bits.
>>
>> I may have to eat crow - I think I can only custom compile entire format
>> lines, not format tags themselves. Back to square one, perhaps?
>>
>>
>> ------------------------------------------------------------------------------
>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>> MVPs and experts. ON SALE this month only -- learn more at:
>> http://p.sf.net/sfu/learnmore_122712
>> _______________________________________________
>> Nfsen-discuss mailing list
>> Nfsen-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
>
--
Be nice to your netflow data. Use NfSen and nfdump :)
------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
