Thanks Peter, The nfdump syntax you suggested appears to show that no sampling is being recorded by the flows:
[root@monitor01 ario]# /usr/local/bin/nfdump -E /opt/nfsen/profiles-data/live/bfr01-front/2013/01/04/nfcapd.201301041040 Exporters: SysID: 1, IP: 10.219.49.2, version: 9, ID: 2081, Sequence failures: 0, packets: 982, flows: 21296 SysID: 2, IP: 10.219.49.2, version: 9, ID: 2065, Sequence failures: 0, packets: 517, flows: 10535 [root@monitor01 ario]# /usr/local/bin/nfdump -E /opt/nfsen/profiles-data/live/bfr01-mowat/2013/01/04/nfcapd.201301041040 Exporters: SysID: 1, IP: 10.219.49.1, version: 9, ID: 2081, Sequence failures: 0, packets: 1379, flows: 31405 [root@monitor01 ario]# /usr/local/bin/nfdump -E /opt/nfsen/profiles-data/live/bfr01-hudson/2013/01/04/nfcapd.201301041040 Exporters: SysID: 1, IP: 10.219.49.11, version: 9, ID: 2049, Sequence failures: 0, packets: 1253, flows: 28579 [root@monitor01 ario]# Anyone using IOS-XR and have sampling working or know why it might not work? On 2013-01-04, at 6:46 AM, Peter Haag <ph...@users.sourceforge.net> wrote: > Hi Jason, > Whether or sampling is recognised by nfcapd can be checked in the syslog log > daemon file. > You should see sampling record information, when they are decoded. > > As you can have many exporters sending data, you may check for a given file > if sampling > records are found: > > ./nfdump -E tmp/nfcapd.201301041238 > This prints all exporters in a collectors file with appropriate sampling > records. If they are > missing, then no sampling is found. > > Exporters: > > SysID: 1, IP: 192.168.92.190, version: 9, ID: 0, Sequence failures: 0, > packets: 26, flows: 55 > Sampler for Exporter SysID: 1, Sampler: id: 1, mode: 2, interval: 5 > > In nfsen.conf, use the optarg tag in the sources array: > > 'optarg' => '-s 1000' > > Regards > > - Peter > > On 3/1/13 2:24 AM, Jason Lixfeld wrote: >> So it seems that this was quite an easy issue to fix: >> >> ! >> flow monitor-map fmm >> record ipv4 >> exporter fem >> ! >> >> That snippet will export srcas/dstas. >> >> Now then. I'm having an issue with sample rate. >> >> I have my sample-map set to 1 out of 1000: >> >> ! >> sampler-map sm >> random 1 out-of 1000 >> ! >> >> However my flows seem to be coming in unsampled: >> >> [root@monitor01 etc]# /usr/local/bin/nfdump -R >> /opt/nfsen/profiles-data/live/bfr01-front/2013/01/02/nfcapd.201301022010 -c >> 1 -o raw >> >> Flow Record: >> Flags = 0x06 Unsampled >> export sysid = 1 >> size = 92 >> first = 1357175370 [2013-01-02 20:09:30] >> last = 1357175389 [2013-01-02 20:09:49] >> msec_first = 558 >> msec_last = 930 >> src addr = 142.176.76.154 >> dst addr = 209.222.50.106 >> src port = 3860 >> dst port = 49960 >> fwd status = 64 >> tcp flags = 0x00 ...... >> proto = 17 >> (src)tos = 0 >> (in)packets = 6 >> (in)bytes = 8592 >> input = 17 >> output = 15 >> src as = 855 >> dst as = 14387 >> src mask = 23 142.176.76.0/23 >> dst mask = 20 209.222.48.0/20 >> dst tos = 0 >> direction = 0 >> bgp next hop = 72.15.50.104 >> ip router = 10.219.49.2 >> engine type = 0 >> engine ID = 0 >> received at = 1357175405769 [2013-01-02 20:10:05.769] >> >> Summary: total flows: 1, total bytes: 8592, total packets: 6, avg bps: 3548, >> avg pps: 0, avg bpp: 1432 >> Time window: 2013-01-02 19:51:47 - 2013-01-02 20:14:40 >> Total flows processed: 11396, Blocks skipped: 0, Bytes read: 1048556 >> Sys: 0.004s flows/second: 2280112.0 Wall: 0.004s flows/second: 2405234.3 >> [root@monitor01 etc]# >> >> I guess that means Cisco XR isn't exporting sample rate in one of the normal >> templates (from nfcapd(1): "tags #34, #35 or #48, #49, #50"). >> >> Do I use -s 1000? nfcapd is being called from nfsen and I can't find an >> option in nfsen.conf to set -s. Is there a way or do I have to not call >> nfcapd from nfsen and rather run the commands nfsen would otherwise run, >> manually? >> >> On 2012-12-27, at 10:44 AM, Jason Lixfeld <jason-nfsen-disc...@lixfeld.ca> >> wrote: >> >>> >>> On 2012-12-27, at 10:32 AM, Jason Lixfeld <jason-nfsen-disc...@lixfeld.ca> >>> wrote: >>> >>>> I suppose for the latter I can custom compile per the man page, but I >>>> don't know what to do about the -s bits. >>> >>> I may have to eat crow - I think I can only custom compile entire format >>> lines, not format tags themselves. Back to square one, perhaps? >>> >>> >>> ------------------------------------------------------------------------------ >>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, >>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current >>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft >>> MVPs and experts. ON SALE this month only -- learn more at: >>> http://p.sf.net/sfu/learnmore_122712 >>> _______________________________________________ >>> Nfsen-discuss mailing list >>> Nfsen-discuss@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss >> > > -- > Be nice to your netflow data. Use NfSen and nfdump :) ------------------------------------------------------------------------------ Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and much more. Get web development skills now with LearnDevNow - 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122812 _______________________________________________ Nfsen-discuss mailing list Nfsen-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
