Burton Strauss
Tue, 12 Jul 2005 06:23:23 -0700
Most sampling - including the sFlow paper - assumes a normal distribution (ye olde bell curve). Thus you can establish confidence intervals for your sample as long as the sampling is truly random. Two flaws: (1) 1/n sampling is NOT random. (2) There are studies that show that internet traffic is in fact better described as fractal. At that point, whether sampling works is up for grabs. Still, a sampling based methodology will give you SOME indications about your data. What you make of it is up to you. Just as you can always push an analogy too far, you can push samples too far. -----Burton WRT (1), 1/n where n is even really bothers me, since lots of protocols are asymmetric, favoring one direction or the other. With these, perhaps after an initial request, the traffic becomes: (large packet of data) -> (small ack packet) <- Which means you see only one type in your 1/n sample. Is this a real problem? No clue - but keep an eye on sampled outputs and be willing to adjust if it seems counter to your real network experience. netFlow also offers some aggregation options (http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/12 0t/120t3/netflow.htm). You would have to add v8 to the plugin, but that doesn't look that hard (first glance) as the v8 packet is described as a subset of v5 which ntop does support. -----Original Message----- From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Chris Moore Sent: Tuesday, July 12, 2005 7:24 AM To: ntop@Unipi.IT Subject: RE: [Ntop] netflow sampling rate Why sampling is not fatally flawed: http://www.sflow.org/packetSamplingBasics/index.htm Of course this only works if you can except some degree of inaccuracy and if sufficient data is sent/received. With 1/64 sampling rate you can achieve very good accuracy. But if you're looking for a single packet or a couple packets an hour or something like that, you won't see it accurately. I was talking with Luca some time back about adding a multiplier function like Ryan describes, but I don't know if any progress has been made or even if this is still on his radar...... Chris -----Original Message----- From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Burton Strauss Sent: Monday, July 11, 2005 4:40 PM To: ntop@Unipi.IT Subject: RE: [Ntop] netflow sampling rate I don't think you can - sampling is usually a function of the COLLECTOR not the receiver (ntop). Scaling is very different than sampling, btw. And any assumption that 1/64th the traffic is a good metric for 1/1th the traffic is probably fatally flawed unless you really, really understand your traffic. -----Burton -----Original Message----- From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Brgomeistr Sent: Monday, July 11, 2005 3:50 PM To: [EMAIL PROTECTED] Subject: [Ntop] netflow sampling rate How do I set the sampling rate for a netflow interface? I have created a netflow interface (NetFlow-device.2) using the netflow device plugin, but am unable to find a way to set the sampling rate for this interface. I see that you can modify the sampling rate for local interface using "Configure > Startup Options". I am currently exporting netflow data (at a sampled rate of 1 out of every 64 packets) from a router to the ntop server. This data must be scaled (x64) to properly indicate the amount of traffic flowing through the router's interface. Is there a way to do this via the netflow collector included with ntop? Thanks, -ryan __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com _______________________________________________ Ntop mailing list Ntop@unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list Ntop@unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop ********************************************************************** Confidential/Proprietary Note The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system. Thank you. Guardian Mtg Documents, Inc. 225 Union Boulevard, Suite 200 Lakewood, CO 80228. ********************************************************************** _______________________________________________ Ntop mailing list Ntop@unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list Ntop@unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop