Paolo Lucente
Mon, 22 Jun 2009 14:10:43 -0700
Hi Tony, On Sun, Jun 21, 2009 at 09:27:59PM -0700, Tony wrote:
> 1. How to cause nfacctd to reread it's config file without stopping & > restarting the process ? There is no way to work around that; all maps are reloadable at runtime by sending a SIGUSR2 signal. OTOH, SIGINT can be used to gracefully terminate the daemon (ie. flush cached data to the SQL database before exiting). > 2. Accuracy of stats ? There have been quite a few emails to the list on how > accurate netflow stats are and there have been instances where people have > been getting twice the numbers they should have and other where there was > huge spikes. In the testing I have done I am getting a discrepancy of 6-7% > of the bytes recorded. OK. Can you then scan those emails and come back with some more data about your case, ie. average imix and packets count other than bytes count? You might have read that one of the main causes for these descrepancies is accounting for L2 frames vs IP packets (which is what NetFlow does). This also means no non-IP packets (ie. ARPs or IS-IS chatting, if IS-IS is the routing protocol in use) and a good question mark on how, for example, fragmented traffic is handled by the NetFlow engine (discarded? Sent anyway with ports and IP protocol zeroed?). To conclude, for example: considering an imix of 500 bytes, Ethernet plus 802.1Q headers account for 18 bytes (or 3.5-4% of the accounted traffic); the toll becoming higher in case of more artistic encapsulations (ie. MPLS labels, PPPoX, GRE tunnelling just to cite a few). In general, you should not expect the statistics to be exactly the same. Let me know. Cheers, Paolo _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists