Hi Paolo,That makes +2 for Ostinato so far. I actually did play with that earlier today, but couldn't make to actually send traffic. Guess I should try again tomorrow. I did manage to get BRUTE [https://code.google.com/p/brute/] to generate between 100 and 200 Mbps semi-random UDP traffic, which is a start. Which brings me to another complication I ran into: After sending about 5 million packets (~170Kpps during 30 seconds), I receive only roughly 150 sFlow packets containing a couple hundred flow tops. Which is at least a factor 1000 less than I'd expect given the configured sample interval of 50. Just now I noticed something else as well: my last BRUTE run was hours ago, but still every file written by sfacctd's print plugin yields one record. Apparently the switch buffered the sFlow packets and is now emptying its buffer at a *very* low rate.
As for the ports, I meant to say interfaces ;-) So I did a snmpwalk against the switch and this told that those interface numbers 211 and 48 correspond to respectively trk2 (2nd configured trunk) and port 48. So far, so good. The number 1073741823 doesn't show up at all in the snmpwalk though, which is rather odd. Then again the number is 0x3FFFFFFF which is probably something "special".
Sometimes writing mails like these help you figure out things by yourself, or at least partially so:
# show sflow 1 sampling-polling
Port | Sampling Dropped | Polling
| Enabled Rate Header Samples | Enabled Interval
----- + ------- -------- ------ ---------- + ------- --------
Trk2 Yes(1) 50 128 896099398 Yes(1) 20
That's a ton of dropped samples. The whole goal of going with sFlow was
to be able to handle excessive spikes in traffic, while retaining plenty
of accuracy as well. Perhaps I'll just have to reach out to HP for more
info on this all. As their documentation is pretty darn scarce regarding
this subject.
Regards, Ruben On 2014-01-23 14:50, Paolo Lucente wrote:
Hi Ruben, Those are input and ouput interfaces of the switch, expressed as SNMP ifIndexes. If you see later in the CSV you have SRC_PORT and DST_PORT fields which are zero - making sense since the packets IP protocol is ICMP. In general, if you see anything strange with sFlow and want to debug or confirmation whether it's pmacct or the switch, you can resort to sflowtool. On your question about the free traffic generator: +1 for Ostinato. Cheers, Paolo On Thu, Jan 23, 2014 at 08:28:18AM +0100, Ruben Laban wrote:Hi, I'm currently in the process of migrating from a monitoring and accounting setup based on pmacctd/libpcap to sfacctd/sflow. However, while doing so I ran into a few things: * Can sfacctd somehow also "process" the polled (interface globals) data? * How can one "decipher" the IN_IFACE and OUT_IFACE fields? For example: TAG,TAG2,CLASS,SRC_MAC,DST_MAC,VLAN,COS,ETYPE,SRC_AS,DST_AS,BGP_COMMS,AS_PATH,PREF,MED,PEER_SRC_AS,PEER_DST_AS,PEER_SRC_IP,PEER_DST_IP,IN_IFACE,OUT_IFACE,MPLS_VPN_RD,SRC_IP,DST_IP,SRC_MASK,DST_MASK,SRC_PORT,DST_PORT,TCP_FLAGS,PROTOCOL,TOS,PACKETS,FLOWS,BYTES 0,0,unknown,00:00:00:00:00:00,00:00:00:00:00:00,0,0,0,0,0,0,,0,0,0,0,10.255.255.12,,211,48,0:0:0,10.255.255.2,10.255.255.1,0,0,0,0,0,icmp,0,2,0,204 0,0,unknown,00:00:00:00:00:00,00:00:00:00:00:00,0,0,0,0,0,0,,0,0,0,0,10.255.255.12,,1073741823,1073741823,0:0:0,10.255.255.1,10.255.255.2,0,0,0,0,0,icmp,0,1,0,102 I have a continuous ping running between 10.255.255.1 and 10.255.255.2 which passes ports that are sampled by sFlow. However, the ports 211, 48 and 1073741823 look rather bogus to me. So either my switches (HP 2920) send garbled data, or some more effort is needed to turn it into something useful. On a slightly related note, but probably rather off-topic: what are commonly used free methods of generating lots of network traffic. Ideally it would be something that could create several hundred Mbps of random traffic. Regards, Ruben _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
