I've had that happen before. It turned out my router was dropping records in its netflow reporting. I had to increase the memory allocation for netflow on the router (Enterasys Xpedition).
I also changed the reporting frequency to 60 minutes. Short duration flows are still reported as they expire but longer flows are not reported except on the hour.

Zoltan

On Thursday 09 September 2004 20:03, Michael Bellears wrote:
> We have a DSL client who occasionally (2 days a month) has 4G worth of
> downloads.
>
> Looking at the traffic for the affected days, I am seeing the
> following...
>
> Port is always random:
>
> ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
> ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet |
> ./flow-stat -f6 -S2|more
> # --- ---- ---- Report Information --- --- ---
> #
> # Fields: Total
> # Symbols: Disabled
> # Sorting: Descending Field 2
> # Name: UDP/TCP source port
> #
> # Args: ./flow-stat -f6 -S2
> #
> #
> # port flows octets packets
> #
> 3233 2 4294967446 3
> 80 180 784671 1364
>
> Flows + Packets are always very minimal, but Octets large:
>
> # ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
> ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet|
> ./flow-stat -f6 -S2|more
> # --- ---- ---- Report Information --- --- ---
> #
> # Fields: Total
> # Symbols: Disabled
> # Sorting: Descending Field 2
> # Name: UDP/TCP source port
> #
> # Args: ./flow-stat -f6 -S2
> #
> #
> # port flows octets packets
> #
> 3233 2 4294967446 3
> 80 180 784671 1364
>
> Always protocol 6:
>
> ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
> ./flow-filter -f netflow_acls/minter_palm_beach.acl -D subnet|
> ./flow-stat -f12|more
> # --- ---- ---- Report Information --- --- ---
> #
> # Fields: Total
> # Symbols: Disabled
> # Sorting: None
> # Name: IP protocol
> #
> # Args: ./flow-stat -f12
> #
> #
> # protocol flows octets packets
> #
> 50 1 1152 8
> 17 282 101586 325
> 6 1746 4296584503 6246
> 1 75 4514 83
>
> Always from single IP (this IP is different every time):
>
> # ./flow-cat -a /netflow/oar/krc3.v5/2004/2004-08/2004-08-02/ |
> ./flow-stat -f10 -S3 |grep 203.149.69.54|more
> 66.183.10.168 203.149.69.54 2 4294967446 3
>
> Anyone have any idea what could cause this type of traffic?
>
> Regards,
> MB
>
> _______________________________________________
> Flow-tools mailing list
> [EMAIL PROTECTED]
> http://mailman.splintered.net/mailman/listinfo/flow-tools
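
The quoted report shows 3 packets accounting for 4294967446 octets. As an added example (not part of either message), the shell function below reads a flow-stat report and prints rows whose average bytes per packet exceed 65535, the largest possible IPv4 packet, so the octet count cannot be an accurate measurement. The function names are hypothetical, and it assumes IPv4 traffic and the column layout quoted above (key columns followed by flows, octets, packets).

```shell
#!/bin/sh
# Added example, not from the thread. Input: a flow-stat report on stdin whose
# last three columns are flows, octets, packets (the layout quoted above).
# Assumption: IPv4 traffic, so no single packet can exceed 65535 bytes.
MAX_IP_LEN=65535

# Print every row whose average bytes per packet is impossible for IPv4.
suspect_rows() {
    awk -v max="$MAX_IP_LEN" '
        /^#/ || NF < 4 { next }                  # report header or blank line
        {
            flows = $(NF-2); octets = $(NF-1); packets = $NF
            if (octets !~ /^[0-9]+$/ || packets !~ /^[0-9]+$/) { next }
            key = $1                             # port, protocol, or src/dst pair
            for (i = 2; i <= NF - 3; i++) { key = key " " $i }
            if (packets + 0 == 0) {              # octets counted with no packets
                if (octets + 0 > 0) {
                    printf "%s flows=%s octets=%s packets=0 avg=inf\n", key, flows, octets
                }
                next
            }
            avg = octets / packets
            if (avg > max) {
                printf "%s flows=%s octets=%s packets=%s avg=%.0f\n", key, flows, octets, packets, avg
            }
        }'
}

# Rows copied from the -f6 report quoted in the message above.
sample_report() {
    cat <<'EOF'
# port flows octets packets
#
3233 2 4294967446 3
80 180 784671 1364
EOF
}

sample_report | suspect_rows
```

Append `| suspect_rows` to any of the flow-stat pipelines above in place of `|more` to list only the rows that fail the check.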
