ma hao writes:
> I am running two flow-captures at two servers, one is sun v880,
> which is directly connected with Cat6509, and another is dell 1850,
> which is connecting the same Cat6509 through two switches, but
> through flow-header I found the similar flow drops, below are the
> drop messages from these two collectors.

I assume you are using hardware Netflow (NDE) on a Supervisor II or
Supervisor 720. Is that correct?

> Cat6509 provides two access links for our campus, this traffic of
> two links is 350/416 Mbps(in/out average) and 283/462 Mbps(in/out
> average), which is a huge traffic per day,

Yes, that's a lot of traffic - although we have similar rates here and
don't experience any flow loss (we're not using flow-tools though).
What's more important is the number of flows that your router exports.

> the storage volume is about 6G(compressed). and Cat 6509 exports the
> two links' netflow to the two above flow-collectors.

So you are using the multiple Netflow export destinations feature.
Personally I never dared to turn that on, because I am worried about
the router CPU load that this would cause. Does "show mls nde" show
positive numbers for any of the various types of export failure?

What I do is that I export to one host only, and on that host I run a
UDP packet-copier that sends one copy of each Netflow datagram to a
local consumer (such as flow-tools), and another copy to the next
machine.

The other thing is that NDE, at least on the Sup2 and Sup720, exports
flows in bursts, rather than regularly. So every eight (I think)
seconds the router will send a large number of Netflow export packets
back-to-back. So if you export through a path with other traffic, or
with lower-speed links, then you will need lots of buffering in the
network. In any case, you will need large buffers in the receiving
system, which means large UDP receive buffers. The flow-capture man
page includes some hints on how to check for this. Flow-capture seems
to set the UDP receive buffer to 4 MB by default. If you see that UDP
buffer overflows are a problem for you, you could try recompiling
flow-tools with FT_SO_RCV_BUFSIZE redefined to a larger value.

> From the drop messages, it seems it has some relationship with
> realtime traffic throughput, 4am-8am is low throughput, and other
> time is high throughput, especially about 10pm.
> Well, my question is that this drop data is caused by flow-capture
> or by server's tcp/ip stack or by udp's unreliable mechanism or by
> cisco netflow's export mechanism? and are there any advice for
> resolving or relieving the drop question?

Hopefully one of the hints above helps.
-- 
Simon.
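
Added example, not part of the original message and not flow-tools code: a minimal UDP packet-copier of the kind described above, which requests a large receive buffer, reports what the kernel actually granted, and counts flows already missing when datagrams arrive. It assumes the router exports NetFlow version 5; the function names, ports and addresses are constructed for illustration.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")  # NetFlow v5 export header, 24 bytes

def open_receiver(bind_addr, want_rcvbuf=4 * 1024 * 1024):
    """Bind the UDP socket and return it with the receive buffer size granted."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, want_rcvbuf)
    rx.bind(bind_addr)
    # The kernel may clamp the request (on Linux, to net.core.rmem_max).
    return rx, rx.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)

def missing_flows(expected, src, datagram):
    """Return the number of flows lost before this datagram (v5 flow_sequence)."""
    if len(datagram) < V5_HEADER.size:
        return 0
    version, count, _, _, _, seq, etype, eid, _ = V5_HEADER.unpack_from(datagram)
    if version != 5:
        return 0
    key = (src[0], etype, eid)           # each export engine keeps its own counter
    gap = (seq - expected.get(key, seq)) % 2**32
    if gap >= 2**31:                     # late or reordered datagram: keep position
        return 0
    expected[key] = (seq + count) % 2**32
    return gap

def copy_datagrams(rx, destinations, limit=None):
    """Send an unchanged copy of each datagram to every destination.
    Copies carry this host's source address, not the router's.
    Returns (datagrams_copied, flows_missing_on_arrival)."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    expected, copied, lost = {}, 0, 0
    while limit is None or copied < limit:
        data, src = rx.recvfrom(65535)
        lost += missing_flows(expected, src, data)
        for dst in destinations:
            tx.sendto(data, dst)
        copied += 1
    tx.close()
    return copied, lost

if __name__ == "__main__":
    rx, granted = open_receiver(("0.0.0.0", 9995))   # constructed listen port
    print("SO_RCVBUF granted:", granted)
    copy_datagrams(rx, [("127.0.0.1", 9996), ("192.0.2.10", 9995)])  # constructed
```

A non-zero missing count at the copier means the loss happened at the router, in the network, or in this host's socket buffer, before any collector saw the data.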
