How are you getting your data from flow files into RRDs? Have you looked at flowscan? (http://net.doit.wisc.edu/~plonka/FlowScan/)
Remember, you won't get the same absolute values out of RRDTool as you put in. When you enter an absolute value in bytes, RRDTool stores the bytes/sec over that time, not the actual byte count. Therefore, storing the bps figures in an RRD is pretty much useless. Looking at your packet count, however, reveals the following: >From your second sample.: > TAGSTRING,99402240,150869,313287.741105,22.944365,52452000.000000 In 5 minutes (300 secs), there were 150869 packets. 150869/300=502.9 >From your RRD: packets=5.0290042074e+02 ie 502.9 packets/sec. Looks like you might be on the right track, but you need to read up on how RRDTool works. ----- Original Message ----- From: "Shane Dawalt" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Tuesday, September 20, 2005 6:27 AM Subject: [Flow-tools] rrd and netflow > > So I've been working towards a way to store flow-report data for > 5-minute flow files. RRD seemed the best way. However, after going > through the pain on my AMD64 box, I've arrived at a rather odd problem. > Shown below are the first two records for 5-minute flows. The first > group is from flow-report. The second group is from fetching data from > the rrd database. > > From flow-report: > # tag: TAGSTRING-TAGS > # first-flow 1127145749 Mon Sep 19 12:02:29 2005 > # last-flow 1127146045 Mon Sep 19 12:07:25 2005 > # recn: source-tag*,octets,packets,avg-bps,min-bps,max-bps > TAGSTRING,125699150,192982,354640.397566,22.630000,57176000.000000 > # first-flow 1127146044 Mon Sep 19 12:07:24 2005 > # last-flow 1127146344 Mon Sep 19 12:12:24 2005 > TAGSTRING,99402240,150869,313287.741105,22.944365,52452000.000000 > > From "rrdtool fetch <rrdfile> AVERAGE --start '12:00 09/19/05' --end > 'start +1 hour'": > > timestamp octets min-bps avg-bps > packets max-bps > > 1127145600: 3.2446881292e+05 6.6090286387e-02 9.7143092605e+02 > 5.9940418858e+02 1.0812780420e+05 > 1127145900: 2.2599923079e+05 6.5043735241e-02 9.6301899034e+02 > 5.0290042074e+02 7.1764395351e+04 > > The numbers from rrdtool aren't even close to those from flow-report. I > cannot believe they are correct ... but I've never played with rrdtool > before so I might be entering the fetch request wrong. (But if they are > correct then what are they telling me?) I suspect rrdtool may have a > problem running in 64-bit, but I don't have a 32-bit box to try it on. > Anyone care to comment? > > Shane > > _______________________________________________ > Flow-tools mailing list > [EMAIL PROTECTED] > http://mailman.splintered.net/mailman/listinfo/flow-tools > _______________________________________________ Flow-tools mailing list [EMAIL PROTECTED] http://mailman.splintered.net/mailman/listinfo/flow-tools
