Thanks for this info. When I switched to a static version of nprobe 4.1,
the numbers looked much more 'on target'.  So there is something going
on with fprobe unfortunately.

At this point I'm going to compile nprobe 4.1 using the mmap patched
libpcap I have on the box and see if it can keep up with the traffic
better.  Even though the static nprobe was reporting loss, the flows
sent to nfdump/nfsen were much more accurate and lined up with the snmp
stats of the interface.

So far, response on the nfdump/nfsen install has been very favorable,
thanks for a great piece of work!!

-Robin


-----Original Message-----
From: Peter Haag [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 10, 2007 5:17 AM
To: Brown, Robin; [email protected]
Subject: Re: [Nfdump-discuss] Discrepency in BPS when using nfcapd vs
flow-capture

Hi Robin,
I can not really tell you what could be wrong. The numbers we see seem
pretty much what we expect. Maybe a few remarks on how the numbers are
generated.

The statistics are created for every 5 min slot according to the
accumulated values from the flows exported during that 5 min timeslot.
The accumulated byte counter from all flows is divided by 300s to get
the average bps for that time slot. This is also the value pumped into
the RRD DB for creating the graphs. Scaling of RRD and the values in the
stat table are 1K = 1000 as of snapshot 20070312.

If your flows are sampled, then your values may be way off, as sampling
is not (yet) taken into account. The rough guess is a multiplication
with the sampling rate.

The error you see in your log file does not do any harm. It simply says
that there was 1 sequence error during the last 5 minutes when
collecting the flow data. So 1 packet was missing in that flow sequence.
If you take the Bytes count and divide it by 300, you get the average
bps value.

    - Peter


--On May 9, 2007 11:44:16 -0400 "Brown, Robin" <[EMAIL PROTECTED]> wrote:

| I was using flow-capture/flowscan, but it couldn't keep up.  Flowscan
| took longer than 5 minutes to process the flow file so by the end of
| the day it got really far behind.  But the data that was reported in
| bps was very close to the interface stats pulled via snmp.
|
| I'm trying nfdump/nfsen and the numbers are way off.  I am not
| exporting flows from a router, I have fprobe running and converting
| span traffic to flows and sending those to the server running
| nfdump/nfsen.  This was the same configuration when I was using the
| flow-tools suite, fprobe to the server running flow-capture and
| flowscan.  The bps shown in the graphs generated by nfdump/nfsen are
| not even close to the interface stats.
|
| I'm using nfdump-snapshot-20070312 and nfsen-snapshot-20070312.  Am I
| missing something?  Do I need to tweak something?  I like nfdump/nfsen
| it is faster when searching thru flow data.  I'm just not sure I'm
| seeing accurate data right now.
|
| The only errors in the log are an occasional sequence error:
| /usr/local/bin/nfcapd[12071]: Ident: 'ehprobe2' Flows: 3558830, Packets: 28941156, Bytes: 6628366421, Sequence Errors: 1, Bad Packets: 0
|
| Would that be enough to cause this issue?  I'm probably also dropping
| some flows but I was b4 with flow-tools and the numbers were not this
| far off.
|
| Any assistance will be appreciated.
|
| Regards,
| Robin



--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box,  CH-8021   Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/


_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
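
The per-slot arithmetic described in the thread, as an added example that is not part of the original messages and is not nfdump/nfsen code: it parses nfcapd summary lines, derives average rates over the 300 s slot with the 1K = 1000 scaling and the sampling multiplication, and compares the byte count against an SNMP octet delta. Assumptions: the function names are hypothetical, the second log line and the SNMP figure used in testing are constructed, and the bits-per-second value assumes a plain multiplication by 8.

```python
import re

SLOT_SECONDS = 300  # length of one nfcapd time slot, as described in the thread

# Constructed sample input: line 1 is the log line quoted in the thread,
# line 2 is invented here to show a sampled exporter.
SAMPLE_LOG = """\
/usr/local/bin/nfcapd[12071]: Ident: 'ehprobe2' Flows: 3558830, Packets: 28941156, Bytes: 6628366421, Sequence Errors: 1, Bad Packets: 0
/usr/local/bin/nfcapd[12071]: Ident: 'sampled1' Flows: 10, Packets: 100, Bytes: 3000000, Sequence Errors: 0, Bad Packets: 0
"""

LINE_RE = re.compile(
    r"Ident: '(?P<ident>[^']*)' Flows: (?P<flows>\d+), Packets: (?P<packets>\d+), "
    r"Bytes: (?P<bytes>\d+), Sequence Errors: (?P<seq_errors>\d+), "
    r"Bad Packets: (?P<bad_packets>\d+)")

def parse_slot(line):
    """Return the counters of one nfcapd summary line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {k: v if k == "ident" else int(v) for k, v in m.groupdict().items()}

def slot_rates(slot, sampling_rate=1):
    """Average rates over the slot; sampling_rate is the rough multiplication from the thread."""
    total = slot["bytes"] * sampling_rate
    return {"bytes_per_s": total / SLOT_SECONDS,
            "bits_per_s": total * 8 / SLOT_SECONDS}  # assumption: x8 to match interface bit rates

def human(value):
    """Scale with 1K = 1000, the convention stated for snapshot 20070312."""
    for unit in ("", "K", "M", "G"):
        if value < 1000:
            return f"{value:.1f} {unit}".strip()
        value /= 1000
    return f"{value:.1f} T"

def deviation_pct(flow_bytes, snmp_octets):
    """Signed difference of flow bytes against the SNMP octet delta for the same slot."""
    return (flow_bytes - snmp_octets) / snmp_octets * 100

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        slot = parse_slot(line)
        rates = slot_rates(slot)
        print(slot["ident"], human(rates["bytes_per_s"]) + "B/s",
              human(rates["bits_per_s"]) + "bit/s", "seq errors:", slot["seq_errors"])
```

A persistent negative deviation alongside a rising sequence-error count points at export or capture loss rather than at the collector's arithmetic.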
