Hello there,

Apologies if this has already been discussed on this list, but I just have a quick question about nfcapd's -s option to set the default sampling rate.

I am sampling at 1:1000 (NetFlow v9) and nfcapd appears to be picking up the embedded sampling rate and using that, so it is trying to scale packets & octets, multiplying by 1000. Unfortunately, this is causing the octet counter to overflow with high-bandwidth flows.

I was hoping that adding '-s 1' would make nfcapd ignore the embedded sampling rate, but this does not seem to work. Is there any way (besides hacking the code) to make nfcapd ignore the embedded sampling rate? (I do not want to change sampling rate or active flow timeout.)

You can see the overflow in the output attached below. This shows the same flow captured by nfcapd and flow-capture. Notice that nfcapd scales the number of packets, 3791*1000 = 3791000. However, the octet counter overflows:

nfcapd (version 9)

Date flow start          Duration Proto  Src IP Addr:Port         Dst IP Addr:Port   Packets  Bytes       Flows
2011-09-14 13:21:47.000  59.290   17     10.xxx.xxx.xxx:56258 ->  10.xx.xx.xx:5001   3791000  1497680704  1

flow-capture (version 5)

Start              End                Sif  SrcIPaddress    SrcP   DIf  DstIPaddress  DstP  P   Fl  Pkts  Octets
0914.13:21:47.000  0914.13:22:46.290  100  10.xxx.xxx.xxx  56258  101  10.xx.xx.xx   5001  17  0   3791  5792648

The 1497680704 octets reported by nfcapd is the result of overflowing the 32-bit counter once. Using the unscaled value from flow-tools and subtracting 2^32, you get the number reported by nfcapd:

5792648000 - 2^32 = 1497680704

Thanks!
-Chris

--
Chris Tracy <[email protected]>
Energy Sciences Network (ESnet)
Lawrence Berkeley National Laboratory

_______________________________________________
Nfdump-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
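The wrap reported in the message can be reproduced from its own numbers. The C sketch below is an added example, not code from nfdump or from the original post; the function names are hypothetical, and it assumes the scaled octet count is held in a 32-bit field, as the post infers.

```c
#include <stdint.h>
#include <stdio.h>

/* Scale a sampled counter but keep the result in 32 bits: the product is
 * truncated modulo 2^32, which is the wrap described in the post. */
uint32_t scale_u32_wrapping(uint32_t counter, uint32_t rate)
{
    return (uint32_t)((uint64_t)counter * rate);
}

/* Scale into a 64-bit result; returns 0 on success, -1 if even 64 bits
 * cannot hold the product. */
int scale_u64_checked(uint64_t counter, uint64_t rate, uint64_t *out)
{
    if (rate != 0 && counter > UINT64_MAX / rate)
        return -1;
    *out = counter * rate;
    return 0;
}

/* Largest unscaled counter that still fits in 32 bits after scaling. */
uint32_t max_safe_u32(uint32_t rate)
{
    return rate ? UINT32_MAX / rate : UINT32_MAX;
}

/* How many times a 32-bit counter wrapped while accumulating true_value. */
uint64_t wraps_u32(uint64_t true_value)
{
    return true_value >> 32;
}

int main(void)
{
    /* Values from the flow in the post: flow-capture counters, 1:1000. */
    const uint32_t pkts = 3791, octets = 5792648, rate = 1000;
    uint64_t full = 0;

    if (scale_u64_checked(octets, rate, &full) != 0)
        return 1;
    printf("packets 32-bit: %u\n", (unsigned)scale_u32_wrapping(pkts, rate));
    printf("octets  32-bit: %u (limit before wrap: %u unscaled)\n",
           (unsigned)scale_u32_wrapping(octets, rate), (unsigned)max_safe_u32(rate));
    printf("octets  64-bit: %llu (wraps: %llu)\n",
           (unsigned long long)full, (unsigned long long)wraps_u32(full));
    return 0;
}
```

At 1:1000, any flow whose unscaled octet count exceeds 4294967 no longer fits in 32 bits after scaling, so the flow in the post (5792648 octets) wraps exactly once.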
