Hi Peter,

I suspect that the problem appears when too many flows are reported, and the issue 
is rather an outcome of a huge number of flows than of high bandwidth. A DDoS attack is 
usually built of a huge number of very short flows (different source IPs and 
ports).
I'm trying to create some artificial traffic to simulate this situation.
Maybe you can advise a simulation tool?


= = =
Thanks,
Evgeny


-------- Original message --------
From: Peter Haag <ph...@users.sourceforge.net>
Date: 21/11/2015 13:24 (GMT+02:00)
To: Evgeny Vainerman <evge...@securitydam.com>, 
nfdump-discuss@lists.sourceforge.net
Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than sFlow

Hi Evgeny,
Hmm .. difficult to tell. sfcapd simply reports what it gets from the 
exporter.
The amount of data in bytes is extrapolated according to the sampling rate.
In the event of a DDoS attack, there are many potential bottlenecks. So it's
not easy to pinpoint the reason.

        - Peter


On 22.10.15 12:52, Evgeny Vainerman wrote:
> Hi All
>
> I'm using Cisco NX-OS(tm) n3000 Switch, Software (n3000-uk9), Version 
> 6.0(2)U2(3).
>
> My sflow setting is as following:
>
> sflow sampling-rate 5000
> sflow  max-datagram-size 2000
> sflow collector-ip X.X.X.X vrf management
> sflow collector-port NNNN
> sflow agent-ip Y.Y.Y.Y
>
> Recently I've got a DDoS attack.
> PRTG has shown incoming traffic of ~27 Gbit/sec during ~10 minutes.
>
> sFlow reported more than 10K flows in one minute, each one with a duration of 0.0.
> However, the total reported traffic is ~3.6 Gbit/sec:
>
> Summary: total flows: 11292, total bytes: 27533130000, total packets: 
> 56460000, avg bps: 3672369329, avg pps: 941329, avg bpp: 487
> Time window: 2015-10-21 11:25:00 - 2015-10-21 11:25:59
>
> What can be the reason for such a gap?
>
> -
> Thanks,
> Evgeny
>
>
>
>
> ------------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>

--
Be nice to your netflow data. Use NfSen and nfdump :)

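Editor's added example (not part of the thread above, and not nfdump/sfcapd code): the arithmetic behind Peter's remark that byte counts are extrapolated by the sampling rate, applied to the summary line Evgeny posted. It undoes the extrapolation to recover how many sampled packets the collector actually received, checks whether every reported flow is a single sample, and compares the sample count with what a 27 Gbit/s line rate (the PRTG figure from the original mail) would have produced at sampling-rate 5000. Assumptions: the 60 s window is taken from the "Time window" line (nfdump's own avg bps implies ~59.98 s, so the numbers differ slightly), the 27 Gbit/s figure is treated as the true ingress rate, and the observed bytes-per-packet is taken as representative of the whole minute. The script only quantifies the shortfall in samples; it cannot tell where on the path from the switch to sfcapd those samples were lost.

```python
"""Cross-check an nfdump/sfcapd summary line against sFlow sampling arithmetic.

Added example; the summary line below is copied from the mailing-list post,
the 27 Gbit/s line rate is the PRTG reading quoted there, and the 60 s window
is an assumption derived from the reported time window.
"""
import re
from dataclasses import dataclass

# Summary line as posted in the thread (constructed input for this example).
SUMMARY = ("Summary: total flows: 11292, total bytes: 27533130000, total packets: "
           "56460000, avg bps: 3672369329, avg pps: 941329, avg bpp: 487")
SAMPLING_RATE = 5000          # "sflow sampling-rate 5000" from the switch config
WINDOW_SECONDS = 60           # assumed from "11:25:00 - 11:25:59"
LINE_RATE_BPS = 27e9          # PRTG reading from the original mail


@dataclass
class Summary:
    flows: int
    bytes: int
    packets: int
    avg_bps: int
    avg_pps: int
    avg_bpp: int


def parse_summary(line: str) -> Summary:
    """Pull the integer counters out of an nfdump 'Summary:' line."""
    fields = dict(re.findall(
        r"(total flows|total bytes|total packets|avg bps|avg pps|avg bpp): (\d+)", line))
    return Summary(int(fields["total flows"]), int(fields["total bytes"]),
                   int(fields["total packets"]), int(fields["avg bps"]),
                   int(fields["avg pps"]), int(fields["avg bpp"]))


def raw_samples(s: Summary, sampling_rate: int) -> int:
    """Undo the extrapolation: number of sampled packets the collector really saw.

    Assumes every packet counter was scaled by the same sampling rate, which is
    what a single exporter with a fixed rate produces.
    """
    if s.packets % sampling_rate:
        raise ValueError("packet count is not a multiple of the sampling rate; "
                         "mixed sampling rates or a non-sFlow source?")
    return s.packets // sampling_rate


def one_sample_per_flow(s: Summary, sampling_rate: int) -> bool:
    """True when each reported flow consists of exactly one sampled packet,
    the signature of many very short flows (each sample becomes its own flow)."""
    return raw_samples(s, sampling_rate) == s.flows


def extrapolated_bps(s: Summary, window_seconds: float) -> float:
    """Average bit rate implied by the (already extrapolated) byte counter."""
    return s.bytes * 8 / window_seconds


def expected_samples(line_rate_bps: float, avg_bpp: float,
                     sampling_rate: int, window_seconds: float) -> float:
    """Samples the exporter should have emitted for a given true line rate."""
    packets = line_rate_bps / 8 / avg_bpp * window_seconds
    return packets / sampling_rate


def missing_sample_fraction(s: Summary, line_rate_bps: float,
                            sampling_rate: int, window_seconds: float) -> float:
    """Fraction of expected samples that never reached the collector."""
    avg_bpp = s.bytes / s.packets           # use the unrounded bytes-per-packet
    expected = expected_samples(line_rate_bps, avg_bpp, sampling_rate, window_seconds)
    return 1 - raw_samples(s, sampling_rate) / expected


def effective_sampling_rate(s: Summary, line_rate_bps: float,
                            sampling_rate: int, window_seconds: float) -> float:
    """The 1-in-N rate the collector effectively observed, given the true line rate."""
    return sampling_rate / (1 - missing_sample_fraction(s, line_rate_bps,
                                                        sampling_rate, window_seconds))


if __name__ == "__main__":
    s = parse_summary(SUMMARY)
    print("raw samples received:", raw_samples(s, SAMPLING_RATE))
    print("one sample per flow:", one_sample_per_flow(s, SAMPLING_RATE))
    print("extrapolated Gbit/s: %.2f" % (extrapolated_bps(s, WINDOW_SECONDS) / 1e9))
    print("missing sample fraction vs PRTG: %.1f%%"
          % (100 * missing_sample_fraction(s, LINE_RATE_BPS, SAMPLING_RATE, WINDOW_SECONDS)))
    print("effective sampling rate: 1 in %.0f"
          % effective_sampling_rate(s, LINE_RATE_BPS, SAMPLING_RATE, WINDOW_SECONDS))
```

On the posted numbers, 56460000 / 5000 is exactly 11292, so every one of the 11292 flows is a single sampled packet (which is why each shows a duration of 0.0), and the collector received roughly 14% of the samples a 27 Gbit/s stream would produce at 1:5000, i.e. an effective rate of about 1 in 37000. Whether the remaining samples were never generated by the switch, dropped as sFlow datagrams on the management path, or lost at the collector is exactly the set of bottlenecks Peter points to; the arithmetic only tells you how large the shortfall is.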