Hi Evgeny,

The duration of sampled sflow packets is by definition always 0. The reason for this is that each sampled packet, which is sent in sflow format to the collector, has no duration; however, it is converted into a flow on the collector side, simply for compatibility reasons with netflow. You get a duration when you aggregate them: ./nfdump -a ....

As for the missing samples: Have you checked the daemon syslog file? sfcapd reports any issues. If possible, can you tcpdump the sflow traffic to the collector of such an iperf burst? If so, please send me the file off list.

Thanks

- Peter

On 22/11/15 17:42, Evgeny Vainerman wrote:
> Hi Peter,
>
> My suspicion that the issue is related to the number of flows is wrong.
> I generate udp traffic of ~2.7 Gbit/sec with iperf - same source, same destination:
>
> iperf -c B.B.B.B -i 1 -b 4000M -t 400 -l 40000
>
> sfcapd collects the data. All recorded flows look similar (5000 packets / 7.6M bytes each, duration is 0.0):
>
> Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port        Packets    Bytes Flows
> 2015-11-22 14:22:01.336     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
> 2015-11-22 14:22:01.493     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
> 2015-11-22 14:22:01.641     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
> 2015-11-22 14:22:01.704     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
> 2015-11-22 14:22:02.659     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
> 2015-11-22 14:22:03.065     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
> …
> …
> …
> 2015-11-22 14:22:58.705     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
> 2015-11-22 14:22:59.557     0.000 UDP        A.A.A.A:44573         ->  B.B.B.B:5001             5000    7.6 M     1
>
> However, very low traffic is reported:
>
> Summary: total flows: 115, total bytes: 872850000, total packets: 575000, avg bps: 119936105, avg pps: 9876, avg bpp: 1518
> Time window: 2015-11-22 14:22:01 - 2015-11-22 14:22:59
> Total flows processed: 115, Blocks skipped: 0, Bytes read: 7020
> Sys: 0.004s flows/second: 23138.8 Wall: 0.003s flows/second: 33833.5
>
> For testing purposes, I directed sFlow reports from the switch to PRTG and to sFlowTrend – both show the correct bandwidth with the same reporter.
> Looks like sfcapd or nfdump lose the data. Is it possible it ignores “too short” flows, even if reported?
>
> -
> Thanks,
> Evgeny
>
> -----Original Message-----
> From: Peter Haag [mailto:ph...@users.sourceforge.net]
> Sent: Sunday, November 22, 2015 1:30 PM
> To: Evgeny Vainerman <evge...@securitydam.com>; nfdump-discuss@lists.sourceforge.net
> Cc: Meir Katz <me...@securitydam.com>
> Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than sFlow
>
> On 21.11.15 15:40, Evgeny Vainerman wrote:
>> Hi Peter,
>>
>> I suspect that the problem appears when too many flows are reported. And the issue is rather the outcome of a huge number of flows than of high bandwidth. A DDoS attack is usually built of a huge number of very short flows (different source IPs and ports).
>> I'm trying to create some artificial traffic to simulate this situation.
>> Maybe you can advise a simulation tool?
>
> Hmm .. not that I am aware of. There are some studies regarding the accuracy of a total estimation from sampled flow data. Small flows are indeed a bigger problem and lead to bigger deviations of numbers.
>
> Cheers
>
> - Peter
>
>> = = =
>> Thanks,
>> Evgeny
>>
>> -------- Original message --------
>> From: Peter Haag <ph...@users.sourceforge.net>
>> Date: 21/11/2015 13:24 (GMT+02:00)
>> To: Evgeny Vainerman <evge...@securitydam.com>, nfdump-discuss@lists.sourceforge.net
>> Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than sFlow
>>
>> Hi Evgeny,
>> Hmm .. difficult to tell. sfcapd simply reports what it gets from the exporter.
>> The amount of data in bytes is extrapolated according to the sampling rate.
>> In the event of a DDoS attack, there are many potential bottlenecks.
>> So it's not easy to pinpoint the reason.
>>
>> - Peter
>>
>> On 22.10.15 12:52, Evgeny Vainerman wrote:
>>> Hi All
>>>
>>> I'm using a Cisco NX-OS(tm) n3000 Switch, Software (n3000-uk9), Version 6.0(2)U2(3).
>>>
>>> My sflow setting is as follows:
>>>
>>> sflow sampling-rate 5000
>>> sflow max-datagram-size 2000
>>> sflow collector-ip X.X.X.X vrf management
>>> sflow collector-port NNNN
>>> sflow agent-ip Y.Y.Y.Y
>>>
>>> Recently I got hit by a DDoS attack.
>>> PRTG has shown incoming traffic of ~27 Gbit/sec during ~10 minutes.
>>>
>>> sFlow reported more than 10K flows in one minute, each one's duration is 0.0. However, the total reported traffic is ~3.6 Gbit/sec:
>>>
>>> Summary: total flows: 11292, total bytes: 27533130000, total packets: 56460000, avg bps: 3672369329, avg pps: 941329, avg bpp: 487
>>> Time window: 2015-10-21 11:25:00 - 2015-10-21 11:25:59
>>>
>>> What can be the reason for such a gap?
>>>
>>> -
>>> Thanks,
>>> Evgeny
>>>
>>> _______________________________________________
>>> Nfdump-discuss mailing list
>>> Nfdump-discuss@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>
>> --
>> Be nice to your netflow data. Use NfSen and nfdump :)
>
> --
> Be nice to your netflow data. Use NfSen and nfdump :)
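The thread turns on two facts about sampled sFlow in nfdump: every packet sample is stored as a zero-duration record whose packets and bytes are already multiplied by the sampling rate, and a bit rate only exists for an aggregate over a time window. The script below is an added example, not code from nfdump or from anyone on the list. It rebuilds the arithmetic behind Evgeny's "Summary" line from constructed records (115 samples between the first and last timestamps of his listing, at the 5000 sampling rate and the 1518-byte average frame size the summary reports) and then estimates how many samples a 2.7 Gbit/s burst should have produced, which is the "missing samples" check Peter asks about. The window formula (earliest to latest timestamp, with millisecond precision) is my reconstruction; it reproduces the avg bps and avg pps values from the thread exactly.

```python
"""Sanity-check sampled sFlow records the way they appear in nfdump output.

Added example (not nfdump project code). Assumptions are taken from the thread:
sampling rate 5000, 1518-byte average frame, and the first/last timestamps of
the listing. The record data is constructed, not captured.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

SAMPLING_RATE = 5000   # 'sflow sampling-rate 5000' from the switch config
FRAME_BYTES = 1518     # 'avg bpp: 1518' from the nfdump summary in the thread
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


@dataclass(frozen=True)
class FlowRecord:
    first_seen: datetime
    duration: float   # seconds; always 0.0 for an unaggregated sFlow sample
    packets: int      # already scaled by the sampling rate on the collector
    in_bytes: int     # already scaled by the sampling rate on the collector


def sampled_record(first_seen: datetime, frame_bytes: int = FRAME_BYTES) -> FlowRecord:
    """The record sfcapd stores for ONE packet sample: duration 0, counters scaled."""
    return FlowRecord(first_seen, 0.0, SAMPLING_RATE, SAMPLING_RATE * frame_bytes)


def constructed_records(count: int, first: str, last: str) -> List[FlowRecord]:
    """Constructed test data: `count` samples between `first` and `last` (inclusive,
    both kept exact so the window matches the listing), the rest evenly spaced."""
    t0, t1 = datetime.strptime(first, TS_FMT), datetime.strptime(last, TS_FMT)
    step = (t1 - t0) / (count - 1)
    middle = [sampled_record(t0 + i * step) for i in range(1, count - 1)]
    return [sampled_record(t0)] + middle + [sampled_record(t1)]


def record_bps(rec: FlowRecord) -> Optional[float]:
    """Per-record bit rate. Undefined (None) for zero-duration sample records,
    which is why no single line of the listing can carry a meaningful rate."""
    if rec.duration <= 0:
        return None
    return rec.in_bytes * 8 / rec.duration


def summarize(records: List[FlowRecord]) -> Dict[str, float]:
    """Aggregate like the nfdump Summary line: totals, plus averages over the
    window from the earliest to the latest timestamp (for duration-0 records the
    end of the last flow is its own first-seen time)."""
    if not records:
        raise ValueError("no records")
    times = [r.first_seen for r in records]
    seconds = (max(times) - min(times)).total_seconds()
    total_bytes = sum(r.in_bytes for r in records)
    total_packets = sum(r.packets for r in records)
    return {
        "flows": len(records),
        "bytes": total_bytes,
        "packets": total_packets,
        "window_s": seconds,
        "avg_bps": int(total_bytes * 8 / seconds) if seconds else 0,
        "avg_pps": int(total_packets / seconds) if seconds else 0,
        "avg_bpp": total_bytes // total_packets,
    }


def expected_samples(bits_per_second: float, seconds: float,
                     frame_bytes: int = FRAME_BYTES,
                     sampling_rate: int = SAMPLING_RATE) -> int:
    """Samples the exporter should emit for a constant load of `bits_per_second`
    over `seconds`, assuming every frame is `frame_bytes` long (1-in-N sampling)."""
    frames = bits_per_second * seconds / (frame_bytes * 8)
    return int(frames / sampling_rate)


def sample_loss(observed: int, expected: int) -> float:
    """Fraction of the expected samples that never reached the collector's files."""
    return 1.0 - observed / expected if expected else 0.0


if __name__ == "__main__":
    recs = constructed_records(115, "2015-11-22 14:22:01.336", "2015-11-22 14:22:59.557")
    s = summarize(recs)
    print("per-record bps:", record_bps(recs[0]))  # None: duration 0.000
    print(f"Summary: total flows: {s['flows']}, total bytes: {s['bytes']}, "
          f"total packets: {s['packets']}, avg bps: {s['avg_bps']}, "
          f"avg pps: {s['avg_pps']}, avg bpp: {s['avg_bpp']}")
    want = expected_samples(2.7e9, s["window_s"])
    print(f"expected about {want} samples for 2.7 Gbit/s over the window, "
          f"got {s['flows']} ({sample_loss(s['flows'], want):.0%} missing)")
```

Run against the thread's numbers, the summary comes out as 872850000 bytes, 575000 packets, avg bps 119936105 and avg pps 9876, i.e. the collector's arithmetic is consistent with the 115 records it has. The expected-sample estimate, on the other hand, is in the thousands for a 2.7 Gbit/s burst of 1518-byte frames over 58 seconds, so the shortfall is in the samples reaching sfcapd (or in the exporter's sampling), not in how nfdump adds them up. That is the same place Peter's advice points: check the sfcapd syslog and tcpdump the sFlow datagrams at the collector.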