-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Maurizio,
- --On January 10, 2007 16:38:10 +0000 Maurizio Molina <[EMAIL PROTECTED]>
wrote:
| Hi Peter, can you recall me what nfdump does when it receives a flow
| whose duration is not completely contained in a 5 minutes bin?
| Does it spred the number of packets and bytes evenly over all the bins
| it spans?
| If yes, how are the .gif files updated accordingly?
It depends most on the flow exporter: A flow gets exported, when the session is
closed, when it is
inactive for a certain time, when it is forced to export or when the flow table
is full. Each of
those flows, if spread over multiple exports, contain the number of accumulated
packets and bytes,
since the flow exist in the router flow cache. When a flow is exported is is
also gets
automatically deleted from the flow cache in the router. The next packet of an
ongoing flow will
then recreate a flow entry in the cache table. This means it can vary a lot,
depending on the
traffic pattern you have. The collector itself can not determine, if a flow has
terminated or not,
as the reason for exporting is unknown.
Therefore the collector simply collects, what it gets from the router and
stores the flows in the
files. When processing the flows with nfdump later on those flows can be
aggregated ( -a ) to form
up a single flow in the output. Creating any stats with nfdump automatically
aggregate flow pieces
by nature.
As for the RRD graphs, these are updated in each 5min interval regardless of of
flows are ongoing
or not. Whatever sums up in a 5min interval is stored in the RRD DBs. To make
the graphs looking
smooth, one should make sure to force a flow to get exported after at max. 300s
lifetime in the
router cache. This prevents the sometimes spiky (looking like a comb) graphs.
To make the long story short: Long flows are splitted up in pieces, where each
piece contains the
number of bytes and packets since the last export, therefore all are average
numbers over that time
period.
Hope this helps
- Peter
| Thanks,
| Maurizio
|
|
| -------------------------------------------------------------------------
| Take Surveys. Earn Cash. Influence the Future of IT
| Join SourceForge.net's Techsay panel and you'll get the chance to share your
| opinions on IT & business topics through brief surveys - and earn cash
| http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iQCVAwUBRaZFLf5AbZRALNr/AQLQxQP/d76lX1but0jtg7KqShgLRR26pi6vcl70
1Po/l3fbcCPoYgDFyIG7xZQh7VoglPnx5pBMWUsM1CF4hsBZkQyZL1qEGGL4pnsl
7rcTroL0bRtYndFKzfzKrBPAmAdbBxLQW7ehDyoP6YP5qtIs622IdeXQO8uUqOFv
IB3Vh99I+sU=
=+MFM
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
