Hi,

I'm noting a weird result in NfSen if I make the following query:

- Select whatever 5 min. time interval
- Stat TopN
- Top: 500
- Stat: FlowRecords
- order by: flows
- Aggregate: do not check any of the boxes (it means it will do the default aggregation, which is the 5-tuple: ip src, ip dst, proto, src port, dst port).
- Limit: don't set any limit

In the list of the top 500 flows (that means: *sets* of flows with the same 5-tuple) I see that the no. of flows in the first top flows is always 10. Further down in the list I then see 9, 8, 7, etc... This makes me suspect that NfSen limits the number of flows with the same 5-tuple it can aggregate to 10. I haven't seen any duplicate in the list (i.e. flows with the same 5-tuple that are repeated more than once).

Can anybody check if they obtain the same behavior? If you do that, could you please state if you use sampled or unsampled NetFlow, with what sampling rate and (possibly) what is your inactive timeout? I think these settings may play a role...

Thanks,
Maurizio

_______________________________________________
Nfsen-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
