Maurizio Molina wrote: > Hi, > I'm noting a wierd result in NfSen if I make the following query: > -Select whatever 5 min. time interval > -Stat TopN > -Top: 500 > -Stat: FlowRecords > -order by: flows > -Aggregate: do not check any of the boxes (it means it will do the > default aggregation, which is the 5-tuple: ip src, ip dst, proto, src > port, dst port). > -Limit: don't set any limit > > In the list of the top 500 flows (that means: *sets* of flows with the > same 5-tuple) I see that the no. of flows in the first top flows is > always 10. Further down in the list I then see 9, 8, 7, etc... > This makes me suspect that NfSen limits the number of flows with thesame > 5-tuple it can aggregate to 10. > I haven't seen any duplicate in the list (i.e. flows with the same > 5-tuple that are repeated more than one). > > Can anybody check if they obtain the same behavior?
Hi Maurizio, I did the same exercise. But in my case I have different numbers like 35, 29, 28. etc. No such behaviour as you described. > If you do that, could you please state if you use sampled or unsampled sampled, 1/10000 > Netflow, with what sampling rate and (possibly) what is your inactive > timeout? I think these settings may play a role... What is "inactive timeout" and how to check it? Regards, -- Szymon Trocha Poznan Supercomputing & Ntw. Center ::: NETWORK OPERATION CENTER Tel. (+48 61) 8582022 http://noc.man.poznan.pl ::: http://noc.pionier.gov.pl ------------------------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/ _______________________________________________ Nfsen-discuss mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
