-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Tony,
Tony Gray wrote:
> Hi,
> Below are 2 graphs of the same traffic. The blue line is the outbound
> traffic, which is the same as the dark green NFSEN graph.
>
> Notice the short drops in traffic in the NFSEN graph. Initially i was
> looking at the spikes and trying to track down if there was something
> wrong with SNMP or Netflow, but today i saw the drops, which seem very
> unlikely considering the amount of sustained traffic.
>
> I am looking for pointers on how to track down this issue, to eliminate
> NFSEN and validate the data in our flows.
>
> Or has anyone else come across a similar issue?
There is an important difference between flow data and SNMP:
With SNMP you get the current value from the router at the time of the query.
These interface counters are updated with every packet so you get smooth graphs.
NfSen graphs the data found in the exported flows. But flows are exported
event based: Either the connections terminates ( FIN/FIN ACK ) or by any defined
timeout. You have active an inactive timeouts on the router - so check the
router
documentation for that. I guess in your case, you may have long lasting flows
( more than 300s ) so the entire traffic is counted for the time slot, when the
flow is exported. This results in spikes or losses in the graph. To prevent this
set the active timeout to 300s ( or 60s, 100s on busy routers ), so the
accumulated
traffic in a timeslot is counted in the correct slots in NfSen. Other timeouts
should also be set "NfSen fiendly" in 300s intervals.
Hope, this helps
- Peter
>
> We are running 64bit arch with the following:
> nfdump 1.5.8
> nfsen 1.3.1
>
> Any tips/thoughts greatly appreciated.
> Thanks,
> Tony
>
>
>
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Nfsen-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
- --
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
E-mail: [email protected] Web: http://www.switch.ch/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iQCVAwUBSmhGdf5AbZRALNr/AQLL6wP7Bvzm48eQUIf5kBGgO35OkK20A5FxI3xY
kMBJ6An3ZNchOumiF5mQnVWeY/9SNHkzodn4MtJYoH57z0NW1CvMjGPb3PQDDylM
v5Eux6XXqmH7iA+n4z2+Mr+XPIK9knO7hwedBnp2lnATWoWm8PhOv85qlSDmkHC2
vDciRaL7tUM=
=zYcu
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
