I plan on posting this to the juniper-nsp list as well, but I figured I'd 
start here first :)

I'm in the process of setting up an NFsen/NFdump box to analyze Netflow 
data from our border routers (both Juniper M120s running JUNOS 10.3R1.9), 
and the flow traffic rate that's being calculated by the analyzer does 
not match what I see on the upstream links.  This is compared to the data 
that I see from SNMP via Cacti, and the relevant interface counters on 
the boxes themselves.  Without doing an in-depth analysis of the numbers, 
I'd say that the data being reported through NFsen is about 4-5x higher 
than what I see from the interface counters.  The packets per second 
counters seem to be skewed to roughly the same degree.

For example, at the present time, NFsen is reporting that the aggregate 
traffic crossing my border interfaces is about 1.4 Gb/s, while the data I 
get from SNMP and the interface counters on the routers works out to 
about 380 Mb/s (~210 inbound, ~170 outbound).

The sampling points on the border routers are at the end of ingress and 
egress filters that I have on my upstream interfaces, so I don't think 
it's a case of the numbers getting skewed by flows getting duplicated, 
but I could be wrong.  There is only one sample point at the end of each 
ACL, so packets that get dropped by earlier terms in each ACL should not
be getting sampled.

We are doing 1:100 sampling + the next 4 packets, and the data is piped 
through an Adaptive Services PIC in each box.  Each box exports to a 
machine that replicates the flow data to multiple destinations, one of 
which is my NFsen/NFdump box.  Right now I'm just looking at Netflow data 
from the border routers - nothing is being sent to the new box from other 
internal devices, to minimize the headaches related to de-duplicating 
flows.

At this point I'm just trying to wrap my head around the whole design to 
see if the data that's coming out of the routers is inaccurate and I need 
to fix something on that end, or if NFsen/NFdump are arriving at an
incorrect total on their own and I need to tweak something there.

I've tried running the Netflow capture processes in NFdump with a 
sampling rate of 100 and also 20 to account for the 1:100 sampling + next 
4 packets, but neither setting changed the data that shows up in the 
NFsen graphs.  These are just the default graphs that a 'vanilla' 
NFsen/NFdump install generates, so there is no differentiation between 
inbound and outbound traffic at this point.

Any insight anyone could offer would be greatly appreciated.

jms
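
An added example, not part of the original post and not NFsen/NFdump or JUNOS code: a small simulation of the sampling scheme described above (one trigger per 100 packets plus the next 4), showing how the multiplier applied on the collector side changes the scaled packet and byte totals relative to the real ones. The deterministic trigger, the constructed packet-size mix, and all function names are assumptions made for illustration.

```python
import random

def sample_stream(sizes, rate=100, run_length=4):
    """Return sizes of sampled packets: every `rate`-th packet triggers a
    sample, and the next `run_length` packets are sampled as well."""
    sampled, run_left = [], 0
    for i, size in enumerate(sizes):
        if i % rate == 0:          # assumed deterministic trigger
            sampled.append(size)
            run_left = run_length
        elif run_left > 0:         # packets following the trigger
            sampled.append(size)
            run_left -= 1
    return sampled

def effective_rate(rate=100, run_length=4):
    """Packets on the wire per sampled packet."""
    return rate / (run_length + 1)

def scaled_vs_actual(multiplier, n_packets=200_000, seed=1):
    """Return (packet_ratio, byte_ratio) of the scaled estimate to the true totals."""
    rng = random.Random(seed)
    # Constructed traffic: a mix of small, medium and full-size packets.
    sizes = [rng.choice((64, 576, 1500)) for _ in range(n_packets)]
    sampled = sample_stream(sizes)
    pkt_ratio = len(sampled) * multiplier / len(sizes)
    byte_ratio = sum(sampled) * multiplier / sum(sizes)
    return pkt_ratio, byte_ratio

if __name__ == "__main__":
    print("effective rate 1:%d" % effective_rate())
    for m in (100, 20):
        p, b = scaled_vs_actual(m)
        print("multiplier %3d -> packets x%.2f, bytes x%.2f" % (m, p, b))
```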
