Hi Justin,
snip ..
> I'd say that the data being reported through NFsen is about 4-5x higher
> than what I see from the interface counters. The packets per second
> counters seem to be skewed to roughly the same degree.
>
snip ..
> We are doing 1:100 sampling + the next 4 packets, and the data is piped
> through an Adaptive Services PIC in each box. Each box exports to a
> machine that replicates the flow data to multiple destinations, one of
In case of sampling, only the sampling rate is actually announced from JunOS
to the collector. The fact of the additional 4 packets is dropped. This means
you get a rough and maybe too inaccurate estimated sampling rate of 250, which
explains, why you see a factor of about 4-5.
To my knowledge there is no why to let the collector automatically know
about the sampling 1:x + n next packets. Furthermore I haven't found any
documents, explaining how to estimate the correct values.
The closest you can come is to screw down the sampling rate for the collector
e.g. ( ./nfcapd -s -nnn ). Negative sampling rates tell the collector to
take this value for real and ignore the exporter announced sampling rates.
In your case -s -250.
If anyone knows a more accurate approach to estimate JunOS values, let me know.
Hope this helps
- Peter
> which is my NFsen/NFdump box. Right now I'm just looking at Netflow data
> from the border routers - nothing is being sent to the new box from other
> internal devices, to minimize the headaches related to de-duplicating
> flows.
>
> At this point I'm just trying to wrap my head around the whole design to
> see if the data that's coming out of the routers is inaccurate and I need
> to fix something on that end, or if NFsen/NFdump are arriving at an
> incorrect total on their own and I need to tweak something there.
>
> I've tried running the Netflow capture processes in NFdump with a
> sampling rate of 100 and also 20 to account for the 1:100 sampling + next
> 4 packets, but neither setting changed the data that shows up in the
> NFsen graphs. These are just the default graphs that a 'vanilla'
> NFsen/NFdump install generates, so there is no differentiation between
> inbound and outbound traffic at this point.
>
> Any insight anyone could offer would be greatly appreciated.
>
> jms
>
> ------------------------------------------------------------------------------
> Learn how Oracle Real Application Clusters (RAC) One Node allows customers
> to consolidate database storage, standardize their database environment, and,
> should the need arise, upgrade to a full multi-node Oracle RAC database
> without downtime or disruption
> http://p.sf.net/sfu/oracle-sfdevnl
> _______________________________________________
> Nfsen-discuss mailing list
> Nfsen-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
--
Be nice to your netflow data. Use NfSen and nfdump :)
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
