Don't turn on netflow? :-) Looks like a common problem - quoting from Cisco's documentation:
Cisco IOS Router-Based NetFlow Aggregation

Customers can expect a large volume of export data from NetFlow when it is enabled on many interfaces on high-end routers that switch many flows per unit time (such as the Cisco 12000 and Cisco 7500 Series). Designed to significantly reduce NetFlow Export data volume and improve NetFlow scalability, router-based NetFlow aggregation is a Cisco IOS® software feature enhancement that enables limited router-based aggregation of NetFlow Export data. The five provided router-based NetFlow aggregation schemes enable the user to summarize NetFlow Export data on the router before the data is exported to a NetFlow data Collection device such as the Cisco NetFlow FlowCollector v2.0. With this feature enabled, aggregated NetFlow Export data is exported to a Collection device, resulting in lower bandwidth requirements for NetFlow Export data and reduced platform requirements for NetFlow data collection devices. In addition, this feature introduces NetFlow Export Version 8 (v8), a new Export datagram format designed to optimize NetFlow Export performance and bandwidth utilization.

The Router-based NetFlow Aggregation feature enables on-board aggregation by maintaining one or more extra NetFlow caches with different combinations of fields that determine which traditional flows are grouped together. These extra caches are called aggregation caches. As flows expire from the main flow cache, they are added to each enabled aggregation cache. The normal flow ager process runs on each active aggregation cache the same way it runs on the main cache. On demand aging is also supported.

Cisco IOS Router-Based Aggregation with NetFlow v8 is available on all Cisco router platforms that support NetFlow beginning in releases 12.0(3)T and 12.0(3)S. Five aggregation schemes will initially be supported (described later in this document).
The default size for each secondary NetFlow aggregation cache (exported via v8 NetFlow Export datagrams) is 4096 entries on all platforms that support Cisco IOS NetFlow.

Use of Router-Based NetFlow Aggregation does not preclude the use of traditional NetFlow Services utilizing NetFlow Export v1/v5. Router-Based NetFlow Aggregation (utilizing v8 NetFlow Export datagrams) and traditional NetFlow Services (utilizing v1/v5 NetFlow Export datagrams) may be enabled simultaneously. Although these features can be used together, only the Router-based NetFlow Aggregation feature uses the v8 Export datagram format.

========================================================

The code (look in pbuf.c for sendXXXflow and netflow.c) sure looks like it is NOT doing any aggregation. So I think you get a UDP packet sent for EVERY single packet processed.

How about using a filter to reduce what you're looking at?

Otherwise, you will have to write a routine to make netflow.c smarter...

Let's see, designing on the fly for something I know nothing about (my speciality)

(Modify netflow to allocate a big block of memory - enough to hold a lot of flows. Also create a sender thread, like the idle purges. Create a mutex to lock read/writes to this area. Each flow goes into entries in this table. If the table gets x% full, invoke the sender thread. Otherwise, the idle thread timer sends them after x seconds. Oh yeah, when you go to send the thread, lock the mutex, allocate a new block of memory, swap the pointers and release the mutex - so you're not blocking the packet process more than a few ms. Maybe allocate TWO blocks of memory and swap them instead of a malloc. Performance issue - locking the mutex every time you update the flows in the table.)
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of shawn everett
Sent: Thursday, January 10, 2002 4:08 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] Problems using Netflow in Ntop 2.0

I installed ntop on a Linux router in order to monitor/bill bandwidth on part of our network.

What's happening is that ntop is generating a huge number of udp (netflow) packets and congesting our network to the point that it becomes unusable.

Can anyone suggest a solution to this problem?

Shawn

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop
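
The double-buffer design outlined in Burton's reply above, as an added C example (not code from ntop's netflow.c or pbuf.c): packets are folded into per-flow records, and the sender swaps two preallocated tables under a mutex. The names flow_add and flow_swap, the record layout, the table size and the 75% threshold are assumptions made for illustration.

```c
#include <pthread.h>
#include <stdint.h>

#define TABLE_SIZE 1024   /* flow slots per buffer (assumed value) */
#define FLUSH_PCT  75     /* the "x% full" threshold (assumed value) */

typedef struct { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; } flow_key;
typedef struct { flow_key key; uint32_t packets, bytes; } flow_rec;
typedef struct { flow_rec rec[TABLE_SIZE]; unsigned used; } flow_buf;

static flow_buf bufs[2];              /* two preallocated blocks, no malloc per flush */
static flow_buf *active = &bufs[0];   /* the block the packet path writes into */
static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;

static int key_eq(const flow_key *a, const flow_key *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Packet path: fold one packet into its flow record instead of exporting it.
 * Returns 1 when the table has reached FLUSH_PCT and the sender should run,
 * 0 otherwise, -1 if the table is full and the packet was not counted. */
int flow_add(flow_key k, uint32_t len) {
    int rc = 0;
    unsigned i;
    pthread_mutex_lock(&lock);
    for (i = 0; i < active->used; i++)   /* linear scan; a hash table would replace this */
        if (key_eq(&active->rec[i].key, &k)) break;
    if (i == active->used) {             /* first packet of a new flow */
        if (active->used == TABLE_SIZE) { pthread_mutex_unlock(&lock); return -1; }
        active->rec[i].key = k;
        active->rec[i].packets = active->rec[i].bytes = 0;
        active->used++;
    }
    active->rec[i].packets++;
    active->rec[i].bytes += len;
    if (active->used * 100 >= TABLE_SIZE * FLUSH_PCT) rc = 1;
    pthread_mutex_unlock(&lock);
    return rc;
}

/* Sender path (threshold hit or timer expiry): swap the two buffers under the
 * lock and return the filled one, so the export itself runs with no lock held. */
flow_buf *flow_swap(void) {
    pthread_mutex_lock(&lock);
    flow_buf *full = active;
    active = (full == &bufs[0]) ? &bufs[1] : &bufs[0];
    active->used = 0;
    pthread_mutex_unlock(&lock);
    return full;
}
```

The sender has to finish exporting the returned buffer before it calls flow_swap again, because the next swap hands that same buffer back to the packet path.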
