Dear all,

I've been experimenting with cFlow from Juniper lately. We have cflowd set up 
on Juniper with 1:1000 sampling. I can also see that the cFlow reports match 
the SNMP measurements with that factor fairly well. Since I've set cFlow up to 
report with Netflow v5 datagrams, I expected Nfacctd to automatically adjust 
for the sampling rate. I did verify with Ethereal that it is "Version: 5", but 
looking at the numbers logged from Juniper, they seem to be 1/1000 of what they 
should be. To be sure I added "sampling_rate=1000" in the pretag.map file for 
these tags, but it didn't have any effect (is it supposed to have an effect on 
Netflow v5 at all?).

Then I looked at pkt_handler.c and compared it with the tcpdump/Ethereal dumps 
from Juniper:

In NF_counters_renormalize_handler(), starting line 1199 it says:

  switch (hdr->version) {
  case 5:
    hdr5 = (struct struct_header_v5 *) pptrs->f_header;
    is_sampled = ( ntohs(hdr5->sampling) & 0xC000 );
    srate = ( ntohs(hdr5->sampling) & 0x3FFF );
    if (is_sampled) {
      pdata->pkt_len = pdata->pkt_len * srate;
      pdata->pkt_num = pdata->pkt_num * srate;
    }
    break;
  default:
    break;
  }

This looks neat as I interpret it, but it does not match the v5 datagrams from 
Juniper. Looking at that, it has in its Netflow v5 header (taken from 
Ethereal):

00.. .... .... .... = SamplingMode: No sampling mode configured (0)
..00 0011 1110 1000 = SampleRate: 1000

which, if I understand nfacctd correctly (it is becoming increasingly complex 
and I've skipped some minor versions) means that it will end up in default and 
not scale up the data rate. The Juniper sampling is defined like:

sampling {
    input {
        family inet {
            rate 1000;
            run-length 0;
            max-packets-per-second 1000;
        }
    }
    output {
        cflowd 10.10.10.203 {
            port 2100;
            version 5;
            no-local-dump;
            autonomous-system-type origin;
        }
    }
}

Questions: 

1: Does Netflow v5 say that sampling mode must be set for sample rate to be 
valid?
2: Has anybody else gotten this to work and if so, how?
3: Can I get Juniper/cFlow to report sampling mode?

best,

-- Inge


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
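
An added example (not part of the original post and not pmacct's own code): it decodes the 16-bit sampling field of a NetFlow v5 header the way the quoted handler does and compares mode-gated scaling with a hypothetical rate-only policy. The header bytes are constructed, with the 0x03E8 value taken from the Ethereal dump in the post, and all function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NF5_HDR_LEN      24
#define NF5_SAMPLING_OFF 22  /* last 16-bit field of the v5 header */
struct nf5_sampling { unsigned mode; unsigned rate; };

/* Constructed headers: version 5, count 1, other fields zeroed.
 * 0x03E8 is the mode 0 / rate 1000 value from the dump in the post;
 * 0x43E8 is a constructed variant with the mode bits set to 01. */
static const uint8_t HDR_MODE0[NF5_HDR_LEN] = {
    0,5, 0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0, 0, 0x03,0xE8 };
static const uint8_t HDR_MODE1[NF5_HDR_LEN] = {
    0,5, 0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0, 0, 0x43,0xE8 };

/* Returns 0 on success, -1 if the buffer is short or not version 5. */
int nf5_parse_sampling(const uint8_t *buf, size_t len, struct nf5_sampling *out)
{
    if (buf == NULL || out == NULL || len < NF5_HDR_LEN) return -1;
    if ((((unsigned)buf[0] << 8) | buf[1]) != 5) return -1;
    unsigned field = ((unsigned)buf[NF5_SAMPLING_OFF] << 8) | buf[NF5_SAMPLING_OFF + 1];
    out->mode = (field & 0xC000u) >> 14;  /* top 2 bits */
    out->rate = field & 0x3FFFu;          /* low 14 bits */
    return 0;
}

/* Same gate as the quoted handler (mode bits must be set), plus a zero-rate guard. */
uint64_t scale_mode_gated(const struct nf5_sampling *s, uint64_t counter)
{
    return (s->mode != 0 && s->rate > 0) ? counter * s->rate : counter;
}

/* Hypothetical alternative: trust any rate above 1, whatever the mode bits say. */
uint64_t scale_rate_only(const struct nf5_sampling *s, uint64_t counter)
{
    return (s->rate > 1) ? counter * s->rate : counter;
}

int main(void)
{
    const uint8_t *hdrs[] = { HDR_MODE0, HDR_MODE1 };
    struct nf5_sampling s;
    for (size_t i = 0; i < 2; i++)
        if (nf5_parse_sampling(hdrs[i], NF5_HDR_LEN, &s) == 0)
            printf("mode=%u rate=%u gated=%llu rate_only=%llu\n", s.mode, s.rate,
                   (unsigned long long)scale_mode_gated(&s, 1500),
                   (unsigned long long)scale_rate_only(&s, 1500));
    return 0;
}
```

With the mode bits at 00, the mode-gated path leaves a counter of 1500 unchanged while the rate-only path reports 1500000.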
