As no documentation has shown that a sampling_mode value != 0 is needed to adjust for sampling, it is unlikely that Juniper will make any changes to cflow sampled reporting. Maybe this should be reflected in pmacct as well and the temporary patch made permanent?
all the best, -- Inge > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] > On Behalf Of Paolo Lucente > Sent: 17. mars 2007 13:58 > To: [email protected] > Subject: Re: [pmacct-discussion] Juniper cFlow, sampling and > nfacctd handling > > Hi Inge, > > On Fri, Mar 16, 2007 at 05:09:30PM +0100, Inge Bj?rnvall > Arnesen wrote: > > > Then I looked at pkt_handler.c and compared it with the > tcdump/Ethereal dumps from Juniper: > > > > In NF_counters_renormalize_handler(), starting line 1199 it says: > > > > switch (hdr->version) { > > case 5: > > hdr5 = (struct struct_header_v5 *) pptrs->f_header; > > is_sampled = ( ntohs(hdr5->sampling) & 0xC000 ); > > srate = ( ntohs(hdr5->sampling) & 0x3FFF ); > > if (is_sampled) { > > pdata->pkt_len = pdata->pkt_len * srate; > > pdata->pkt_num = pdata->pkt_num * srate; > > } > > break; > > default: > > break; > > } > > > > This looks neat as I interpret, but it does not match the > v5 datagrams from Juniper. Looking at that, it has in its > Netflow v5 header (taken from Etherreal): > > > > 00.. .... .... .... = SamplingMode: No sampling mode configured (0) > > ..00 0011 1110 1000 = SampleRate: 1000 > > > > [ ... ] > > > > Questions: > > > > 1: Does Netflow v5 say that sampling mode must be set for > sample rate to be valid? > > 2: Has anybody else gotten this to work and if so, how? > > 3: Can I get Juniper/cFlow to report sampling mode? > > 1. Yes, it has. The meaning of the first two bits are: "00" > no sampling, > 01 sampling is enabled, so read the remaining 14 bits to get > the sampling rate. Of course the quick and dirty solution to > make it working with your Juniper is to replace the check on > the first two bits with a check on the remaining 14 bits: > > + if (srate) { > - if (is_sampled) { > > A more polite solution would be to add a configuration option > to do this. > > 2. I've got this working reading NetFlow v5 datagrams coming > from a few Cisco gears. Can't remember right now of any other > vendors. Also note that this feature is not enabled for > NetFlow v9 yet. Only all sFlow versions and NetFlow v5. IHMO, > the NetFlow v9 way of hande sampling is certainly greatly > flexible but smells a lot of over-engineering. > > 3. Yes. You can either report the issue to Juniper or apply > the patch of 1). It should work straight away. Or a mix of > the two solutions, one for the short term, the other for the > longer term. > > Hope this helps. > > Cheers, > Paolo > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists > _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
