[pmacct-discussion] sFlow from ZTE 5928 TX and counting accuracy

Fri, 20 Jul 2012 10:14:26 -0700 

Hi.
I collect sFlow from ZTE 5928 TX and see that the data that I get are
very different from those which really downloaded.

My configuration very simple:

interface: venet0
plugin_buffer_size: 2048
plugin_pipe_size: 2048000
sfprobe_agentip: 195.211.108.33

sfacctd_renormalize: true
networks_file: /etc/pmacct/networks.lst
ports_file: /etc/pmacct/ports.lst

plugins: memory[IP]
aggregate[IP]: src_host, dst_host, src_port, dst_port
imt_path[IP]: /tmp/IP.pipe

# cat ports.lst
80

#cat networks.lst
171.25.204.3/32


For ZTE sFlow configuration:

#show sflow
sflow enable
sflow agent ip-addr               agent udp port
195.211.108.33                    6343     
sflow collector ip-addr           collector udp port
171.25.204.64                     6343     
portname     ingress_sample_rate  egress_sample_rate
gei_1/4      256                  256                
gei_1/5      256                  256                
gei_1/6      256                  256                
gei_1/7      256                  256                
gei_1/8      256                  256                
gei_1/9      256                  256                
gei_1/11     256                  256                
gei_1/12     256                  256                
gei_1/13     256                  256                
gei_1/16     256                  256                
gei_1/17     256                  256                
gei_1/18     256                  256                
gei_1/19     256                  256                
gei_1/20     256                  256                
gei_1/22     256                  256                
gei_1/23     256                  256                
gei_1/24     256                  256                
xgei_2/1     256                  256                
xgei_3/1     256                  256                
xgei_4/1     256                  256                


My server with IP 171.25.204.3/32 on gei_1/6

For test I start
# sfacctd -f sfacctd.conf

and begin download  file from 171.25.204.3. Access open only for me. So
I expect see the same data.

$ LANG=C wget http://171.25.204.3/de1_15.01.2012/vzdump-5104.tgz
--2012-07-20 19:24:11--  http://171.25.204.3/de1_15.01.2012/vzdump-5104.tgz
Connecting to 171.25.204.3:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1231847830 (1.1G) [application/octet-stream]
Saving to: `vzdump-5104.tgz'

100%[========================================================================================================================================>]
1,231,847,830 9.48M/s   in 1m 57s

2012-07-20 19:26:08 (10.0 MB/s) - `vzdump-5104.tgz' saved
[1231847830/1231847830]

But I see very different data :
# pmacct -c src_host -M 171.25.204.3 -p /tmp/IP.pipe
SRC_IP                                        
DST_IP                                         SRC_PORT  DST_PORT 
PACKETS               BYTES
171.25.204.3                                  
0.0.0.0                                        80        0       
147349                221023500

                                                                               
PACKETS               BYTES
sampling 256 with sfacctd_renormalize: true          
147349                221023500
                                                                               
153760                230640000   (4.35%)
                                                                               
172244                258366000   (12.2%)


I tried to set sfacctd_renormalize and sampling_rate and sampling.map.
None of this helps, and the data did not match (Although up to 10% as
described in http://www.sflow.org/packetSamplingBasics/index.htm).

Question: What am I doing wrong and how to make the resulting data
correspond to reality?


-- 
WBR,
Viacheslav Dubrovskyi

Attachment: smime.p7s
Description: Криптографическая подпись S/MIME

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists

Reply via email to