Hi y'all,
I'm hoping that someone has some experience that might help.
I'm using nfacctd to collect flows from a Cisco RSP720. After banging my
head against the keyboard for a few days, I realized I should have
configured pmacct with --enable-64bit. After re-building with that,
accuracy is dramatically improved, but I'm still finding bytes being
under-reported in numerous intervals.
I believe the problem I'm running into is that the RSP720 is collecting its
data in a 32-bit field and that field is wrapping -- or, the netflow v5
packet uses 32 bits for bytes, and it's wrapping on export. In any case, I
think the byte count is lost before it leaves the Cisco.
I'm using the "interface-destination" flow mask. I've tried using
"interface-destination-source" but that causes some CPU load on the Cisco
and flow creation failures.
To have the highest resolution and to minimize the risk of netflow creation
failures, all the timers are set to the lowest:
enable timeout packet threshold
------ ------- ----------------
normal aging true 32 N/A
fast aging true 32 7
long aging true 64 N/A
2**32 bytes in 64 seconds is only 537 Mbps. Doesn't work very well for
multi-gigabit traffic servers.
Does anyone have any ideas on how to reduce or eliminate counter wrap on
the Cisco side for the bytes counter?
Many thanks,
Ed
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
