Hi Steffen,

You are right on the difference between sFlow and NetFlow/IPFIX. The only thing I can propose is to drop the timestamp_start primitive in favor of time binning (print_history config directive and a print_output_file with a time reference as part of the filename). It will never be as fine grained as NetFlow/IPFIX (I'm thinking of the case of TCP port reuse) but it is definitely something.
Cheers,
Paolo

On Mon, May 11, 2015 at 02:44:44PM +0000, Steffen Plotner wrote:
> Hello,
>
> I have been able to collect NetFlow data from our Palo Alto device for
> forensic analysis purposes and started to study sFlow data from the Juniper
> switches. I understand that sFlow is based on statistical sampling, which
> clearly cannot catch every packet, but one can lower the 1:x ratio low enough
> for that to work. Having done that, I had the following aggregate statement
> (sfacctd):
>
> aggregate[track_raw]: label, src_host, dst_host, src_port, dst_port, proto,
> tcpflags, in_iface, out_iface, cos, etype, src_mac, dst_mac, vlan,
> timestamp_start
>
> which, because of the timestamp_start field, cannot aggregate data together
> for packets that belong to the same session (flow).
>
> I was comparing an HTTP download on the NetFlow side and saw that I had a
> couple of entries with hundreds of packets and a packet size matching the
> download.
>
> On the sFlow collecting side, I had hundreds of individual entries, each with
> a packet count of 1 - now I am realizing that sfacctd cannot aggregate
> anything in terms of sFlow data because of the timestamp_start.
>
> But I need the timestamp_start in the output (JSON file) - how can one go
> about that?
>
> I feel that sFlow is really nothing equivalent to NetFlow - basically NetFlow
> has done a ton of work putting together NetFlow records of complete
> transactions, while sFlow just produces packet metadata that another
> collector has to put together and make up the transactions - and if the
> ending TCP flags are not there, then you are stuck.
>
> Thank you for your help.
>
> Steffen
>
> _______________________________________________________________________________________________
> Steffen Plotner                              Amherst College          Tel (413) 542-2348
> Systems/Network Administrator/Programmer     PO BOX 5000              Fax (413) 542-2626
> Systems & Networking                         Amherst, MA 01002-5000   [email protected]
>
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
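To make the trade-off in Paolo's suggestion concrete, here is an added example (not code from the thread and not pmacct's own code) that post-processes per-packet sfacctd JSON output into time-binned, flow-like rows keyed on the 5-tuple, the way a print_history bin would group them once timestamp_start is dropped from the aggregate key. The sample lines are constructed, and the field names (ip_src, port_src, tcp_flags, timestamp_start, ...) are assumed to match pmacct's JSON print output. It also surfaces the two caveats raised above: a client port reused within one bin collapses two sessions into one row (counted here by the number of bare SYNs seen), and a session whose FIN was never sampled has no ending flags.

```python
"""Time-bin per-packet sFlow records into flow-like rows (added example, not pmacct code)."""
import json
from datetime import datetime, timezone

BIN_SECONDS = 60  # one-minute bins, standing in for a print_history of 1m

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10  # low bits of pmacct's tcp_flags value

# Constructed sfacctd-style JSON lines, one per sampled packet (hence packets == 1 each).
# Lines 1-3: an HTTP fetch on client port 51234 (SYN, data, FIN+ACK).
# Lines 4-5: port 51234 reused for a second fetch 30 seconds later, FIN never sampled.
# Line 6:    a new session on port 51235 in the next minute, only the SYN sampled.
SAMPLE_SFLOW_JSONL = """\
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 2, "packets": 1, "bytes": 60, "timestamp_start": "2015-05-11 14:40:01.000000"}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 16, "packets": 1, "bytes": 1500, "timestamp_start": "2015-05-11 14:40:02.000000"}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 17, "packets": 1, "bytes": 60, "timestamp_start": "2015-05-11 14:40:03.000000"}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 2, "packets": 1, "bytes": 60, "timestamp_start": "2015-05-11 14:40:30.000000"}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 16, "packets": 1, "bytes": 1500, "timestamp_start": "2015-05-11 14:40:31.000000"}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51235, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 2, "packets": 1, "bytes": 60, "timestamp_start": "2015-05-11 14:41:05.000000"}
"""


def parse_ts(ts: str) -> int:
    """pmacct-style 'YYYY-MM-DD HH:MM:SS.uuuuuu' (assumed UTC) -> epoch seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def flow_key(rec: dict) -> tuple:
    """The 5-tuple that replaces timestamp_start as the aggregation key."""
    return (rec["ip_src"], rec["ip_dst"], rec["port_src"], rec["port_dst"], rec["ip_proto"])


def bin_records(jsonl: str, bin_seconds: int = BIN_SECONDS) -> dict:
    """Aggregate per-packet records by (time bin, 5-tuple), keeping the first/last timestamps."""
    bins = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        epoch = parse_ts(rec["timestamp_start"])
        bin_start = epoch - (epoch % bin_seconds)
        key = (bin_start,) + flow_key(rec)
        entry = bins.setdefault(key, {
            "packets": 0, "bytes": 0, "tcp_flags": 0, "syn_count": 0,
            "first_seen": epoch, "last_seen": epoch,
        })
        entry["packets"] += rec["packets"]
        entry["bytes"] += rec["bytes"]
        entry["tcp_flags"] |= rec["tcp_flags"]  # OR, as a flow collector would
        # A SYN without ACK is a new connection attempt; two of them under one
        # key inside one bin is the port-reuse case that binning cannot separate.
        if rec["tcp_flags"] & TCP_SYN and not rec["tcp_flags"] & TCP_ACK:
            entry["syn_count"] += 1
        entry["first_seen"] = min(entry["first_seen"], epoch)
        entry["last_seen"] = max(entry["last_seen"], epoch)
    return bins


def summarize(jsonl: str = SAMPLE_SFLOW_JSONL, bin_seconds: int = BIN_SECONDS) -> list:
    """Flatten the bins into sorted rows with the caveats made explicit."""
    rows = []
    for key, entry in sorted(bin_records(jsonl, bin_seconds).items()):
        bin_start, ip_src, ip_dst, port_src, port_dst, proto = key
        rows.append({
            "bin_start": datetime.fromtimestamp(bin_start, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "ip_src": ip_src, "ip_dst": ip_dst, "port_src": port_src, "port_dst": port_dst,
            "ip_proto": proto,
            "packets": entry["packets"], "bytes": entry["bytes"], "tcp_flags": entry["tcp_flags"],
            "syn_count": entry["syn_count"],
            "merged_sessions": entry["syn_count"] > 1,   # port reuse inside the bin
            "saw_fin": bool(entry["tcp_flags"] & TCP_FIN),  # ending flags sampled at all?
            "first_seen": entry["first_seen"], "last_seen": entry["last_seen"],
        })
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

The first_seen value per row is the coarse replacement for the per-packet timestamp_start; narrowing the bin narrows the window in which two sessions on the same 5-tuple can be merged, at the cost of more rows, which is the trade-off Paolo describes.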
