Hi,

Thank you for your feedback.

Steffen

> -----Original Message-----
> From: pmacct-discussion [mailto:[email protected]] On Behalf Of Paolo Lucente
> Sent: Wednesday, May 13, 2015 1:17 PM
> To: [email protected]
> Subject: Re: [pmacct-discussion] sflow aggregate timestamp_start
>
> Hi Steffen,
>
> You are right on the difference between sflow and netflow/ipfix. Only
> thing I can propose is to drop the timestamp_start primitive in favor
> of time binning (print_history config directive and a print_output_file
> with time reference as part of the filename). It will never be as fine
> grained as netflow/ipfix (I'm thinking of the case of tcp port
> reuse) but it is definitely something.
>
> Cheers,
> Paolo
>
> On Mon, May 11, 2015 at 02:44:44PM +0000, Steffen Plotner wrote:
> > Hello,
> >
> > I have been able to collect netflow data from our palo alto device for
> > forensic analysis purposes and started to study sflow data from the
> > juniper switches. I understand that sflow is based on statistical
> > sampling, which clearly cannot catch every packet, but one can lower the
> > 1:x ratio low enough for that to work. Having done that, I had the
> > following aggregate statement (sfacctd):
> >
> > aggregate[track_raw]: label, src_host, dst_host, src_port, dst_port,
> > proto, tcpflags, in_iface, out_iface, cos, etype, src_mac, dst_mac,
> > vlan, timestamp_start
> >
> > which, because of the timestamp_start field, cannot aggregate data
> > together for packets that belong to the same session (flow).
> >
> > I was comparing an http download on the netflow side and saw that I
> > had a couple of entries with hundreds of packets and a packet size
> > matching the download.
> >
> > On the sflow collecting side, I had hundreds of individual entries
> > each with a packet count of 1 - now I am realizing that sfacct cannot
> > aggregate anything in terms of sflow data because of the
> > timestamp_start.
> >
> > But I need the timestamp_start in the output (json file) - how can one
> > go about that?
> >
> > I feel that sflow is really nothing equivalent to netflow - basically
> > netflow has done a ton of work putting together netflow records of
> > complete transactions, while sflow just produces packet metadata that
> > another collector has to put together and make up the transactions - and
> > if the ending tcp flags are not there, then you are stuck.
> >
> > Thank you for your help.
> >
> > Steffen
> >
> > _______________________________________________________________________________________________
> > Steffen Plotner                                  Amherst College
> > Tel (413) 542-2348
> > Systems/Network Administrator/Programmer         PO BOX 5000
> > Fax (413) 542-2626
> > Systems & Networking                             Amherst, MA 01002-5000
> > [email protected]
> >
> > _______________________________________________
> > pmacct-discussion mailing list
> > http://www.pmacct.net/#mailinglists
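As an added illustration of the time-binning approach Paolo suggests in the thread (this is example code written for this page, not code from pmacct or from either poster), the following Python models what happens to sFlow packet samples when timestamp_start is part of the aggregate key versus when the key is the flow 5-tuple and samples are binned into fixed intervals, with the bin start carried in the output filename. The sample records, the 60-second bin size, the field names and the filename template are constructed assumptions; the bin rounding is assumed to mirror what print_history does, and the template is not pmacct's default.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sFlow-style packet samples (not a real capture). Each tuple is one
# sampled packet: (epoch seconds, src_host, dst_host, src_port, dst_port, proto, bytes).
# The first six belong to one HTTP download; the last one is a DNS lookup.
SAMPLES = [
    (1431350400, "10.0.0.5", "192.0.2.10", 51234, 80, "tcp", 1500),
    (1431350401, "10.0.0.5", "192.0.2.10", 51234, 80, "tcp", 1500),
    (1431350401, "10.0.0.5", "192.0.2.10", 51234, 80, "tcp", 1500),
    (1431350430, "10.0.0.5", "192.0.2.10", 51234, 80, "tcp", 1500),
    (1431350470, "10.0.0.5", "192.0.2.10", 51234, 80, "tcp", 1500),
    (1431350471, "10.0.0.5", "192.0.2.10", 51234, 80, "tcp", 1500),
    (1431350405, "10.0.0.5", "192.0.2.53", 40000, 53, "udp", 80),
]

FLOW_KEY_FIELDS = ("src_host", "dst_host", "src_port", "dst_port", "proto")


def flow_key(sample):
    """The aggregate key without timestamp_start: the 5-tuple only."""
    _ts, src, dst, sport, dport, proto, _nbytes = sample
    return (src, dst, sport, dport, proto)


def count_records_with_timestamp_start(samples):
    """Records a collector would emit with timestamp_start in the aggregate key:
    only samples sharing the same second AND 5-tuple collapse together, so a
    download of N sampled packets yields roughly N one-packet records."""
    return len({(s[0],) + flow_key(s) for s in samples})


def bin_start(ts, bin_seconds):
    """Round an epoch timestamp down to the start of its time bin (assumed to
    mirror print_history's wall-clock-aligned intervals)."""
    return ts - (ts % bin_seconds)


def aggregate_by_bin(samples, bin_seconds=60, sampling_rate=1):
    """Aggregate samples per (bin start, 5-tuple). sampling_rate is the sFlow
    1:x ratio; scaling by it turns sampled counts into an estimate of the real
    traffic. Returns {bin_start: {flow_key: {"packets": n, "bytes": n}}}."""
    bins = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "bytes": 0}))
    for sample in samples:
        ts, nbytes = sample[0], sample[6]
        entry = bins[bin_start(ts, bin_seconds)][flow_key(sample)]
        entry["packets"] += sampling_rate
        entry["bytes"] += nbytes * sampling_rate
    return bins


def count_binned_records(samples, bin_seconds=60):
    """Total records emitted across all bins once timestamp_start is dropped."""
    return sum(len(flows) for flows in aggregate_by_bin(samples, bin_seconds).values())


def records_for_bin(bins, b):
    """JSON-ready dicts for one bin. The bin start stands in for timestamp_start:
    coarser than a NetFlow flow start, but every record still carries a time."""
    return [
        {"timestamp_bin": datetime.fromtimestamp(b, tz=timezone.utc).isoformat(),
         **dict(zip(FLOW_KEY_FIELDS, key)), **counters}
        for key, counters in sorted(bins[b].items())
    ]


def output_filename(b, template="sflow-%Y%m%d-%H%M.json"):
    """Filename carrying the bin's time reference, the way a print_output_file
    with strftime-style variables would (template is a constructed example)."""
    return datetime.fromtimestamp(b, tz=timezone.utc).strftime(template)


if __name__ == "__main__":
    print("records with timestamp_start in the key:",
          count_records_with_timestamp_start(SAMPLES))
    print("records after 60s binning:", count_binned_records(SAMPLES))
    bins = aggregate_by_bin(SAMPLES, 60)
    for b in sorted(bins):
        print(output_filename(b), records_for_bin(bins, b))
```

With the constructed input the timestamp_start key produces six near-singleton records for seven samples, while 60-second binning collapses the download into one record per bin (two bins) plus one DNS record, and the bin's time survives in both the record and the filename. For forensic use this is the trade-off Paolo describes: a flow that reuses the same client port inside one bin cannot be told apart from an earlier flow on that port, whereas NetFlow/IPFIX would have delivered them as separate flow records.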
