Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
On Thu, 30 Jul 2020 at 19:12, wrote: Hey, > If I'm not mistaken, sflow/netflow does not pick up null0 routed > flows. Plz correct me if I am wrong. I don't think there is a single answer to this question. It depends on a platform, where netflow/sflow is done and in what order are functions executed. There will be a lot of complex corner cases particularly with QoS, PBR and so forth. -- ++ytti ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
If I'm not mistaken, sflow/netflow does not pick up null0 routed flows. Plz correct me if I am wrong. Thanks, Hank Caveat: The views expressed above are solely my own and do not express the views or opinions of my employer ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
Hi, On Thu, Jul 30, 2020 at 12:37:52PM +, Drew Weaver wrote: > So if a flow is less than the sampling rate it does not export anything, > I believe is what you are saying. No. If you happen to just not see a packet of that flow, it will not export anything. You can have a flow of 100.000 packets that all just happen to always be "one of the 499 out of 500 packets" that are not being looked at. gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
On Thu, 30 Jul 2020 at 15:37, Drew Weaver wrote: > So if a flow is less than the sampling rate it does not export anything, I > believe is what you are saying. If none of the 500th packets belong to flow of your interest, you won't see anything of the flow. -- ++ytti ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
I see that helps, thanks. -Original Message- From: Gert Doering Sent: Thursday, July 30, 2020 8:38 AM To: Drew Weaver Cc: 'Dobbins, Roland' ; 'cisco-nsp@puck.nether.net' Subject: Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic? Hi, On Thu, Jul 30, 2020 at 12:23:28PM +, Drew Weaver wrote: > So just for a refresher if you are sampling lets say at 1:500 and lets say 1 > byte goes through an interface that is not intended to produce an export? It's statistics: 1:500 says "only look at one packet in 500" - so it will just not *see* this "1 byte" (with a very high propability). > The exporting only happens if the amount of data is over a certain threshold? > Does that threshold vary? Not "data over threshold" but "did you see the packet or not" gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
Hi, On Thu, Jul 30, 2020 at 12:23:28PM +, Drew Weaver wrote: > So just for a refresher if you are sampling lets say at 1:500 and lets say 1 > byte goes through an interface that is not intended to produce an export? It's statistics: 1:500 says "only look at one packet in 500" - so it will just not *see* this "1 byte" (with a very high propability). > The exporting only happens if the amount of data is over a certain threshold? > Does that threshold vary? Not "data over threshold" but "did you see the packet or not" gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de signature.asc Description: PGP signature ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
So if a flow is less than the sampling rate it does not export anything, I believe is what you are saying. Thanks, -Drew -Original Message- From: Saku Ytti Sent: Thursday, July 30, 2020 8:36 AM To: Drew Weaver Cc: Dobbins, Roland ; cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic? On Thu, 30 Jul 2020 at 15:26, Drew Weaver wrote: > So just for a refresher if you are sampling lets say at 1:500 and lets say 1 > byte goes through an interface that is not intended to produce an export? > The exporting only happens if the amount of data is over a certain threshold? > Does that threshold vary? You'd pick up every nTh packet for sampling. sample(packet) if packet_count % 500 == 0 -- ++ytti ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
On Thu, 30 Jul 2020 at 15:26, Drew Weaver wrote: > So just for a refresher if you are sampling lets say at 1:500 and lets say 1 > byte goes through an interface that is not intended to produce an export? > The exporting only happens if the amount of data is over a certain threshold? > Does that threshold vary? You'd pick up every nTh packet for sampling. sample(packet) if packet_count % 500 == 0 -- ++ytti ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
So just for a refresher if you are sampling lets say at 1:500 and lets say 1 byte goes through an interface that is not intended to produce an export? The exporting only happens if the amount of data is over a certain threshold? Does that threshold vary? -Original Message- From: cisco-nsp On Behalf Of Dobbins, Roland Sent: Thursday, July 30, 2020 8:18 AM To: cisco-nsp@puck.nether.net Subject: Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic? > On 30 Jul 2020, at 18:48, Drew Weaver wrote: > > I'm just curious mostly but has anyone found a platform that has high enough > sflow/netflow "resolution" that it picks up things like single pings, or > broadcast traffic, or other very low volume traffic? I think what you’re looking for is gear which supports 1:1 flow telemetry at the interface speeds/densities you require. Roland Dobbins ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?
> On 30 Jul 2020, at 18:48, Drew Weaver wrote: > > I'm just curious mostly but has anyone found a platform that has high enough > sflow/netflow "resolution" that it picks up things like single pings, or > broadcast traffic, or other very low volume traffic? I think what you’re looking for is gear which supports 1:1 flow telemetry at the interface speeds/densities you require. Roland Dobbins ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
[c-nsp] Netflow/Sflow for "irrelevant" traffic?
Hello! I'm just curious mostly but has anyone found a platform that has high enough sflow/netflow "resolution" that it picks up things like single pings, or broadcast traffic, or other very low volume traffic? I've noticed that on the switches we're using at the moment it doesn't seem to export anything for what I suppose someone decided is irrelevant traffic. Thanks, -Drew ___ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
