Re: [c-nsp] nfSen / nfDump

2017-08-30 Thread Nick Hilliard 
Nick Cutting wrote:
> The main SFlow collection point(s) are 36 port 100g nexus 9236c, so I
> think it is based on different chipsets – ASE2

Right, I missed it was a different asic.  You should reach out to your
SE and ask her/him if there is any way of poking this in hardware, in
the same way that you can do it on broadcom chipsets.  It would be
extraordinary if the hardware didn't support this.

Nick


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-29 Thread Nick Cutting 
Thank you for your help.

The main SFlow collection point(s) are 36 port 100g nexus 9236c, so I think it 
is based on different chipsets – ASE2

I can see the sampling rate with the show run all command, I was using the 
default of 4096.
I tried various values – but the traffic is always almost exactly double what I 
get when using snmp statistics.

So unless we have a way to disable sFlow in both directions – I will need to 
divide by 2 for non-netflow sources.
Now I just need a big linux fella to rebuild the kernel and stick the /2 into 
the sfcapd daemon

From: Nick Hilliard [mailto:n...@foobar.org]
Sent: Monday, August 28, 2017 5:26 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

This message originated from outside your organization

Nick Cutting wrote:
> I didn’t seem to be able to use that command on a Nexus 9200 - the
> guide for the shell seems for the 9500 and the 3k?

N9K access instructions here:

> https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_chapter_0101.html#concept_F5C3B0413B80410FBBDCC79F81BF086F<https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_chapter_0101.html#concept_F5C3B0413B80410FBBDCC79F81BF086F>

Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Hilliard 
Nick Cutting wrote:
> I didn’t seem to be able to use that command on a Nexus 9200 - the
> guide for the shell seems for the 9500 and the 3k?

N9K access instructions here:

> https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/6-x/programmability/guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide/b_Cisco_Nexus_9000_Series_NX-OS_Programmability_Guide_chapter_0101.html#concept_F5C3B0413B80410FBBDCC79F81BF086F

Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Cutting 
Thank you for your reply.

Yes, I have a very similar config to yours below.

Looks like I'll need to tell the noc to halve their findings.
I didn’t seem to be able to use that command on a Nexus 9200 - the guide for 
the shell seems for the 9500 and the 3k?

Thank you

-Original Message-
From: Nick Hilliard [mailto:n...@foobar.org] 
Sent: Monday, August 28, 2017 5:13 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

This message originated from outside your organization

Nick Cutting wrote:
> Doesn't look like sflow daemon supports the -s sampling tag.
> 
> %sources = (
> 'myRouter'  => { 'port' => '9901', 'col' => '#00ff00', 'type' => 
> 'netflow', 'optarg' => ' -s -1000 '}, );

yes, that's correct.  The sflow sampling rate is specified in each sflow 
packet, so there is no need to specify it on the collector - it's automatically 
detected on a per-packet basis.

This is a working config on a small site (albeit a different sflow agent 
platform, but that won't make any difference):

> %sources = (
> 'rtr01' => { 'port' => '2055', 'col' => '#ff', 'type' => 'sflow' 
> },
> 'rtr02' => { 'port' => '2056', 'col' => '#00ff00', 'type' => 
> 'sflow' }, );

nfsen will then start up sfcapd instead of nfcapd.

Nick

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Hilliard 
Nick Cutting wrote:
> Doesn't look like sflow daemon supports the -s sampling tag.
> 
> %sources = (
> 'myRouter'  => { 'port' => '9901', 'col' => '#00ff00', 'type' => 
> 'netflow', 'optarg' => ' -s -1000 '},
> );

yes, that's correct.  The sflow sampling rate is specified in each sflow
packet, so there is no need to specify it on the collector - it's
automatically detected on a per-packet basis.

This is a working config on a small site (albeit a different sflow agent
platform, but that won't make any difference):

> %sources = (
> 'rtr01' => { 'port' => '2055', 'col' => '#ff', 'type' => 'sflow' 
> },
> 'rtr02' => { 'port' => '2056', 'col' => '#00ff00', 'type' => 'sflow' 
> },
> );

nfsen will then start up sfcapd instead of nfcapd.

Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Hilliard 
Nick Cutting wrote:
> sflow sampling-rate 4096 <-- this is 512?

that means that out of every 4096 packets received on an interface, one
will be punted to the sflow collector.  You can check the hardware
sampling rate using the PortSampRate command in the broadcom shell, like
this:

> n3k# test hardware internal bcm-usd bcm-diag-shell
> Available Unit Numbers: 0
> bcm-shell.0> PortSampRate
>  xe0: ingress: 1 out of 4096 packets, egress: 1 out of 4096 packets,
>  xe1: ingress: 1 out of 4096 packets, egress: 1 out of 4096 packets,
[...]

Sflow sampling is handled in hardware and is reasonably accurate on the
broadcom chipset.

If you're seeing ~2x the number of packets, bear in mind that nxos
samples in both directions with no option for only ingress or only
egress.  There is no good reason for having this limitation, because
it's trivial to modify in using the bcm-shell with the portsamprate
command, and the lack of ability to specify the sampling direction makes
the sflow functionality on this operating system pretty useless.

Nick
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Cutting 
This was an example I took from the nfsen forums - it is a negative value.

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Justin 
M. Streiner
Sent: Monday, August 28, 2017 3:32 PM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

Wouldn't the syntax be "-s 1000", rather than "-s -1000"?

jms

On Mon, 28 Aug 2017, Nick Cutting wrote:

> So as usual -  my netflow routers are coming up with the correct size data in 
> nfsen, but sFlow is about 2.5 times as much traffic.
>
> Does anyone have a cisco sflow config that works with nfsen - sampling rate 
> etc?
>
> sflow sampling-rate 4096 <-- this is 512?
> sflow max-sampled-size 128
> sflow counter-poll-interval 30
> sflow  max-datagram-size 1400
> sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx sflow 
> collector-port 6343 sflow agent-ip xx.xx.xx.xx no sflow extended 
> switch
>
> Then in nfsen - here:
>
> Doesn't look like sflow daemon supports the -s sampling tag.
>
> %sources = (
>'myRouter'  => { 'port' => '9901', 'col' => '#00ff00', 'type' => 
> 'netflow', 'optarg' => ' -s -1000 '}, );
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
> Of Aaron Gould
> Sent: Sunday, August 6, 2017 1:46 AM
> To: 'Phil Mayers' <p.may...@imperial.ac.uk>; cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] nfSen / nfDump
>
> netflow
>
> -Original Message-
> From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf 
> Of Phil Mayers
> Sent: Friday, August 4, 2017 3:08 AM
> To: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] nfSen / nfDump
>
> On 03/08/17 22:53, Aaron Gould wrote:
>> I do 1/512 sample rate on my asr9k's and usually multiple numbers 
>> gathered in nfsen by 512 to normalize
>
> sflow? Or netflow?
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Justin M. Streiner 

Wouldn't the syntax be "-s 1000", rather than "-s -1000"?

jms

On Mon, 28 Aug 2017, Nick Cutting wrote:


So as usual -  my netflow routers are coming up with the correct size data in 
nfsen, but sFlow is about 2.5 times as much traffic.

Does anyone have a cisco sflow config that works with nfsen - sampling rate etc?

sflow sampling-rate 4096 <-- this is 512?
sflow max-sampled-size 128
sflow counter-poll-interval 30
sflow  max-datagram-size 1400
sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx
sflow collector-port 6343
sflow agent-ip xx.xx.xx.xx
no sflow extended switch

Then in nfsen - here:

Doesn't look like sflow daemon supports the -s sampling tag.

%sources = (
   'myRouter'  => { 'port' => '9901', 'col' => '#00ff00', 'type' => 'netflow', 
'optarg' => ' -s -1000 '},
);

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron 
Gould
Sent: Sunday, August 6, 2017 1:46 AM
To: 'Phil Mayers' <p.may...@imperial.ac.uk>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

netflow

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil 
Mayers
Sent: Friday, August 4, 2017 3:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

On 03/08/17 22:53, Aaron Gould wrote:

I do 1/512 sample rate on my asr9k's and usually multiple numbers
gathered in nfsen by 512 to normalize


sflow? Or netflow?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-28 Thread Nick Cutting 
So as usual -  my netflow routers are coming up with the correct size data in 
nfsen, but sFlow is about 2.5 times as much traffic.

Does anyone have a cisco sflow config that works with nfsen - sampling rate etc?

sflow sampling-rate 4096 <-- this is 512?
sflow max-sampled-size 128
sflow counter-poll-interval 30
sflow  max-datagram-size 1400
sflow collector-ip xx.xx.xx.xx vrf default source xx.xx.xx.xx
sflow collector-port 6343
sflow agent-ip xx.xx.xx.xx
no sflow extended switch

Then in nfsen - here:

Doesn't look like sflow daemon supports the -s sampling tag.

%sources = (
'myRouter'  => { 'port' => '9901', 'col' => '#00ff00', 'type' => 'netflow', 
'optarg' => ' -s -1000 '},
);

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Aaron 
Gould
Sent: Sunday, August 6, 2017 1:46 AM
To: 'Phil Mayers' <p.may...@imperial.ac.uk>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

netflow

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil 
Mayers
Sent: Friday, August 4, 2017 3:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

On 03/08/17 22:53, Aaron Gould wrote:
> I do 1/512 sample rate on my asr9k's and usually multiple numbers 
> gathered in nfsen by 512 to normalize

sflow? Or netflow?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-17 Thread Ryan Gelobter 
You may want to checkout ntopng/nprobe if you haven't already. Depending on
the number of flows and features you need you may be able to use the
community/trial versions. If not I think the price is very reasonable for
what you get. (under $1k euro for both per year).

I got tired of having to deal with nfsen as a PHP application and the old
UI not really being user friendly. They are both rock solid though.

http://www.ntop.org/products/traffic-analysis/ntop/

On Tue, Aug 1, 2017 at 3:59 PM, Nick Cutting  wrote:

> Slightly off topic, however related to the solarwinds talks of last week.
>
> Just wondering what versions of nfSen and nfdump you fine people are
> running - and on what operating system, e.g debian / red hat etc.
>
> I understand Nfsen has not been updated since 2011 - is this a problem -
> or is it just that rocksteady?
>
> How comprehensive is the sFlow support - this is one reason we are moving
> away from solarwinds. (and we got rid of all our CaatOS gear - solarwinds
> was great at CatoS!)
>
> Any input greatly appreciated
>
> Nick Cutting
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-05 Thread Aaron Gould 
netflow

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Phil
Mayers
Sent: Friday, August 4, 2017 3:08 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

On 03/08/17 22:53, Aaron Gould wrote:
> I do 1/512 sample rate on my asr9k's and usually multiple numbers 
> gathered in nfsen by 512 to normalize

sflow? Or netflow?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-04 Thread Phil Mayers 

On 03/08/17 22:53, Aaron Gould wrote:

I do 1/512 sample rate on my asr9k's and usually multiple numbers gathered
in nfsen by 512 to normalize


sflow? Or netflow?
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-03 Thread Aaron Gould 
We run Nfsen 1.3.6

- Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Nick
Cutting
Sent: Tuesday, August 1, 2017 4:00 PM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] nfSen / nfDump

Slightly off topic, however related to the solarwinds talks of last week.

Just wondering what versions of nfSen and nfdump you fine people are running
- and on what operating system, e.g debian / red hat etc.

I understand Nfsen has not been updated since 2011 - is this a problem - or
is it just that rocksteady?

How comprehensive is the sFlow support - this is one reason we are moving
away from solarwinds. (and we got rid of all our CaatOS gear - solarwinds
was great at CatoS!)

Any input greatly appreciated

Nick Cutting
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-03 Thread Aaron Gould 
I do 1/512 sample rate on my asr9k's and usually multiple numbers gathered
in nfsen by 512 to normalize

-Aaron

-Original Message-
From: cisco-nsp [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of
Patrick Cole
Sent: Tuesday, August 1, 2017 6:17 PM
To: Nick Cutting <ncutt...@edgetg.com>
Cc: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] nfSen / nfDump

Nick,

Nfsen/nfdump is pretty rock solid.  I've been running it for many years
without too many dramas.  I use a combination of sflow / netflow within our
network.   The only issue I have is it seems to incorrectly show packet
rate for sflow but is fine with netflow (due to the 1 in 1024 sample rate
with sflow more than likely - there may be a fix I havn't spent a lot of
time on it)

PC

Tue, Aug 01, 2017 at 08:59:54PM +, Nick Cutting wrote:

> Slightly off topic, however related to the solarwinds talks of last week.
> 
> Just wondering what versions of nfSen and nfdump you fine people are
running - and on what operating system, e.g debian / red hat etc.
> 
> I understand Nfsen has not been updated since 2011 - is this a problem -
or is it just that rocksteady?
> 
> How comprehensive is the sFlow support - this is one reason we are 
> moving away from solarwinds. (and we got rid of all our CaatOS gear - 
> solarwinds was great at CatoS!)
> 
> Any input greatly appreciated
> 
> Nick Cutting
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

--
Patrick Cole <z...@wwwires.com>
Senior Network Specialist
World Without Wires
PO Box 869. Palm Beach, QLD, 4221
Ph:  0410 626 630
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Re: [c-nsp] nfSen / nfDump

2017-08-01 Thread Patrick Cole 
Nick,

Nfsen/nfdump is pretty rock solid.  I've been running it for many years
without too many dramas.  I use a combination of sflow / netflow within our
network.   The only issue I have is it seems to incorrectly show packet
rate for sflow but is fine with netflow (due to the 1 in 1024 sample rate
with sflow more than likely - there may be a fix I havn't spent a lot of
time on it)

PC

Tue, Aug 01, 2017 at 08:59:54PM +, Nick Cutting wrote:

> Slightly off topic, however related to the solarwinds talks of last week.
> 
> Just wondering what versions of nfSen and nfdump you fine people are running 
> - and on what operating system, e.g debian / red hat etc.
> 
> I understand Nfsen has not been updated since 2011 - is this a problem - or 
> is it just that rocksteady?
> 
> How comprehensive is the sFlow support - this is one reason we are moving 
> away from solarwinds. (and we got rid of all our CaatOS gear - solarwinds was 
> great at CatoS!)
> 
> Any input greatly appreciated
> 
> Nick Cutting
> ___
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

-- 
Patrick Cole 
Senior Network Specialist
World Without Wires
PO Box 869. Palm Beach, QLD, 4221
Ph:  0410 626 630
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/