[Nfdump-discuss] Re: [Nfsen-discuss] nfdump 1.4.1 update
netflow collecting and processing tools
Brought to you by:
phaag
Menu
▾
▴
[Nfdump-discuss] Re: [Nfsen-discuss] nfdump 1.4.1 update
|
From: Wim B. <wim...@su...> - 2005-11-21 13:26:51
|
Hello Peter, On Mon, Nov 21, 2005 at 09:40:13AM +0100, Peter Haag wrote: > I'm aware of that. Please bear with me. Multiple streams on a single port > will be supported. But I'm not sure if this feature will make it for 1.5. Oeps. That was not the intention of my remark. Actually I just started to change our setup. Hopefully I will receive the flow from every router on a different port. No need to hurry ;-) > If it were related to this change, the first value, which had overflowed > was bbs, as bytes is multiplied by 8 to get bits. Other values overflowed > only when running stats over a large time window - let's say a day or so. > But .. > As far as I know, your backbone does sampling for collecting netflow data. Correct 1:100 > This means you only see the sampled statistics. Quite frankly - I have no > experiance with evaluating sampled data. I don't know, if you simply can > multiply the stats with the sampling rate - and how accurate this is. > Maybe someone else can shed some light here. Actually I'm not sure myself. But I have the impression multiplying the current Bits/s rate by 100 would yield too much traffic. > I missed that in the INSTALL file. I'm sorry for that. However, I thought > I had put that on this list. Obviously I forgot - again sorry for that No problem! In the end it just works fine. :-) Just a minor suggestion for the next release of PortTracker. > Hmm .. be sure, you look at the current timeslot in the PortTracker and not > the 24h. These numbers are not yet scaled. Still a lot of work to do here ... > If you stiil see this behaviour in 1.4.1, the something is wrong. I'm not sure if I understand. My live profile shows currently a peak at 150 M Bits/s. At a certain time. When I look at the picture. Around the same time TCP Bytes for port 80 is 300 M Bytes. I would expect I could compare those numbers. (the radio button is "now", not "24 hours"). If this has something to do with sampling I expect the PortTracker numbers would also be lower. > No - I have no PorTracker runnig on solaris. Maybe I find a machine to check > that. I'd appreciate, if you could compile nftrack with -g, and no -O2, enable > coredumps and run nftrack with the same command line options, and then please > send me a coredump file for further analysis. I just did that on one system. Will do the same later on the other system. Will let you know when I have some results. > What version of rrdtool are you using? 1.2.11 with your patch. I also tried the Development SnapShots but I didn't had much success with those. Although more likely I stopped nfsen at a moment when it locks the profile. So it doesn't update the profile after a restart and I panic ;-) Cheers, -Wim |