Re: [Nfsen-discuss] Quick question on packet counts
Netflow visualisation and investigation tool
Brought to you by: phaag
From: Peter H. <ph...@us...> - 2012-08-14 11:18:16
Hi Aaron,

On 13/8/12 6:22 PM, Aaron Mayfield wrote:
> I have recently started using NFSen and have found it very helpful. I am confused by one aspect that I am trying to understand. I am exporting sflow from Brocade CER routers to NFSen.
>
> When I list the flows using various criteria, the packet count is almost always 2048:
>
> ** nfdump -M /opt/nfsen/profiles-data/live/kc-gateway2:kc-gateway1 -T -r 2012/08/13/nfcapd.201208131030 -c 100
> nfdump filter:
> proto TCP
> and port 80
> Date flow start          Duration Proto        Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
> 2012-08-13 10:30:01.087     0.000 TCP       205.158.21.133:7608  ->      188.77.80.212:80       2048   143360     1
> 2012-08-13 10:30:03.274     0.000 TCP          69.46.39.45:80    ->     188.77.82.99:10190      2048    3.1 M     1
> 2012-08-13 10:30:04.323     0.000 TCP        173.227.73.11:57759 ->        188.77.82.5:80       2048    3.1 M     1
> 2012-08-13 10:30:06.443     0.000 TCP        37.152.35.146:51603 ->    144.120.106.200:80       2048    3.0 M     1
> 2012-08-13 10:30:11.458     0.000 TCP        188.77.82.211:17506 ->      66.129.99.105:80       2048   735232     1
> 2012-08-13 10:30:15.854     0.000 TCP         188.77.82.62:80    ->   108.162.231.67:62325      2048    3.1 M     1
> 2012-08-13 10:30:15.854     0.000 TCP         50.63.136.26:80    ->    188.77.80.102:57781      2048    1.3 M     1
> 2012-08-13 10:30:16.459     0.000 TCP       108.162.231.67:62325 ->       188.77.82.62:80       2048   143360     1
> 2012-08-13 10:30:24.397     0.000 TCP        188.77.82.231:80    ->     161.130.18.74:2216      2048    2.9 M     1
> 2012-08-13 10:30:26.512     0.000 TCP         188.77.82.62:80    ->    173.245.55.25:64903      2048    3.1 M     1
> 2012-08-13 10:30:27.065     0.000 TCP        173.245.55.25:48851 ->       188.77.82.62:80       2048   143360     1
> 2012-08-13 10:30:30.242     0.000 TCP        188.77.82.231:80    ->     24.171.62.218:1955      2048    3.1 M     1
> 2012-08-13 10:30:30.771     0.000 TCP          188.77.82.5:80    ->     64.132.190.14:3395      2048   731136     1
> 2012-08-13 10:30:37.796     0.000 TCP      144.120.106.200:80    ->     89.242.6.248:64535      2048   118784     1
>
> I assume this had something to do with the fact that by default the Brocades are sampling 1 out of every 2048 packets and therefore only seeing 1 packet out of most of these short-lived flows.
>
> Is this assumption correct? Is nfdump just estimating that a flow is going to have a minimum of 2048 packets as a result?

Yes - that's correct. sfcapd estimates the real packet number by multiplying the packet count by the sampling rate.

> Is there anyone else running sflow out there? What sampling rates do you use?
>
> _______________________________________________
> Nfsen-discuss mailing list
> Nfs...@li...
> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

-- 
Be nice to your netflow data. Use NfSen and nfdump :)
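The scaling Peter describes, as an added Python example (this is not nfdump or sfcapd code, and the flows, packet sizes and the every-2048th-packet sampler below are constructed for illustration). It shows why every row in Aaron's listing reads 2048 packets: with 1-in-2048 sampling a collector only ever sees whole samples, so every estimate is a multiple of the rate, a flow that happens to be hit once reports 2048 packets whatever its real size, and most short flows are never seen at all. The byte column in the listing tells the same story, since each value divides by 2048 to a single packet size (143360 / 2048 = 70 bytes, 735232 / 2048 = 359 bytes, 3.1 M is roughly one 1500-byte packet). A real sFlow agent samples statistically rather than by a fixed counter; the counter is used here only so the numbers can be checked by hand.

```python
"""Added example, not nfdump/sfcapd code: what a collector reports for
1-in-N sampled traffic, and why short flows vanish or show exactly N packets.
All flows, packet counts and sizes below are constructed."""
from dataclasses import dataclass

SAMPLING_RATE = 2048  # the Brocade default quoted in the thread


@dataclass(frozen=True)
class FlowKey:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed traffic: (flow key, packets in the flow, bytes per packet).
TRAFFIC = [
    (FlowKey("10.0.0.1", 40001, "192.0.2.10", 80), 5000, 1460),   # long download
    (FlowKey("10.0.0.2", 40002, "192.0.2.10", 80), 300, 70),      # short request/ACK flow
    (FlowKey("10.0.0.3", 40003, "192.0.2.11", 443), 3000, 1500),  # medium transfer
]


def packet_stream(traffic):
    """Yield (key, size) for every packet, flows back to back, standing in
    for what the export agent sees on the wire."""
    for key, count, size in traffic:
        for _ in range(count):
            yield key, size


def sample(stream, rate):
    """Deterministic 1-in-rate sampling: keep every rate-th packet of the
    whole stream.  Returns {key: (sampled_packets, sampled_bytes)} for the
    flows that received at least one sample; the rest are invisible."""
    seen = {}
    for n, (key, size) in enumerate(stream, start=1):
        if n % rate == 0:
            p, b = seen.get(key, (0, 0))
            seen[key] = (p + 1, b + size)
    return seen


def scale(sampled, rate):
    """What the collector reports: sampled counters multiplied by the rate,
    so every estimate is a multiple of `rate`."""
    return {key: (p * rate, b * rate) for key, (p, b) in sampled.items()}


def probability_seen(packets, rate):
    """Chance that a flow of `packets` packets gets at least one sample under
    independent 1-in-rate sampling (the statistical model real agents use)."""
    return 1.0 - (1.0 - 1.0 / rate) ** packets


def report(traffic=TRAFFIC, rate=SAMPLING_RATE):
    """True vs. estimated counters per constructed flow."""
    est = scale(sample(packet_stream(traffic), rate), rate)
    rows = []
    for key, count, size in traffic:
        packets, nbytes = est.get(key, (0, 0))
        rows.append({
            "flow": key,
            "true_packets": count,
            "true_bytes": count * size,
            "est_packets": packets,   # 0 means the flow never appears in nfdump
            "est_bytes": nbytes,
            "p_seen": probability_seen(count, rate),
        })
    return rows


if __name__ == "__main__":
    for r in report():
        k = r["flow"]
        print(f"{k.src}:{k.sport} -> {k.dst}:{k.dport}  true {r['true_packets']:>5} pkt "
              f"{r['true_bytes']:>8} B   est {r['est_packets']:>5} pkt "
              f"{r['est_bytes']:>8} B   P(seen)={r['p_seen']:.3f}")
```

With the constructed stream, the 5000-packet and 3000-packet flows are each hit twice and both come out as 4096 packets, while the 300-packet flow is not sampled at all; under statistical sampling that flow has only about a 14% chance of appearing, and a single-packet flow about 0.05%. Sampled flow records are therefore fine for volume and top-talker views but cannot be used to count packets or flows of small conversations, which matters when hunting for scans or low-rate beacons.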