Thread: [Nfdump-discuss] traffic total - discrepancy
netflow collecting and processing tools
From: Pedro T. <to...@po...> - 2009-04-28 17:08:24
Hi,

I am using nfsen 1.3 and nfdump 1.5.7. My aggregate traffic measured with SNMP is ~1.3Gbps. When I look at the traffic with nfsen, single timeslot, the detailed web statistics show:

Statistics timeslot Apr 28 2009 - 13:20
Traffic:
              all:        tcp:        udp:        icmp:       other:
  portmirror  6.4 k/s     3.7 k/s     2.6 k/s     127.4 /s    0.6 /s

              all:        tcp:        udp:        icmp:       other:
  portmirror  209.4 k/s   203.9 k/s   4.6 k/s     266.5 /s    631.5 /s

              all:        tcp:        udp:        icmp:       other:
  portmirror  1.3 Gb/s    1.3 Gb/s    6.8 Mb/s    233.6 kb/s  2.6 Mb/s

Ok, I can see 1.3Gb/s of all traffic but when I process the report below the summary is 891.0Mb/s. Why is the aggregate not 1.3Gb/s? Is the time window right?

nfdump -M /storage/nfsen/profiles-data/live/portmirror -T -r 2009/04/28/nfcapd.200904281320 -n 500 -s if/bytes
nfdump filter:
any
Top 500 In/Out If ordered by bytes:
Date first seen          Duration Proto In/Out If    Flows  Packets    Bytes      pps      bps    bpp
2009-04-28 13:17:58.205   419.769 any         65488   927937   32.1 M   35.6 G    80231  695.7 M   1136
2009-04-28 13:17:58.120   419.852 any         54256   985943   27.8 M   10.0 G    69400  195.4 M    369

Summary: total flows: 1913880, total bytes: 45.7 G, total packets: 59.9 M, avg bps: 891.0 M, avg pps: 149614, avg bpp: 780
Time window: 2009-04-28 13:17:58 - 2009-04-28 13:24:57
Total flows processed: 1913880, Records skipped: 0, Bytes read: 99523188
Sys: 0.680s flows/second: 2814355.6 Wall: 0.849s flows/second: 2253654.5

--
Pedro
From: Pedro T. <to...@po...> - 2009-04-30 21:26:35
> Ok, I can see 1.3Gb/s of all traffic but when I process the report below
> the summary is 891.0Mb/s. Why is the aggregate not 1.3Gb/s? Is the
> time window right?

I think it is not a bug but a behavior. The flows have a maximum lifetime of 120 seconds (to be expired). Due to this, the flow durations in a five-minute file can start 2 minutes earlier. I can live with that.

--
Pedro
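The nfdump summary in the first message spans 419 seconds rather than 300, which is the effect the reply above describes. As an added example (not part of the original thread and not nfdump or NfSen code), this Python sketch parses those two summary lines and averages the same byte count over both intervals. Assumptions: the per-second figures in the web statistics are averaged over a 300-second timeslot, nfdump's K/M/G prefixes are 1024-based (which fits the figures posted), and the slot rate is read with decimal prefixes.

```python
import re
from datetime import datetime

# Summary lines copied from the nfdump output in the first message of this thread.
NFDUMP_SUMMARY = """\
Summary: total flows: 1913880, total bytes: 45.7 G, total packets: 59.9 M, avg bps: 891.0 M, avg pps: 149614, avg bpp: 780
Time window: 2009-04-28 13:17:58 - 2009-04-28 13:24:57
"""

SLOT_SECONDS = 300  # assumption: rates in the web statistics are per 5-minute slot
SCALE = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}  # assumption: 1024-based


def scaled(text):
    """Convert a value such as '45.7 G' or '149614' to a plain number."""
    m = re.fullmatch(r"([\d.]+)\s*([KMG]?)", text.strip())
    return float(m.group(1)) * SCALE[m.group(2)]


def parse_summary(output):
    """Return (total bytes, reported avg bps, time window length in seconds)."""
    fields = dict(re.findall(r"(total bytes|avg bps): ([\d.]+ ?[KMG]?)", output))
    start, end = re.search(r"Time window: (.+?) - (.+)", output).groups()
    fmt = "%Y-%m-%d %H:%M:%S"
    window = datetime.strptime(end.strip(), fmt) - datetime.strptime(start, fmt)
    return scaled(fields["total bytes"]), scaled(fields["avg bps"]), window.total_seconds()


def rates(output, slot=SLOT_SECONDS):
    """Return (bps over the observed window, bps over the fixed slot, reported bps)."""
    total_bytes, reported, window = parse_summary(output)
    bits = total_bytes * 8
    return bits / window, bits / slot, reported


if __name__ == "__main__":
    over_window, over_slot, reported = rates(NFDUMP_SUMMARY)
    print(f"over 419 s window: {over_window / 1024**2:.1f} M "
          f"(nfdump reports {reported / 1024**2:.1f} M)")
    print(f"over 300 s slot  : {over_slot / 1e9:.2f} Gb/s")
```

The small gap between the recomputed window average and the reported 891.0 M comes from the byte total being rounded to 45.7 G in the output.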
From: Rune S. <run...@un...> - 2009-05-07 12:51:51
I'm writing a backend plugin for nfsen and discovered a small documentation bug at http://nfsen.sourceforge.net/PluginGuide/plugin-guide.html:

The plugin May access its parameters as:

    use NfConf;
    my $conf = $NfConf::Pluginconf{demoplugin};
                              ^
    my $param1 = $$conf{'param1'}; # $param1 => 42
    my $param2 = $$conf{'param2'}; # $$param2{'key'} => 'value'

Should be a capital 'C' in PluginConf. Irritating thing when using cut'n paste! ;-)

Regards,
Rune Sydskjør, UNINETT