RE: [j-nsp] cflowd sampling

From: Stephen Gill (gillsr@yahoo.com)
Date: Wed Nov 07 2001 - 16:38:41 EST


Unfortunately you are limited by a 100-Mbps bus between the RE and PFE
(fxp1). For this reason, the number of packets that you can sample is
limited, thus the need for telling the router what you really want to
classify as interesting. You can be as granular as you would like when
doing so, such as by sampling syn/fin packets, etc. Keep in mind that
there is a built-in rate-limiting mechanism of 7000 pps no matter how
much you may try to sample.

It will be difficult to measure a full flow (including ack packets) if
you cannot sample ALL traffic. As long as you stay within the built-in
limitations of pps you can sample based on filters.

According to the docs on the 'run-length' flag: "Set the number of
samples following the initial trigger event, thus allowing you to sample
adjacent packets to those already being sampled." I.e., a run-length of
0 will not sample any other packets in addition to the first one - this
is the behavior you have noticed.

You may also wish to visit the juniper-nsp archives for previous posts
on netflow here: http://puck.nether.net/lists/juniper-nsp/

Juniper has posted a relevant Whitepaper on accounting that you may find
useful here: http://www.juniper.net/techcenter/techpapers/200010.pdf

Cheers,
-- steve

> -----Original Message-----
> From: Przemyslaw Karwasiecki [mailto:karwas@ifxcorp.com]
> Sent: Wednesday, November 07, 2001 10:46 AM
> To: juniper-nsp@puck.nether.net
> Subject: [j-nsp] cflowd sampling
>
> All,
>
> I am looking for some more detailed descriptions of how traffic sampling
> really works.
>
> I have just set up cflowd with 'rate 100' and 'run-length 1',
> and the results given by cfdnexthops are far different from
> what I would expect. Specifically traffic reported by this utility
> is approximately 2% of traffic which is actually sent over each
> of the next hops.
> Because of rate ratio and run-length, I would expect to see 1%
> of traffic to be reported.
>
> Also, cflowd is actually meant to work on flow data, and I don't
> understand how you can identify full flows, from SYN/ACK to FIN
> just by looking at every 100th packet. Or am I missing something?
>
> Any help, pointers, suggestions, explanations will be greatly
> appreciated.
>
> TIA,
>
> Przemek
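The rate/run-length arithmetic discussed in this thread, as an added illustration in Python (not Juniper's code and not posted by anyone in the thread). It assumes, per the quoted docs, that the trigger packet plus the `run-length` packets following it are sampled, and treats the 7000 pps figure as a flat ceiling on what the PFE can hand to the RE.

```python
from fractions import Fraction
from dataclasses import dataclass

# Built-in RE<->PFE sampling ceiling mentioned in the thread (packets/second).
RE_PFE_CAP_PPS = 7000


@dataclass(frozen=True)
class SamplingConfig:
    rate: int        # 'rate N': every Nth packet is a trigger event
    run_length: int  # 'run-length M': M adjacent packets sampled after each trigger


def sampled_indices(cfg, packet_count):
    """0-based indices of the packets selected from a stream of packet_count
    packets. Assumption (from the quoted docs): the trigger packet is sampled
    and so are the run_length packets immediately following it."""
    if cfg.rate < 1 or cfg.run_length < 0:
        raise ValueError("rate must be >= 1 and run-length >= 0")
    return [i for i in range(packet_count) if i % cfg.rate <= cfg.run_length]


def sampled_fraction(cfg):
    """Exact share of packets sampled: (run-length + 1) out of every rate."""
    return Fraction(min(cfg.run_length + 1, cfg.rate), cfg.rate)


def samples_per_second(cfg, offered_pps):
    """Samples/s the RE actually receives: the sampled share of the offered
    load, clipped at the 7000 pps ceiling."""
    return min(offered_pps * sampled_fraction(cfg), RE_PFE_CAP_PPS)


def max_offered_pps_before_cap(cfg):
    """Highest offered packet rate this config can sample before the cap
    silently truncates the sample (and biases any scaled-up estimate low)."""
    return RE_PFE_CAP_PPS / sampled_fraction(cfg)


def scale_to_estimate(sampled_count, cfg):
    """Scale a count of sampled packets (or bytes) back to an estimated total;
    only valid while samples_per_second() is below the cap."""
    return sampled_count / sampled_fraction(cfg)


if __name__ == "__main__":
    # Przemek's config: rate 100, run-length 1 -> 2 of every 100 packets (2%),
    # the share he observed; run-length 0 gives the 1% he expected.
    for cfg in (SamplingConfig(100, 1), SamplingConfig(100, 0)):
        print(cfg, "samples", float(sampled_fraction(cfg)) * 100, "% of packets")
        print("  cap reached at", max_offered_pps_before_cap(cfg), "pps offered")
```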




This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT