Re: [j-nsp] cflowd / JunOS 5.1

From: Peter Phaal (Peter_Phaal@inmon.com)
Date: Wed Feb 13 2002 - 13:03:21 EST

Next message: David Liang: "[j-nsp] IGP Hitless restart features"
Previous message: Guy Davies: "RE: [j-nsp] two VPN sites and CCC"
Maybe in reply to: ARIF OKTAY: "[j-nsp] cflowd / JunOS 5.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

On Tue Feb 12 2002 - 10:30:14 EST, Przemyslaw Karwasiecki wrote:
>I have a problem I was alredy reporting to this group,
>but unfortunatelly got no answers.
>
>I am using Junos with:
> SAMPLED release 5.0R1.4 built by builder on 2001-08-14 22:55:55 UTC
>
>I am collecting flows on OC3 POS interface with 1:100 sampling with
>runlenghth 0.
>
>I don't understand how it is possible that majority of flow data,
>send by juniper to my cflowd, contains number of packets >1.
>
>I know from experience, when I sampled the same traffic on cisco
>box, with ratio 1:1, that majority of my flows contains no more
>then 10 packets.
>
>But juniper is supposed to sample 1:100 packets, so i understand,
>that it should never (or very rarely) see all packets which belongs
>to typical flow. I expected that netflow output from juniper will
>contain majority of flows with packet count == 1, becuase of
>1:100 ratio.
>
>How it can happen, that even when i am sampling only 1 packet in 100
>I still see all packets which belongs to a single flow????

Are you seeing ALL the packets belonging to an individual flow? If so then
there probably is a bug.

However, you would expect to see quite a few multi-packet flows after
sampling.

One effect of sampling is to eliminate a lot of the small flows. Most flows
under 100 packets in length will be missed altogether. Flows greater than
200 packets in length are likely to be sampled more than once. The overall
effect is that the measured ratio of long flows to short flows increases
with sampling rate. However, the results should be unbiased with respect to
number of packets since a significant fraction of packets occur in the long
duration flows.

There are a number of papers on sampling accuracy at <http://www.sflow.org/>
that you might find useful.

It is important to use "sampling-aware" applications when analyzing sampled
traffic data. The tools can report statistical variances so that you know
how accurate each measurement is. For example, suppose you are trying to get
the total traffic between two subnets, you want to get a result of the form:
<value> +/- <accuracy>
A value of 10GB +/- 50% is very different from a value of 10GB +/- 1%.

Peter
----------------------
Peter Phaal
InMon Corp.
Peter_Phaal@inmon.com

Next message: David Liang: "[j-nsp] IGP Hitless restart features"
Previous message: Guy Davies: "RE: [j-nsp] two VPN sites and CCC"
Maybe in reply to: ARIF OKTAY: "[j-nsp] cflowd / JunOS 5.1"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:39 EDT