[c-nsp] Netflow reported utilization vs actual
Ian Cox
icox at cisco.com
Fri Sep 10 13:28:01 EDT 2004
At 11:42 AM 9/10/2004 -0500, Mark Borchers wrote:
> > -----Original Message-----
> >
> > Hi, folks. Should the reported utilization from netflow
> > flows be the
> > actual utilization on the interface? I have a 2620 exporting to Fedora
> > running flow-tools and CUGrapher, yet I notice that the aggregate
> > utilization reported is lower than reported from MRTG via SNMP. All up
> > interfaces excluding the Lo0 have been enabled for netflow...
> >
> > Any ideas?
> >
> > Rick Cheung
>
>
>I am also interested in seeing a rigorous answer to that
>question. It makes sense to me that the total flow volume
>would be less than aggregate measurements due to:
>1) Layer 2 overhead being ignored since netflow works at layer 3
>2) Retransmitted traffic not showing up in netflow stats (?)
>
>However, the gap between flow volume and aggregate volume that
>I have observed seems slightly larger than the above would
>account for.
The gap between netflow and SNMP can get very wide for small packets. Lets
take 40 byte IP packets through ethernet. The interface will report 64
bytes, netflow will report 40 bytes, there is a 24 bytes that netflow is
not reporting. Send 1,000,000 packets you get a large difference.
64,000,000 vs 40,000,000 bytes. On large packets the encapsulation is
smaller percentage of overall packet size so SNMP and netflow counters are
closer. With ethernet sending 40 byte IP, has ~37% different between SNMP
and Netflow reports with 1500 byte ethernet there is ~1.2% difference
between what is reported.
Ian
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list