[j-nsp] sampling/cflowd question
Alex Rubenstein
alex at nac.net
Thu Nov 24 15:10:54 EST 2005
I am starting to play around with sampling/netflow on Juniper, and have
run into an interesting thing.
First off, my config:
sampling {
input {
family inet {
rate 1024;
run-length 5;
}
}
output {
file filename some-file size 5m;
cflowd x.x.x.x {
port 4200;
version 5;
local-dump;
autonomous-system-type origin;
}
}
}
I've homebrewed a collector, just for testing. I've then enabled sampling
on one interface on the above router, an interface I know the traffic on.
In the some-file, I am getting good stuff. All valid, it appears.
However, in the netflow packets, I am getting odd packets once in a while:
src ifindex: 0
dst ifindex: 4352
bytes : 354025472
src asn : 0
dst asn : 1
src ip : 8.53.121.140
dst ip : 8.53.121.140
or
src ifindex: 16
dst ifindex: 1536
bytes : 403505152
src asn : 0
dst asn : 1
src ip : 140.44.95.91
dst ip : 140.44.95.91
Perhaps 20 to 50% of the rec'd records are like that.
There is no ifindex as indicated above. 140.44.95.91 isn't even in our
routing table. Notice the size of the flow. Very odd. Observed in old 6.x
and new 7.x.
Thoughts?
--
Alex Rubenstein, AR97, K2AHR, alex at nac.net, latency, Al Reuben
Net Access Corporation, 800-NET-ME-36, http://www.nac.net
More information about the juniper-nsp
mailing list