[j-nsp] sampling/cflowd question

Thu Nov 24 16:44:53 EST 2005

On Thu, Nov 24, 2005 at 03:10:54PM -0500, Alex Rubenstein wrote:
> 
> I am starting to play around with sampling/netflow on Juniper, and have 
> run into an interesting thing.
> 
> First off, my config:
> 
> sampling {
>      input {
>          family inet {
>              rate 1024;
>              run-length 5;
>          }
>      }
>      output {
>          file filename some-file size 5m;
>          cflowd x.x.x.x {
>              port 4200;
>              version 5;
>              local-dump;
>              autonomous-system-type origin;
>          }
>      }
> }

Unrelated, but you probably want a rate that is a round number (divisible 
by the run-length). Your current settings would require you to multiply 
the data by 204.8 to get back to your original data. :)

> I've homebrewed a collector, just for testing. I've then enabled sampling 
> on one interface on the above router, an interface I know the traffic on.
> 
> In the some-file, I am getting good stuff. All valid, it appears.
> 
> However, in the netflow packets, I am getting odd packets once in a while:
> 
> src ifindex:  0
> dst ifindex:  4352
> bytes      :  354025472
> src asn    :  0
> dst asn    :  1
> src ip     : 8.53.121.140
> dst ip     : 8.53.121.140
> 
> or
> 
> src ifindex:  16
> dst ifindex:  1536
> bytes      :  403505152
> src asn    :  0
> dst asn    :  1
> src ip     : 140.44.95.91
> dst ip     : 140.44.95.91
> 
> Perhaps 20 to 50% of the rec'd records are like that.
> 
> There is no ifindex as indicated above. 140.44.95.91 isn't even in our 
> routing table. Notice the size of the flow. Very odd. Observed in old 6.x 
> and new 7.x.

I'd check your collector code first, are you certain your alignment is 
correct for packets which contain multiple flows?

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)