[j-nsp] flow sampling: what packets are chosen?

Phil Sykes phil at atdot.at
Wed Jul 24 13:10:36 EDT 2013


The sampling is more random - the probability of an individual packet being
sampled is 1/1000, but it's not exactly every 1000th packet, and every
linecard has an independent sampling engine.

A caveat on sample rate - some Juniper hardware (e.g. T-Series FPC3, MX960
DPC) will silently round that up to the nearest 65535 / int(x), so pick
sampling rates like 8191, 4095 rather than 4000, 10000.

You can miss flows of any size - as the size of the flow increases, the
probability you will sample at least one packet from it increases, but
there are no guarantees.

Run-length appears to be unsupported on newer (e.g. MX3D MPC) hardware.

Regards,

Phil



On Tue, Jul 23, 2013 at 7:16 PM, chris r. <chricki at gmx.net> wrote:

> Hi guys,
>
> I'm using Juniper hardware to sample traffic and dump it to NetFlow
> data. In my config, the sampling rate is 1000, run-length is 0.
>
> According to the docs [1], this means that 1 out of 1000 packets per
> flow is sampled. Does this mean that *always* the first (1001st, 2001st,
> 3001st, ...) packet of a flow is included (as the figure in the docs
> suggests) or is the sampling more random?
>
> And if sampling is done more randomly: Can I miss flows due to packet
> sampling, e.g., if flows have fewer than 1000 packets?
>
> Thanks a lot for your help,
> Chris
>
> [1]:
>
> http://www.juniper.net/techpubs/software/junos/junos94/swconfig-policy/configuring-traffic-sampling.html#id-11354799
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
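
Added example, not part of the original thread: a Python sketch of the two points in the reply above, the rate rounding and the chance of missing a flow. It assumes the rounding means "smallest 65535/k at or above the configured rate", that each packet is sampled independently with probability 1/rate, and that the collector scales counters by the configured rate; all function names are hypothetical.

```python
import math

MAX_RATE = 65535  # constant from the reply; hardware rounds to 65535 / k


def effective_rate(configured: int) -> float:
    """Assumed rounding: smallest 65535/k (k a positive integer) >= configured."""
    if not 1 <= configured <= MAX_RATE:
        raise ValueError("rounding is only described for rates 1..65535")
    k = MAX_RATE // configured  # largest k with 65535/k >= configured
    return MAX_RATE / k


def p_flow_seen(packets: int, rate: float) -> float:
    """P(at least one of `packets` is sampled), each independently with p = 1/rate."""
    return 1.0 - (1.0 - 1.0 / rate) ** packets


def packets_for_confidence(conf: float, rate: float) -> int:
    """Smallest flow size (in packets) that is seen with probability >= conf."""
    return math.ceil(math.log(1.0 - conf) / math.log(1.0 - 1.0 / rate))


def undercount(configured: int) -> float:
    """Fraction lost when a collector scales by the configured, not effective, rate."""
    return 1.0 - configured / effective_rate(configured)


if __name__ == "__main__":
    # Constructed sample rates: the ones named in the thread plus 1000.
    for cfg in (1000, 4000, 4095, 8191, 10000):
        eff = effective_rate(cfg)
        print(f"configured 1/{cfg:<6} effective 1/{eff:<10.2f} "
              f"undercount {undercount(cfg):6.2%}  "
              f"P(see 1000-pkt flow) {p_flow_seen(1000, eff):.3f}  "
              f"pkts for 95% {packets_for_confidence(0.95, eff)}")
```

Under these assumptions a 1000-packet flow sampled at 1/1000 is seen only about 63% of the time, which matters when sampled NetFlow is the only source for spotting short-lived flows.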

