Subject: Re: [Jkflow-users] measured traffic differs from other tools, am i missing something?
From: Gustavo Rodrigues Ramos (gustavo@acmesecurity.org)
Date: Tue Apr 19 2005 - 08:57:14 CDT
Hi all, It seens to me that there is some kind of "problem" inside flowscan and not in any module (CUflow, CamposIO or JKFlow) itself. I'm copying this message to flowscan mailing-list. I hope they would explain this much better (sorry about the cross-posting). Regards, Gustavo. Sven Juergensen wrote: > hi people, > > on my quest for an adequate opensource netflow graphing/analyzing > tool i stumbled across jkflow. so far so good, i think i got the > configuration part down, but for some reason the graphs this module > produces don't fit those created by cricket. here's the situation: > > 2 redundant core routers, several border routers located in germany, > amsterdam and vienna. all of them talking to each other via bgp. the > core routers have several networks connected to them and effectively > eight different subnets would be considered local here, all of them > could 'pass' this router. > > only one of the core routers is exporting netflows as of now. > > here's my simple configuration to measure the traffic that's for > the 'internet' or 0.0.0.0/0 destination. > > http://nopaste.php-q.net/128728 > > two of the atm-subinterfaces on that router are connected different > locations in germany each and carry all the traffic intended for the > internet, so it could go through either of them. > > now the question is: > > the measured traffic is less than what cricket (another rrd-frontend) > is displaying. not by a whole lot but about 2-3 mbit/s per direction > seems to be missing. > > am i doing something wrong here, like misunderstanding a basic netflow > concept or are those discrepancies considered normal because of neither > method being entirely accurate? > > any help would be appreciated, i'm out of ideas pretty much. fiddled > around with the 'all localsubnets' and also the two subinterfaces by > index only but regardless of those changes, the traffic doesn't seem to > be equal to the cricket value. > > thanks in advance, > > sven > > > ------------------------------------------------------- > This SF.Net email is sponsored by: New Crystal Reports XI. > Version 11 adds new functionality designed to reduce time involved in > creating, integrating, and deploying reporting solutions. Free runtime info, > new features, or free trial, at: http://www.businessobjects.com/devxi/728 > _______________________________________________ > Jkflow-users mailing list > Jkflow-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/jkflow-users -- Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu and say "unsubscribe flowscan" in message body Archive http://net.doit.wisc.edu/~plonka/list/flowscan/archive/
This archive was generated by hypermail 2b25 : Tue Apr 19 2005 - 09:03:48 CDT