Subject: Re: [Jkflow-users] measured traffic differs from other tools, am i missing something?
From: jurgen kobierczynski (jurgen.kobierczynski@pandora.be)
Date: Wed Apr 20 2005 - 17:03:37 CDT
Just a lucky guess: Is it possible that this discrepancy between cricket and netflow monitored traffic is caused by mpls switched traffic not reported by Netflow?

Jurgen

----- Original Message -----
From: "Gustavo Rodrigues Ramos" <gustavo@acmesecurity.org>
To: "Sven Juergensen" <sjuergensen@tng.de>
Cc: <jkflow-users@lists.sourceforge.net>; <flowscan@net.doit.wisc.edu>
Sent: Tuesday, April 19, 2005 3:57 PM
Subject: Re: [Jkflow-users] measured traffic differs from other tools, am i missing something?

> Hi all,
>
> It seems to me that there is some kind of "problem" inside flowscan and
> not in any module (CUflow, CamposIO or JKFlow) itself.
>
> I'm copying this message to flowscan mailing-list. I hope they would
> explain this much better (sorry about the cross-posting).
>
> Regards,
> Gustavo.
>
>
> Sven Juergensen wrote:
> > hi people,
> >
> > on my quest for an adequate opensource netflow graphing/analyzing
> > tool i stumbled across jkflow. so far so good, i think i got the
> > configuration part down, but for some reason the graphs this module
> > produces don't fit those created by cricket. here's the situation:
> >
> > 2 redundant core routers, several border routers located in germany,
> > amsterdam and vienna. all of them talking to each other via bgp. the
> > core routers have several networks connected to them and effectively
> > eight different subnets would be considered local here, all of them
> > could 'pass' this router.
> >
> > only one of the core routers is exporting netflows as of now.
> >
> > here's my simple configuration to measure the traffic that's for
> > the 'internet' or 0.0.0.0/0 destination.
> >
> > http://nopaste.php-q.net/128728
> >
> > two of the atm-subinterfaces on that router are connected to different
> > locations in germany each and carry all the traffic intended for the
> > internet, so it could go through either of them.
> >
> > now the question is:
> >
> > the measured traffic is less than what cricket (another rrd-frontend)
> > is displaying. not by a whole lot but about 2-3 mbit/s per direction
> > seems to be missing.
> >
> > am i doing something wrong here, like misunderstanding a basic netflow
> > concept or are those discrepancies considered normal because of neither
> > method being entirely accurate?
> >
> > any help would be appreciated, i'm out of ideas pretty much. fiddled
> > around with the 'all localsubnets' and also the two subinterfaces by
> > index only but regardless of those changes, the traffic doesn't seem to
> > be equal to the cricket value.
> >
> > thanks in advance,
> >
> > sven