Subject: Re: [Jkflow-users] measured traffic differs from other tools, am i missing something?
From: Gustavo Rodrigues Ramos (gustavo@acmesecurity.org)
Date: Wed Apr 20 2005 - 19:49:01 CDT
I'm using JKFlow and MRTG to watch my traffic and I'm seeing the same thing: about 3 mbit/s is missing in the flowscan/jkflow graphs. note: I haven't got mpls enabled in my network. Gustavo. jurgen kobierczynski wrote: > Just a lucky guess: Is it possible that this discrepancy between cricket and > netflow monitored traffic is caused by mpls switched traffic not reported by > Netflow? > > Jurgen > > ----- Original Message ----- > From: "Gustavo Rodrigues Ramos" <gustavo@acmesecurity.org> > To: "Sven Juergensen" <sjuergensen@tng.de> > Cc: <jkflow-users@lists.sourceforge.net>; <flowscan@net.doit.wisc.edu> > Sent: Tuesday, April 19, 2005 3:57 PM > Subject: Re: [Jkflow-users] measured traffic differs from other tools, am i > missing something? > > > >>Hi all, >> >>It seens to me that there is some kind of "problem" inside flowscan and >>not in any module (CUflow, CamposIO or JKFlow) itself. >> >>I'm copying this message to flowscan mailing-list. I hope they would >>explain this much better (sorry about the cross-posting). >> >>Regards, >>Gustavo. >> >> >>Sven Juergensen wrote: >> >>>hi people, >>> >>>on my quest for an adequate opensource netflow graphing/analyzing >>>tool i stumbled across jkflow. so far so good, i think i got the >>>configuration part down, but for some reason the graphs this module >>>produces don't fit those created by cricket. here's the situation: >>> >>>2 redundant core routers, several border routers located in germany, >>>amsterdam and vienna. all of them talking to each other via bgp. the >>>core routers have several networks connected to them and effectively >>>eight different subnets would be considered local here, all of them >>>could 'pass' this router. >>> >>>only one of the core routers is exporting netflows as of now. >>> >>>here's my simple configuration to measure the traffic that's for >>>the 'internet' or 0.0.0.0/0 destination. >>> >>>http://nopaste.php-q.net/128728 >>> >>>two of the atm-subinterfaces on that router are connected different >>>locations in germany each and carry all the traffic intended for the >>>internet, so it could go through either of them. >>> >>>now the question is: >>> >>>the measured traffic is less than what cricket (another rrd-frontend) >>>is displaying. not by a whole lot but about 2-3 mbit/s per direction >>>seems to be missing. >>> >>>am i doing something wrong here, like misunderstanding a basic netflow >>>concept or are those discrepancies considered normal because of neither >>>method being entirely accurate? >>> >>>any help would be appreciated, i'm out of ideas pretty much. fiddled >>>around with the 'all localsubnets' and also the two subinterfaces by >>>index only but regardless of those changes, the traffic doesn't seem to >>>be equal to the cricket value. >>> >>>thanks in advance, >>> >>>sven >>> >>> >>>------------------------------------------------------- >>>This SF.Net email is sponsored by: New Crystal Reports XI. >>>Version 11 adds new functionality designed to reduce time involved in >>>creating, integrating, and deploying reporting solutions. Free runtime > > info, > >>>new features, or free trial, at: > > http://www.businessobjects.com/devxi/728 > >>>_______________________________________________ >>>Jkflow-users mailing list >>>Jkflow-users@lists.sourceforge.net >>>https://lists.sourceforge.net/lists/listinfo/jkflow-users >> >> >>-- >>Help mailto:majordomo@net.doit.wisc.edu and say "help" in message > > body > >>Unsubscribe mailto:majordomo@net.doit.wisc.edu and say >>"unsubscribe flowscan" in message body >>Archive http://net.doit.wisc.edu/~plonka/list/flowscan/archive/ >> -- Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu and say "unsubscribe flowscan" in message body Archive http://net.doit.wisc.edu/~plonka/list/flowscan/archive/
This archive was generated by hypermail 2b25 : Wed Apr 20 2005 - 19:54:10 CDT