[71730] in North American Network Operators' Group
Re: Netflow/flowscan
daemon@ATHENA.MIT.EDU (Per Gregers Bilse)
Tue Jun 22 07:30:48 2004
From: Per Gregers Bilse <bilse@networksignature.com>
Date: Tue, 22 Jun 2004 12:29:45 +0100
In-Reply-To: <10f379910406212310416e34c@mail.gmail.com>
To: andrew matthews <exstatica@gmail.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
On Jun 21, 11:10pm, andrew matthews <exstatica@gmail.com> wrote:
> Anyone ever done some major flowscan stuff?
Flowscan is perl, isn't it?
> We tried it once for a while and we had so much traffic our dual zeon
> 3.06ghz system couldn't keep up. The flows just started getting more
How much traffic do you have?
> and more behind... anyone ever succesfully graphed large amounts of
> data? If so what kind of systems did you use and what type of
> capture/processor layout did you have?
It's much more a question of the software than the hardware. We use
Athlons (and Opterons if necessary) for architectural reasons (much
better at the mboard level), but that doesn't matter. A single 3GHz
Intel processor can handle unsampled flow data from up to 10Gbps source
network traffic, but the software has to start with 'int main', not
"#!/usr/bin/perl" or "class virtualServlet" or some such.-)
You can't sample? Sampling is a much more scaleable solution than throwing
hardware at the problem. A lot of people fear they miss out on important
things if they sample, but unless you need bean counter accuracy you're
fine (ie, 99% accuracy is generally good enough).
Best,
-- Per
