[88485] in North American Network Operators' Group
Re: Interesting netflow entry
daemon@ATHENA.MIT.EDU (Bill Nash)
Tue Feb 7 14:21:11 2006
Date: Tue, 7 Feb 2006 14:13:18 -0500 (EST)
From: Bill Nash <billn@odyssey.billn.net>
To: "Christopher L. Morrow" <christopher.morrow@verizonbusiness.com>
Cc: Wil Schultz <wschultz@wilcomm.net>, nanog@nanog.org
In-Reply-To: <Pine.GSO.4.58.0602071832370.23094@marvin.argfrp.us.uu.net>
Errors-To: owner-nanog@merit.edu
On Tue, 7 Feb 2006, Christopher L. Morrow wrote:
>>
>> Are you sure you're getting everything?
>
> he did previously state he was only using about 120mbps... and it'd depend
> upon his/your sample rates as well...
Missed that part. Even so, 120mbps of actual usage, I would expect to see
a higher volume. Sampling would definitely bring this down a bit, but for
a volume that small, why bother sampling? You'll miss too much.
One problem I had while checking out various packages, flow-tools
specifically, is that some can't handle differing flow versions. Also,
flow generation from a routing-capable 6509 is configured in two different
places, so the potential to lose flow traffic due to poor documentation
(of both the collector and the generator) definitely exists. Flow-tools
picks which version it processes based on the version of the first flow
packet it receives, and then discards all else.
- billn
