Sampling rate changed unexpectedly #7

Closed
dbpalan opened this issue Jan 21, 2016 · 1 comment
dbpalan commented Jan 21, 2016

Our Juniper MX router has a jflow card installed to capture 1:1 netflow and send it to nfdump 1.6.12. After the first few minutes (about 2 to 5 minutes), the "Packets" and "Bytes" counts of the flow records are multiplied by 2, e.g. from "1 packet 40 bytes" to "2 packets 80 bytes". tcpdump confirms the traffic was multiplied.

Since the change occurred after a few minutes, many "template" packets had been received. I think the sampling rate change would not be due to the sampling rate reported. Please correct me if I am wrong.

The problem can be worked around by enforcing the nfcapd sampling rate (with parameter -s -1).

Below is the nfdump output; the first 11 lines of the dump are correct, while the lines after them are multiplied by 2.

```
Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes      pps      bps    Bpp Flows
2016-01-11 09:38:08.173     0.000 TCP       74.101.184.1:21317 ->      74.240.202.66:443   .A...F  48        1       40        0        0     40     1
2016-01-11 09:38:07.518     0.006 TCP       74.101.184.1:42478 ->      74.240.202.33:80    .A..SF  48        3      124      500   165333     41     1
2016-01-11 09:36:18.101    90.002 RSVP       74.83.63.32:0     ->      74.83.63.12:0     ...... 192          3      792        0       70    264     1
2016-01-11 05:18:13.186 15584.096 TCP        74.83.63.32:50455 ->      74.83.63.12:646   .AP... 224         16      976        0        0     61     1
2016-01-11 09:37:05.969     0.005 TCP       74.101.184.1:34445 ->      74.240.202.33:8443  .A..S.  48        2       84      400   134400     42     1
2016-01-11 09:36:13.831   103.997 RSVP       74.83.63.51:0     ->      74.83.63.11:0     ...... 192          5     1320        0      101    264     1
2016-01-11 09:37:05.622     0.013 TCP       74.101.184.1:41270 ->      74.240.202.66:443   .A....  48        2       80      153    49230     40     1
2016-01-11 09:37:06.559     0.021 TCP       74.101.184.1:34422 ->      74.240.202.34:443   .A..S.  48        3      124      142    47238     41     1
2016-01-11 09:37:06.405     0.007 TCP     74.101.184.250:48462 ->      74.240.202.66:443   .A..S.  48        2      112      285   128000     56     1
2016-01-11 09:38:08.023     0.000 TCP       74.101.184.1:42517 ->      74.240.202.34:443   .A...F  48        1       40        0        0     40     1
2016-01-11 09:38:08.008     0.000 TCP       74.101.184.1:42504 ->      74.240.202.74:443   .A...F  48        1       40        0        0     40     1
2016-01-11 09:37:06.467     0.008 TCP       74.101.184.1:34408 ->      74.240.202.70:443   .A..S.  48        2       84      250    84000     42     1
2016-01-11 09:38:07.976     0.006 TCP       74.101.184.1:20962 ->      74.240.202.33:8443  .A..SF  48        2       84      333   112000     42     1
2016-01-11 09:38:05.290     0.000 TCP       74.101.184.1:49182 ->      74.240.202.33:8443  .A...F  48        4      160        0        0     40     1
2016-01-11 09:37:06.448     0.000 TCP       74.101.184.1:12834 ->      74.240.202.34:443   ....S.  48        2       88        0        0     44     1
2016-01-11 09:37:06.668     0.011 TCP       74.101.184.1:41646 ->      74.240.202.33:80    .A....  48        4      160      363   116363     40     1
2016-01-11 09:38:08.994     0.009 TCP       74.101.184.1:42892 ->      74.240.202.66:443   .A..SF  48        6      248      666   220444     41     1
2016-01-11 09:38:09.789     0.000 TCP       74.101.184.1:49415 ->      74.240.202.66:443   .A...F  48        2       80        0        0     40     1
2016-01-11 09:38:13.044     0.009 TCP       74.101.184.1:43175 ->      74.240.202.70:443   .A..SF  48        6      248      666   220444     41     1
2016-01-11 09:38:07.977     0.000 TCP       74.101.184.1:42502 ->      74.240.202.70:443   .A...F  48        4      160        0        0     40     1
2016-01-11 09:38:10.031     0.000 TCP       74.101.184.1:49678 ->      74.240.202.70:443   .A...F  48        2       80        0        0     40     1
```

phaag (Owner) commented May 7, 2016

Actually it looks to me as if your device announces a sampling rate after a few minutes, which is not correct.
nfcapd keeps sampling rate 1 unless otherwise announced or overwritten by -s -(n).

@phaag phaag closed this as completed May 7, 2016
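
An added example, not part of the thread and not nfdump code: a heuristic check for the symptom reported above. When a collector multiplies counters by a sampling factor n, every Packets value becomes a multiple of n, so the first run of consecutive records whose packet counts share a divisor greater than 1 marks where scaling began. The field position, the window of 8 records and the sample addresses are assumptions; the packet counts are the ones in the dump above.

```python
from functools import reduce
from math import gcd

# Packets column of the 21 records in the dump above, in order.
PAGE_PACKETS = [1, 3, 3, 16, 2, 5, 2, 3, 2, 1, 1, 2, 2, 4, 2, 4, 6, 2, 6, 4, 2]

# Constructed records in nfdump "line" layout; addresses and bytes are made up.
SAMPLE = "\n".join(
    f"2016-01-11 09:38:08.173     0.000 TCP        192.0.2.1:40000 ->"
    f"    198.51.100.2:443   .A....  48 {p:8d} {p * 40:8d}        0        0     40     1"
    for p in PAGE_PACKETS
)

def packets_field(line):
    """Return the Packets column of one flow record, or None if not a record."""
    fields = line.split()
    # Assumed layout: date time duration proto src -> dst flags tos packets ...
    if len(fields) < 15 or fields[5] != "->":
        return None  # header, summary or blank line
    try:
        return int(fields[9])
    except ValueError:
        return None  # scaled values such as "1.2 M" are skipped

def first_scaled_window(counts, window=8):
    """Return (start_index, factor) of the first window of consecutive
    packet counts whose greatest common divisor exceeds 1, else None.

    Heuristic: unscaled traffic yields such a window by chance only when
    every flow in it happens to share a divisor, so widen the window to
    trade detection delay for fewer false alarms.
    """
    for start in range(len(counts) - window + 1):
        factor = reduce(gcd, counts[start:start + window])
        if factor > 1:
            return start, factor
    return None

def check_dump(text, window=8):
    """Parse nfdump text output and locate the onset of counter scaling."""
    counts = [p for p in map(packets_field, text.splitlines()) if p is not None]
    return first_scaled_window(counts, window)

if __name__ == "__main__":
    print(check_dump(SAMPLE))
```

On the counts from this issue the check reports record index 11 (the twelfth record) with factor 2, matching the reporter's observation that the first 11 lines are correct.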