RE: packet sampling flow export (was "Re: Juniper cflowd")

From: Mark Borchers (mborchers@splitrock.net)
Date: Mon Nov 13 2000 - 06:50:17 PST

  • Next message: Luong Tang: "cflowdmux not collecting data, with no error messages"

    The advice I received was that a sampling rate of 1 will cause
    all packets to be sampled, but that Juniper doesn't recommend
    it with their high speed SONET interfaces. We're probably going
    to use 1000 or 10,000, and then just apply a factor to the
    reduced data if we need an approximation of absolute data flow
    volumes.

    > -----Original Message-----
    > From: Dave Plonka [mailto:plonka@doit.wisc.edu]
    > Sent: Saturday, November 11, 2000 3:11 PM
    > To: cflowd@caida.org; flowscan@net.doit.wisc.edu
    > Cc: Mark Borchers; jtk@aharp.is-net.depaul.edu
    > Subject: packet sampling flow export (was "Re: Juniper cflowd")
    >
    >
    > On Fri, Nov 10, 2000 at 08:17:58AM -0600, Mark Borchers wrote:
    > > According to a Juniper engineer, the records exported by
    > > their routers are exactly the same a Cisco Netflow export
    > > messages.
    > >
    > > You can control the rate at which traffic is sampled under
    > > "forwarding-options sampling input family inet rate"
    >
    > This sounds like the equivalent of the IOS packet sampling on
    > the Cisco
    > GSR:
    >
    > ip route-cache flow sampled
    > ip flow-sampling-mode packet-interval <value>
    >
    > In JUNOS, is it possible to configure it to sample every packet for
    > version 5 flow export? (I may be able to experiment with
    > FlowScan with
    > flows from a Juniper M20 later this month...)
    >
    > Recent experimentation that a colleague has been doing with a GSR with
    > OC48 POS interfaces, running 12.0(13.3)S, shows that the most frequent
    > sampling rate he can select for the OC48 POS interface is 1 packet in
    > 10.
    >
    > I'm curious about all this because it will influence how we
    > post-process the flow data w/cflowd and other tools.
    >
    > For instance, some of FlowScan's CampusIO report application detection
    > expects to be seeing every packet in the flow records, so I
    > may need to
    > loosen up some of the rules in FlowScan if the flows are based on
    > packet sampling. Also, the resulting graphs need to be scaled
    > accordingly (and labeled as "estimates" based on sampling, so I
    > probably need to introduce another RRD that stores the sampling rate.
    >
    > Anyone know if the current sampling rate (on the Cisco or Juniper) is
    > available via SNMP?
    >
    > Thanks,
    > Dave
    >
    > --
    > plonka@doit.wisc.edu http://net.doit.wisc.edu/~plonka
    > ARS:N9HZF Madison, WI
    >

    --
    cflowd mailing list
    cflowd@caida.org
    



    This archive was generated by hypermail 2b29 : Mon Nov 13 2000 - 07:23:38 PST