netflow is correct but interface counters lie?!

From: Christian Hammers (ch@westend.com)
Date: Wed Feb 28 2001 - 05:49:36 PST

    Hello list

    During the validation of our and CAIDA's netflow software I checked against
    the interface counters of a Cisco's Serial interface (using HDLC) and found
    that it does display "wrong" values. E.g.

      ping -c 1 -s 1 212.117.XXX.XXX

    should result in two packets, each 29 bytes long (20 IP + 8 ICMP + 1 Data).
    The SNMP interface statistics show me

      interfaces.ifTable.ifEntry.ifInOctets.3: 203460178 -> 203460211 (+33)
      interfaces.ifTable.ifEntry.ifOutOctets.3: 55086656 -> 55086689 (+33)
      interfaces.ifTable.ifEntry.ifInUcastPkts.3: 176971 -> 176972 (+1)
      interfaces.ifTable.ifEntry.ifOutUcastPkts.3: 139830 -> 139831 (+1)
      interfaces.ifTable.ifEntry.ifInNUcastPkts.3: 1283 -> 1283 (+0)
      interfaces.ifTable.ifEntry.ifOutNUcastPkts.3: 0 -> 0 (+0)
      interfaces.ifTable.ifEntry.ifInDiscards.3: 0 -> 0 (+0)
      interfaces.ifTable.ifEntry.ifOutDiscards.3: 0 -> 0 (+0)
      interfaces.ifTable.ifEntry.ifInErrors.3: 0 -> 0 (+0)
      interfaces.ifTable.ifEntry.ifOutErrors.3: 0 -> 0 (+0)

    This is 4 bytes too much. I encounter this +4 bytes with UDP packets, too.
    Does it measure HDLC, too? Can I get the raw IP counter with SNMP?
    Strangely this +4 rule cannot be applied every time. Especially with TCP data
    I have varying values, even different delta values for input and output.
    Any help's appreciated!

    TIA & bye,

     -christian-
    :w

    -- 
    Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
    ch@westend.com     Internet & Security for Professionals    Fax 0241/911879
               WESTEND ist CISCO Systems Partner - Premium Certified
    --
    cflowd mailing list
    cflowd@caida.org
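
Added example, not part of the original message: a small Python check that parses "before -> after" counter lines like the ones quoted above, takes wrap-safe Counter32 deltas, and reports the average non-IP bytes per packet for a known layer-3 byte total (here the 29-byte ping; in practice the NetFlow byte sum for the same interval). It rests on RFC 1213 defining ifInOctets/ifOutOctets as including framing characters; reading the +4 as the 4-byte Cisco HDLC header (address, control, 2-byte protocol type) is an assumption, and the function names are hypothetical.

```python
import re

# Constructed input: four of the counter lines quoted in the message above.
SAMPLE = """\
interfaces.ifTable.ifEntry.ifInOctets.3: 203460178 -> 203460211 (+33)
interfaces.ifTable.ifEntry.ifOutOctets.3: 55086656 -> 55086689 (+33)
interfaces.ifTable.ifEntry.ifInUcastPkts.3: 176971 -> 176972 (+1)
interfaces.ifTable.ifEntry.ifOutUcastPkts.3: 139830 -> 139831 (+1)
"""

COUNTER32_MOD = 2 ** 32  # MIB-II interface counters are 32-bit and wrap
LINE_RE = re.compile(r"\.(if\w+)\.(\d+):\s*(\d+)\s*->\s*(\d+)")


def counter_delta(before, after):
    """Delta between two Counter32 samples, tolerating a single wrap."""
    return (after - before) % COUNTER32_MOD


def parse_deltas(text):
    """Return {(object_name, ifIndex): delta} from 'before -> after' lines."""
    deltas = {}
    for match in LINE_RE.finditer(text):
        name, index, before, after = match.groups()
        deltas[(name, int(index))] = counter_delta(int(before), int(after))
    return deltas


def per_packet_overhead(deltas, if_index, direction, ip_bytes):
    """Average non-IP bytes per packet. ip_bytes is the layer-3 total for
    the interval, e.g. the byte sum NetFlow reports for the same flows."""
    octets = deltas[(f"if{direction}Octets", if_index)]
    packets = deltas[(f"if{direction}UcastPkts", if_index)]
    if packets == 0:
        raise ValueError("no packets counted in this interval")
    return (octets - ip_bytes) / packets


if __name__ == "__main__":
    d = parse_deltas(SAMPLE)
    for direction in ("In", "Out"):
        # 29 = 20 IP + 8 ICMP + 1 data, as stated in the message
        print(direction, per_packet_overhead(d, 3, direction, ip_bytes=29))
```

A non-constant result over a longer interval means other traffic (keepalives, routing updates, packets not exported as flows) shared the interface during the measurement, so the comparison is only meaningful on a quiet link or against a complete flow total.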
    



    This archive was generated by hypermail 2b29 : Wed Feb 28 2001 - 06:15:09 PST