Re: netflow differs from snmp interface accounting

From: Christian Hammers (ch@westend.com)
Date: Wed Mar 07 2001 - 00:30:58 PST

  • Next message: Mark Manuel C. Ramos: "Re: netflow differs from snmp interface accounting"

    Hello list

    This might be of general interest.

    On Wed, Mar 07, 2001 at 11:03:43AM +0800, Mark Manuel C. Ramos wrote:
    ...
    > but when I calculated for the amount of traffic, it's still off.
    > e.g. snmp traffic is =~ 10 Mb/s but netflow traffic =~ 2.6 Mb/s. I think
    > cflow and netflow doing some magic eh :)

    I solved the riddle this week at least partially: SNMP accounts not only IP
    but also Layer#2 which is in case of routers normally HDLC for PRI leased lines
    and PPP for dialup connections or BRI leased lines.
    Cisco clearly states this in their SNMP FAQ, too, but sadly I cannot find
    any information how much the overhead is.

    I got packages with reproduceably 4 Bytes overhead and some with 10 Bytes.
    I measured the SNMP Counter, Netflow and my localhost's Ethereal simultaneously
    - the package counter was the same, the byte flow not.

    In addition SNMP counts various keep alive packeges, Cisco's CDP multicast
    packeges and whatever non-IP traffic is on the line, too.

    HTH

    bye,

     -christian-

    P.S.: Has anybody a good formular to calculate HDLC/PPP overhead?

    -- 
    Christian Hammers    WESTEND GmbH - Aachen und Dueren     Tel 0241/701333-0
    ch@westend.com     Internet & Security for Professionals    Fax 0241/911879
               WESTEND ist CISCO Systems Partner - Premium Certified
    --
    cflowd mailing list
    cflowd@caida.org
    



    This archive was generated by hypermail 2b29 : Wed Mar 07 2001 - 00:39:40 PST