Re: Sudden dip in traffic

From: Martin van den Nieuwelaar (martin@gadgets.co.nz)
Date: Tue Jul 24 2001 - 13:15:31 PDT

Next message: Jeffrey Papen: "Re: Cat6k-MSFC2 and netflow"

Previous message: Olney, Matthew: "Sudden dip in traffic"
In reply to: Olney, Matthew: "Sudden dip in traffic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Matt,

I would suggest checking the flow of Netflow Exports into the
collector. The problem may be upstream of the collector, and so it's
worth eliminating this possibility. If you run some utility like
tcpdump (also on the collector), you can get a rough idea of the
number of flows coming in. Something like "tcpdump 'udp port 2055'
>some_file" (untested) should pick up Netflow Exports on the default port. After collecting for some time you should have enough data to run through a simple Perl script that counts up and displays the number of bytes for each 5 minute period.

If your collector is too busy to handle the extra load the tcpdump
introduces, and you are forced to run it on a different machine on the
same LAN, remember that switches usually send traffic only to the one
port the traffic is destined for. :-)

Hope this helps,

-Martin

"Olney, Matthew" wrote:
>
> All,
>
> I am collecting data from three Cisco 7206s. When I first kick off
> cflowdmux and cflowd, they gather files of about 27 Mb over 5 minutes. I'm
> using the flowscan patched version, so I'm dropping 5 minute datafiles.
> When it first begins, flowscan takes about 3 minutes to process the data.
> After about 30 minutes, there is an abrupt drop in data...there is still
> some data flowing, but very, very little. It then takes 20 seconds for the
> flowscan application to process the data. This drop is evident both in the
> graphs produced by flowscan, the time flowscan takes to process the 5 minute
> files, and the size of the 5 minute files. Because the 5 minute file size
> is small, I'm thinking there is a problem with the cflow set of programs.
>
> I am using cflowd-2-1-b1, on FreeBSD 4.3. This is the second box I've tried
> this on, both with the same sudden drop in traffic.
>
> Does anyone have any idea what is going on with this. Let me know if there
> is other information I can provide.
>
> Thanks,
>
> Matt
> --
> cflowd mailing list
> cflowd@caida.org

-- 
E-Mail: martin@gadgets.co.nz
Expert traffic analysis and visualisation
xenaphobia: The fear of being beaten to a pulp by
a leather-clad, New Zealand woman
--
cflowd mailing list
cflowd@caida.org

Next message: Jeffrey Papen: "Re: Cat6k-MSFC2 and netflow"
Previous message: Olney, Matthew: "Sudden dip in traffic"
In reply to: Olney, Matthew: "Sudden dip in traffic"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Tue Jul 24 2001 - 13:27:54 PDT