[flow-tools] Version 8 Accuracy?
Darren Smith
data@barrysworld.com
Tue, 17 Dec 2002 11:29:17 -0000
This is a multi-part message in MIME format.
------=_NextPart_000_0061_01C2A5BF.88FB6AB0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hi folks
Just a quick question to ask why my data is wildly inaccurate.
I'm using Cisco 7401 routers and the latest IOS, that was recommended by =
Cisco for netflow support.
I've been capturing data from 3 formats, Version5, Version 8.1 & Version =
8.2.
What i'm trying to work out is why the data varies so much, in terms of =
number of flows/octets/packets.
6104 -rw-r--r-- 1 netflow netflow 6236050 Dec 17 10:45 =
ft-v05.2002-12-17.103000+0000
6 -rw-r--r-- 1 netflow netflow 5655 Dec 17 10:45 =
ft-v08m01.2002-12-17.103001+0000
120 -rw-r--r-- 1 netflow netflow 106610 Dec 17 10:45 =
ft-v08m02.2002-12-17.103001+0000
All formats were recorded at the same time:
RESULTS - VERSION 8: PROTOCOL/PORT=20
flow-stat < ft-v08m02.2002-12-17.103001+0000
# --- ---- ---- Report Information --- --- ---
Total Flows : 10295
Total Octets : 120494986
Total Packets : 300716
Total Time (1/1000 secs) (flows): 76336528
Duration of data (realtime) : 892
Duration of data (1/1000 secs) : 2635936
Average flow time (1/1000 secs) : 7414.0000
Average packet size (octets) : 400.0000
Average flow size (octets) : 11704.0000
Average packets per flow : 29.0000
Average flows / second (flow) : 3.9070
Average flows / second (real) : 11.5415
Average Kbits / second (flow) : 365.8292
Average Kbits / second (real) : 1080.6725
VERSION 8: AS
flow-stat < ft-v08m01.2002-12-17.103001+0000
# --- ---- ---- Report Information --- --- ---
Total Flows : 8652
Total Octets : 107648685
Total Packets : 286225
Total Time (1/1000 secs) (flows): 27977956
Duration of data (realtime) : 896
Duration of data (1/1000 secs) : 2638076
Average flow time (1/1000 secs) : 3233.0000
Average packet size (octets) : 376.0000
Average flow size (octets) : 12442.0000
Average packets per flow : 33.0000
Average flows / second (flow) : 3.2798
Average flows / second (real) : 9.6562
Average Kbits / second (flow) : 326.4555
Average Kbits / second (real) : 961.1490
VERSION 5: ALL
flow-stat < ft-v05.2002-12-17.103000+0000
# --- ---- ---- Report Information --- --- ---
Total Flows : 324870
Total Octets : 5477546032
Total Packets : 8675132
Total Time (1/1000 secs) (flows): 2522453479
Duration of data (realtime) : 900
Duration of data (1/1000 secs) : 2715433
Average flow time (1/1000 secs) : 7764.0000
Average packet size (octets) : 631.0000
Average flow size (octets) : 16860.0000
Average packets per flow : 26.0000
Average flows / second (flow) : 119.6575
Average flows / second (real) : 360.9667
Average Kbits / second (flow) : 16140.0987
Average Kbits / second (real) : 48689.2976
I would have thought the values should have been similar? not identical =
perhaps due to the slight time differences...
Incidentally, there were 326 lost flows in the 'version5 export' and 0 =
lost flows in the other two.
Any help would be appreciated.
Regards
Darren Smith
Game Digital Ltd
------=_NextPart_000_0061_01C2A5BF.88FB6AB0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hi folks</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Just a quick question to ask why my =
data is wildly=20
inaccurate.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I'm using Cisco 7401 routers and the =
latest IOS,=20
that was recommended by Cisco for netflow support.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I've been capturing data from 3 =
formats, Version5,=20
Version 8.1 & Version 8.2.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>What i'm trying to work out is why the =
data varies=20
so much, in terms of number of flows/octets/packets.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>6104 -rw-r--r-- 1 netflow =
netflow =20
6236050 Dec 17=20
10:45 ft-v05.2002-12-17.103000+0000<BR>6 &nbs=
p;=20
-rw-r--r-- 1 netflow netflow =20
5655 Dec 17 10:45 =20
ft-v08m01.2002-12-17.103001+0000<BR>120 -rw-r--r-- =20
1 netflow netflow 106610 Dec 17 10:45 =20
ft-v08m02.2002-12-17.103001+0000<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>All formats were recorded at the same=20
time:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>RESULTS - VERSION 8: PROTOCOL/PORT =
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>flow-stat <=20
ft-v08m02.2002-12-17.103001+0000<BR># --- ---- ---- Report =
Information ---=20
--- ---<BR></FONT><FONT face=3DArial size=3D2>Total=20
Flows &n=
bsp; =20
: 10295<BR>Total=20
Octets &=
nbsp; =20
: 120494986<BR>Total=20
Packets =
=20
: 300716<BR>Total Time (1/1000 secs) (flows): 76336528<BR>Duration of =
data =20
(realtime) : 892<BR>Duration of data (1/1000 =
secs) :=20
2635936<BR>Average flow time (1/1000 secs) : 7414.0000<BR>Average packet =
size=20
(octets) : 400.0000<BR>Average flow size=20
(octets) : 11704.0000<BR>Average packets =
per=20
flow : 29.0000<BR>Average =
flows /=20
second (flow) : 3.9070<BR>Average flows / second =
(real) =20
: 11.5415<BR>Average Kbits / second (flow) : =
365.8292<BR>Average=20
Kbits / second (real) : 1080.6725<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>VERSION 8: AS</FONT></DIV>
<DIV><FONT face=3DArial size=3D2> </DIV></FONT>
<DIV><FONT face=3DArial size=3D2>flow-stat <=20
ft-v08m01.2002-12-17.103001+0000<BR># --- ---- ---- Report =
Information ---=20
--- ---<BR></FONT><FONT face=3DArial size=3D2>Total=20
Flows &n=
bsp; =20
: 8652<BR>Total=20
Octets &=
nbsp; =20
: 107648685<BR>Total=20
Packets =
=20
: 286225<BR>Total Time (1/1000 secs) (flows): 27977956<BR>Duration of =
data =20
(realtime) : 896<BR>Duration of data (1/1000 =
secs) :=20
2638076<BR>Average flow time (1/1000 secs) : 3233.0000<BR>Average packet =
size=20
(octets) : 376.0000<BR>Average flow size=20
(octets) : 12442.0000<BR>Average packets =
per=20
flow : 33.0000<BR>Average =
flows /=20
second (flow) : 3.2798<BR>Average flows / second =
(real) =20
: 9.6562<BR>Average Kbits / second (flow) : =
326.4555<BR>Average=20
Kbits / second (real) : 961.1490<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>VERSION 5: ALL</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>flow-stat <=20
ft-v05.2002-12-17.103000+0000<BR># --- ---- ---- Report =
Information ---=20
--- ---<BR>Total=20
Flows &n=
bsp; =20
: 324870<BR>Total=20
Octets &=
nbsp; =20
: 5477546032<BR>Total=20
Packets =
=20
: 8675132<BR>Total Time (1/1000 secs) (flows): 2522453479<BR>Duration of =
data (realtime) : 900<BR>Duration of data =
(1/1000=20
secs) : 2715433<BR>Average flow time (1/1000 secs) : =
7764.0000<BR>Average=20
packet size (octets) : 631.0000<BR>Average flow size=20
(octets) : 16860.0000<BR>Average packets =
per=20
flow : 26.0000<BR>Average =
flows /=20
second (flow) : 119.6575<BR>Average flows / second=20
(real) : 360.9667<BR>Average Kbits / second =
(flow) :=20
16140.0987<BR>Average Kbits / second (real) :=20
48689.2976<BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I would have thought the values should =
have been=20
similar? not identical perhaps due to the slight time=20
differences...</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Incidentally, there were 326 lost flows =
in the=20
'version5 export' and 0 lost flows in the other two.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Any help would be =
appreciated.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Regards</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Darren Smith</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Game Digital =
Ltd</DIV></FONT></BODY></HTML>
------=_NextPart_000_0061_01C2A5BF.88FB6AB0--