[flow-tools] Lost Flows

Mark Fullmer maf@splintered.net
Tue, 30 Apr 2002 23:45:33 -0400


o Drops at the router.  Use 'sh ip flow-export' on Ciscos.  Also
  with Cisco look at the output drops on the interface pointing towards
  the collector.

o Drops in the network.  Happy hunting.

o Drops at the collector.  On *BSD use netstat -s | grep 'buf', look for
  '0 dropped due to full socket buffers'.  On Solaris I think it's
  'udpInOverflows'.  Not sure about Linux.

If the drops are at the collector try reducing compression on flow-capture.
With FreeBSD I use rtprio to give flow-capture a better chance.  On
older collectors (P166's) this helped a lot.

I wouldn't be too concerned about 30 lost flows per day, that's probably
only one packet.  Use -S5 with flow-capture to generate data
every 5 minutes to syslog with the packets received/dropped/etc counters.
This also works with flow-fanout as of 0.57.

Another possibility for helping with a busy collector is to tweak the
kernel to allocate more receive buffers.  See a posting from Jos Backus
a few days ago about this.

mark

On Tue, Apr 30, 2002 at 05:22:13PM -0500, Poetzel, Christopher J. wrote:
> Hello Everyone,
>  
> I wanted to touch on the topic of lost flows.
> My first question would be:
>  
> Are people losing flows, and if so, how many and often?
>  
> I am seeing lost flows from different routers multiple times over every day.
> The number of lost flows is usually low, like 30 or 100.
>  
> When thinking of where this loss would occur, three places come to mind, the
> router/switch, during the delivery, or in the flow-tools software.
>  
> Before I dive into this mystery I thought I would pulse the group to see
> what thoughts or experiences are already out there.
>  
> Thanks 
>  
>  
> Chris Poetzel
> Argonne National Laboratory
> Network Engineer
> CCNA
>  
> 630-252-7431
> cpoetzel@anl.gov
>
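
An added example, not part of the original thread and not flow-tools code: a collector-side counter that derives lost flows from sequence gaps, which shows why a loss of 30 flows corresponds to a single dropped export packet. It assumes NetFlow v5 export (the thread does not name a version); `LossCounter`, `make_packet` and `demo` are hypothetical names, and the datagrams are constructed.

```python
import struct

# NetFlow v5 export header: version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # 24 bytes
V5_RECORD_LEN = 48                        # one flow record
V5_MAX_RECORDS = 30                       # records per export packet

def parse_v5_header(datagram):
    """Return (count, flow_sequence, engine_id) or raise ValueError."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    version, count, _, _, _, seq, _etype, engine_id, _ = V5_HEADER.unpack_from(datagram)
    if version != 5 or not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError("not a NetFlow v5 export packet")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD_LEN:
        raise ValueError("truncated records")
    return count, seq, engine_id

class LossCounter:
    """Track lost flows per (exporter, engine) from flow_sequence gaps."""
    def __init__(self):
        self.expected = {}   # key -> next flow_sequence we should see
        self.lost = {}       # key -> flows missing so far

    def feed(self, exporter, datagram):
        count, seq, engine_id = parse_v5_header(datagram)
        key = (exporter, engine_id)
        expected = self.expected.get(key)
        if expected is not None:
            gap = (seq - expected) & 0xFFFFFFFF      # counter wraps at 2**32
            if gap < 0x80000000:                     # forward jump: flows lost
                self.lost[key] = self.lost.get(key, 0) + gap
            # Backward jump: treated as an exporter restart, resync only.
        self.expected[key] = (seq + count) & 0xFFFFFFFF
        return self.lost.get(key, 0)

def make_packet(seq, count, engine_id=0):
    """Build a constructed v5 datagram with zeroed flow records."""
    hdr = V5_HEADER.pack(5, count, 0, 0, 0, seq, 0, engine_id, 0)
    return hdr + bytes(count * V5_RECORD_LEN)

def demo():
    """Constructed stream: the second of three full packets never arrives."""
    c = LossCounter()
    for seq in (1000, 1060):                # packet with seq 1030 dropped
        lost = c.feed("192.0.2.1", make_packet(seq, 30))
    return lost                             # 30 flows == one full packet
```

Late or reordered packets are counted as a restart here, so on a path that reorders UDP the total is an upper bound.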