netflow and snmp data.

Unanswered Question
Feb 24th, 2009

Dear all.


Our customer site runs a netflow application.

Their application has seen netflow traffic and snmp traffic.

I know that snmp traffic is bigger than netflow data.

But our customer wants to see both data similarly.

So I found netflow sampling.

Does anyone know whether the netflow sampling method can do it?


Points:

1. I want to know whether netflow traffic and snmp traffic can be seen similarly.

2. Can netflow sampling resize netflow traffic?

Thanks again







Giuseppe Larosa Wed, 02/25/2009 - 00:30

Hello Young,

Netflow sampling was introduced to allow monitoring of netflow flows with a reduced performance penalty.

The reasoning is that long-lived flows should be tracked even if only one packet of N is diverted to the netflow engine.

The N normally used is 10 to 1000.

Short-lived flows like a DNS request can be missed, but the general picture should be reasonably accurate enough for traffic engineering purposes.

The targets for Netflow sampling are the linecards of very high-end routers like GSR (12000).

Later, a different sampling method for software-based routers was introduced, called random sampling.


see


http://www.cisco.com/en/US/docs/ios/netflow/configuration/guide/ios_netflow_roadmap_ps6350_TSD_Products_Configuration_Guide_Chapter.html



With netflow sampling, netflow data and SNMP data become even more different.

To compare data you need to multiply by the sampling factor N, and then you may need to convert traffic volumes expressed in bytes to average bit rates (as the ones expressed using SNMP MIB variables by MRTG or other monitoring tools).

To do this you need to know the time window in which netflow data traffic has been aggregated.

The sum of all Netflow flows should be near to the SNMP data on the interface.

Some years ago, when I did my first tests on Netflow, I did test labs and I compared netflow data and SNMP MIBs with good results: in those simple tests with standard Netflow they matched exactly.

This is something you could do for the customer to convince them of the accuracy of netflow data.


Hope to help

Giuseppe


Leeyoungsoo Wed, 02/25/2009 - 01:13

Dear

I really thank you for explaining to me.

As you know, my English is very poor,

so can you explain to me once again in detail?

Thank you again.

Giuseppe Larosa Wed, 02/25/2009 - 01:32

Hello Young,

I'll try to keep it simple:

With sampling, only one packet every 1000 is processed by the netflow engine.

So the traffic volumes seen by netflow are reduced by the same factor (1000 for example).

So to compare with SNMP data you need at least to multiply volumes by the same factor.

If netflow has seen 12000 bytes and the sampling factor is 1000, we can say that the real traffic volume was

12000*1000 = 12000000 bytes


When you compare netflow data and SNMP data you may need to perform some math operations (conversions).


Hope to help

Giuseppe
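
The comparison described in the replies above, as an added example that is not part of the thread or any poster's code: sampled flow bytes are multiplied by N and turned into an average bit rate over the aggregation window, then set against the rate derived from two SNMP octet-counter polls. The function names, the flow tuple layout and all sample values are assumptions made for this illustration.

```python
# Added example; FLOWS and the counter readings are constructed sample data.

def snmp_bps(octets_t0, octets_t1, seconds, counter_bits=64):
    """Average bit rate between two polls of an interface octet counter.

    The modulo absorbs one wrap of the counter (32-bit ifInOctets wraps
    quickly on fast links; 64-bit ifHCInOctets rarely does).
    """
    delta = (octets_t1 - octets_t0) % (1 << counter_bits)
    return delta * 8 / seconds

def netflow_bps(flows, sampling_n, win_start, win_end):
    """Estimated average bit rate from sampled flow records.

    Each flow is (start_s, end_s, sampled_bytes). Bytes are spread evenly
    over the flow lifetime and only the share inside the window is counted,
    so flows that straddle the window edge are not counted in full.
    """
    sampled = 0.0
    for start, end, sampled_bytes in flows:
        if end <= start:                       # single-packet flow
            share = 1.0 if win_start <= start < win_end else 0.0
        else:
            overlap = min(end, win_end) - max(start, win_start)
            share = max(overlap, 0) / (end - start)
        sampled += sampled_bytes * share
    # Undo the 1-in-N sampling, then bytes -> bits -> bits per second.
    return sampled * sampling_n * 8 / (win_end - win_start)

def relative_gap(flow_rate, snmp_rate):
    """Fractional difference between the two estimates."""
    return abs(flow_rate - snmp_rate) / snmp_rate

# Constructed records for one 300 s window with 1-in-1000 sampling.
FLOWS = [
    (0, 300, 12000),    # long flow, entirely inside the window
    (200, 400, 6000),   # half of its lifetime falls inside the window
    (100, 100, 1500),   # single sampled packet
    (350, 360, 9000),   # outside the window, ignored
]

if __name__ == "__main__":
    nf = netflow_bps(FLOWS, 1000, 0, 300)
    # Constructed 32-bit counter readings that wrap between the two polls.
    sn = snmp_bps(4294000000, 15832704, 300, counter_bits=32)
    print(f"netflow ~{nf:.0f} bps, snmp {sn:.0f} bps, gap {relative_gap(nf, sn):.1%}")
```
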

