Hi Evgeny,

Hmm .. difficult to tell. sfcapd simply reports what it gets from the exporter. The amount of data in bytes is extrapolated according to the sampling rate. In the event of a DDoS attack, there are many potential bottlenecks. So it's not easy to pinpoint the reason.
- Peter

On 22.10.15 12:52, Evgeny Vainerman wrote:
> Hi All
>
> I'm using Cisco NX-OS(tm) n3000 Switch, Software (n3000-uk9), Version
> 6.0(2)U2(3).
>
> My sflow setting is as follows:
>
> sflow sampling-rate 5000
> sflow max-datagram-size 2000
> sflow collector-ip X.X.X.X vrf management
> sflow collector-port NNNN
> sflow agent-ip Y.Y.Y.Y
>
> Recently I've got a DDoS attack.
> PRTG has shown incoming traffic of ~27 Gbit/sec during ~10 minutes.
>
> sFlow reported more than 10K flows in one minute, each one's duration is 0.0
> However, the total reported traffic is ~3.6 Gbit/sec:
>
> Summary: total flows: 11292, total bytes: 27533130000, total packets:
> 56460000, avg bps: 3672369329, avg pps: 941329, avg bpp: 487
> Time window: 2015-10-21 11:25:00 - 2015-10-21 11:25:59
>
> What can be the reason for such a gap?
>
> -
> Thanks,
> Evgeny
>
> _______________________________________________
> Nfdump-discuss mailing list
> Nfdump-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

--
Be nice to your netflow data. Use NfSen and nfdump :)
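Added example, not part of the original thread and not nfdump code: it undoes the sampling-rate extrapolation Peter describes, using the summary line and `sflow sampling-rate 5000` from the quoted message, and checks whether statistical sampling error could account for the gap to the PRTG figure. The 196 * sqrt(1/c) bound is the 95% packet-sampling error estimate from sFlow sampling theory, applied here as an assumption; the function names are hypothetical.

```python
import math
import re

# Values copied from the quoted message above.
SUMMARY = ("Summary: total flows: 11292, total bytes: 27533130000, "
           "total packets: 56460000, avg bps: 3672369329, "
           "avg pps: 941329, avg bpp: 487")
SAMPLING_RATE = 5000      # "sflow sampling-rate 5000"
REFERENCE_BPS = 27e9      # ~27 Gbit/sec shown by PRTG


def parse_summary(line):
    """Turn an nfdump 'Summary:' line into a dict of integer fields."""
    pairs = re.findall(r"([a-z ]+): (\d+)", line)
    return {key.strip(): int(value) for key, value in pairs}


def unscale(summary, rate):
    """Undo the collector's extrapolation to see what the exporter delivered."""
    return {
        "samples": summary["total packets"] // rate,
        "sampled_bytes": summary["total bytes"] // rate,
        # Seconds the byte total was averaged over, implied by avg bps.
        "window_s": summary["total bytes"] * 8 / summary["avg bps"],
    }


def sampling_error_pct(samples):
    """Assumed 95% confidence bound on sampling error for c samples."""
    return 196 * math.sqrt(1 / samples)


def gap_report(line, rate, reference_bps):
    """Compare the scaled sFlow estimate (plus error bound) with a reference."""
    summary = parse_summary(line)
    raw = unscale(summary, rate)
    err = sampling_error_pct(raw["samples"])
    upper_bps = summary["avg bps"] * (1 + err / 100)
    return {
        **raw,
        "error_pct": err,
        # True when every record is a single sample scaled by the rate.
        "one_sample_per_record": raw["samples"] == summary["total flows"],
        "explained_by_sampling": reference_bps <= upper_bps,
    }


if __name__ == "__main__":
    for name, value in gap_report(SUMMARY, SAMPLING_RATE, REFERENCE_BPS).items():
        print(f"{name}: {value}")
```

With the thread's numbers, the collector received 11292 samples in the minute, one per record, and the error bound is under 2%, so sampling error alone does not cover the difference between ~3.6 and ~27 Gbit/sec.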