Hi Peter,


My suspicion that the issue is related to the number of flows is wrong.

I generate udp traffic of ~2.7 Gbit/sec with iperf - same source, same destination:



iperf -c B.B.B.B -i 1 -b 4000M -t 400 -l 40000



sfcapd collects the data. All recorded flows look similar (5000 packets / 7.6M bytes each, Duration is 0.0):



Date first seen          Duration Proto    Src IP Addr:Port  Dst IP Addr:Port  Packets  Bytes Flows
2015-11-22 14:22:01.336     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1
2015-11-22 14:22:01.493     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1
2015-11-22 14:22:01.641     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1
2015-11-22 14:22:01.704     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1
2015-11-22 14:22:02.659     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1
2015-11-22 14:22:03.065     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1
...
2015-11-22 14:22:58.705     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1
2015-11-22 14:22:59.557     0.000 UDP      A.A.A.A:44573 ->   B.B.B.B:5001      5000    7.6 M     1





However, very low traffic is reported:



Summary: total flows: 115, total bytes: 872850000, total packets: 575000, avg bps: 119936105, avg pps: 9876, avg bpp: 1518
Time window: 2015-11-22 14:22:01 - 2015-11-22 14:22:59
Total flows processed: 115, Blocks skipped: 0, Bytes read: 7020
Sys: 0.004s flows/second: 23138.8    Wall: 0.003s flows/second: 33833.5



For testing purposes, I directed sFlow reports from the switch to PRTG and to sFlowTrend - both show the correct bandwidth with the same reporter.

It looks like sfcapd or nfdump loses the data. Is it possible that it ignores "too short" flows, even if they are reported?







-

Thanks,

Evgeny
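A way to put numbers on the question above: compare what the nfdump summary reports with an independent reference, and work out how many sFlow samples the collector should have received in that window. This is an added example, not part of the thread and not nfdump's own code. The summary and time-window lines are copied from the output above; the 2.7 Gbit/s reference (iperf's rate), the 1:5000 sampling rate from the switch configuration quoted further down, and the use of the summary's avg bpp as the packet size are assumptions made for this check.

```python
"""Cross-check an nfdump/sfcapd summary against an independent bandwidth reference.

Added example, not nfdump's code. The reference rate and sampling rate are
assumptions taken from the thread; avg bpp is assumed to be the packet size.
"""
import re
from datetime import datetime

# Constructed input: the summary block from the message above, verbatim.
SUMMARY_LINE = ("Summary: total flows: 115, total bytes: 872850000, "
                "total packets: 575000, avg bps: 119936105, avg pps: 9876, avg bpp: 1518")
WINDOW_LINE = "Time window: 2015-11-22 14:22:01 - 2015-11-22 14:22:59"

REFERENCE_BPS = 2.7e9   # what iperf was sending (assumption from the thread)
SAMPLING_RATE = 5000    # "sflow sampling-rate 5000" from the switch config


def parse_summary(line):
    """Extract the 'total ...' and 'avg ...' counters of an nfdump summary into a dict."""
    fields = {}
    for key, value in re.findall(r"\b(total \w+|avg \w+): (\d+)", line):
        fields[key.replace(" ", "_")] = int(value)
    if "total_flows" not in fields or "total_bytes" not in fields:
        raise ValueError("not an nfdump summary line: %r" % line)
    return fields


def window_seconds(line):
    """Length in seconds of the 'Time window: start - end' line (second resolution)."""
    m = re.search(r"Time window: (\S+ \S+) - (\S+ \S+)", line)
    if not m:
        raise ValueError("no time window found")
    start, end = (datetime.strptime(t, "%Y-%m-%d %H:%M:%S") for t in m.groups())
    return (end - start).total_seconds()


def check_sampling(summary_line, window_line, reference_bps, sampling_rate):
    """Compare reported traffic with the reference and estimate the sample shortfall."""
    s = parse_summary(summary_line)
    seconds = window_seconds(window_line)
    if seconds <= 0:
        raise ValueError("time window must span at least one second")

    reported_bps = s["total_bytes"] * 8 / seconds
    packets_per_flow = s["total_packets"] / s["total_flows"]

    # A 1:N sampled packet is extrapolated to N packets. If every record carries
    # exactly N packets, each record is a single sample, so the record count is
    # the number of samples that actually reached the collector.
    expected_samples = max(1, round(reference_bps * seconds / 8 / s["avg_bpp"] / sampling_rate))

    return {
        "window_seconds": seconds,
        "reported_bps": reported_bps,
        "reported_fraction": reported_bps / reference_bps,
        "packets_per_flow": packets_per_flow,
        "one_sample_per_record": packets_per_flow == sampling_rate,
        "expected_samples": expected_samples,
        "observed_records": s["total_flows"],
        "received_fraction": s["total_flows"] / expected_samples,
    }


if __name__ == "__main__":
    result = check_sampling(SUMMARY_LINE, WINDOW_LINE, REFERENCE_BPS, SAMPLING_RATE)
    for key, value in result.items():
        print("%-22s %s" % (key, value))
```

Run stand-alone, it reports the window as 58 s, about 120 Mbit/s reported against the 2.7 Gbit/s reference, exactly 5000 packets per record (one sample per record), roughly 2579 samples expected in the window against 115 records observed, so both the bandwidth ratio and the sample ratio come out near 4.5%. The summary's own avg bps (119936105) is slightly lower than the value computed here because nfdump uses the millisecond timestamps of the first and last record (14:22:01.336 to 14:22:59.557, about 58.2 s) rather than the whole-second time window. When the two fractions agree like this, the extrapolation per record is consistent with the configured sampling rate and the gap sits in how many samples arrive at the collector, which is the figure to compare against what the other sFlow receivers see from the same reporter.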



-----Original Message-----

From: Peter Haag [mailto:ph...@users.sourceforge.net]

Sent: Sunday, November 22, 2015 1:30 PM

To: Evgeny Vainerman <evge...@securitydam.com>; 
nfdump-discuss@lists.sourceforge.net

Cc: Meir Katz <me...@securitydam.com>

Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than sFlow



On 21.11.15 15:40, Evgeny Vainerman wrote:

> Hi Peter,

>

> I suspect that the problem appears when too many flows are reported. And the 
> issue is rather an outcome of a huge number of flows than high bandwidth. A DDoS 
> attack is usually built of a huge number of very short flows (different source 
> IPs and ports).

> I'm trying to create some artificial traffic to simulate this situation.

> Maybe you can advise any simulation tool?



Hmm .. not that I am aware of. There are some studies regarding the accuracy 
of a total estimation from sampled flow data. Small flows are indeed a bigger 
problem and lead to bigger deviations in the numbers.





Cheers



- Peter

>

>

> = = =

> Thanks,

> Evgeny

>

>

> -------- Original message --------

> From: Peter Haag <ph...@users.sourceforge.net>

> Date: 21/11/2015 13:24 (GMT+02:00)

> To: Evgeny Vainerman <evge...@securitydam.com>,

> nfdump-discuss@lists.sourceforge.net

> Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than

> sFlow

>

> Hi Evgeny,

> Hmm .. difficult to tell. sfcapd simply reports what it gets from the 
> exporter.

> The amount of data in bytes is extrapolated according to the sampling rate.

> In the event of a DDoS attack, there are many potential bottlenecks.

> So it's not easy to pinpoint the reason.

>

>         - Peter

>

>

> On 22.10.15 12:52, Evgeny Vainerman wrote:

>> Hi All

>>

>> I'm using Cisco NX-OS(tm) n3000 Switch, Software (n3000-uk9), Version 
>> 6.0(2)U2(3).

>>

>> My sflow settings are as follows:

>>

>> sflow sampling-rate 5000

>> sflow  max-datagram-size 2000

>> sflow collector-ip X.X.X.X vrf management sflow collector-port NNNN

>> sflow agent-ip Y.Y.Y.Y

>>

>> Recently I've got a DDoS attack.

>> PRTG has shown incoming traffic of ~27 Gbit/sec during ~10 minutes.

>>

>> sFlow reported more than 10K flows in one minute, each one's duration is 0.0. However, the total reported traffic is ~3.6 Gbit/sec:
>>
>> Summary: total flows: 11292, total bytes: 27533130000, total packets: 56460000, avg bps: 3672369329, avg pps: 941329, avg bpp: 487
>> Time window: 2015-10-21 11:25:00 - 2015-10-21 11:25:59

>>

>> What can be the reason for such a gap?

>>

>> -

>> Thanks,

>> Evgeny

>>

>>

>>

>>


>>

>>

>>

>> _______________________________________________

>> Nfdump-discuss mailing list

>> Nfdump-discuss@lists.sourceforge.net

>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss

>>

>

> --

> Be nice to your netflow data. Use NfSen and nfdump :)

>

>

>


>

>

>


>



--

Be nice to your netflow data. Use NfSen and nfdump :)