Hi Peter,
My suspicion that the issue is related to the number of flows is wrong. I generate UDP traffic of ~2.7 Gbit/sec with iperf - same source, same destination:

iperf -c B.B.B.B -i 1 -b 4000M -t 400 -l 40000

sfcapd collects the data. All recorded flows look similar (5000 packets / 7.6M bytes each, Duration is 0.0):

Date first seen          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Packets    Bytes Flows
2015-11-22 14:22:01.336     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1
2015-11-22 14:22:01.493     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1
2015-11-22 14:22:01.641     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1
2015-11-22 14:22:01.704     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1
2015-11-22 14:22:02.659     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1
2015-11-22 14:22:03.065     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1
...
2015-11-22 14:22:58.705     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1
2015-11-22 14:22:59.557     0.000 UDP         A.A.A.A:44573 ->         B.B.B.B:5001        5000    7.6 M     1

However, very low traffic is reported:

Summary: total flows: 115, total bytes: 872850000, total packets: 575000, avg bps: 119936105, avg pps: 9876, avg bpp: 1518
Time window: 2015-11-22 14:22:01 - 2015-11-22 14:22:59
Total flows processed: 115, Blocks skipped: 0, Bytes read: 7020
Sys: 0.004s flows/second: 23138.8  Wall: 0.003s flows/second: 33833.5

For testing purposes, I directed sFlow reports from the switch to PRTG and to sFlowTrend - both show the correct bandwidth with the same reporter. Looks like sfcapd or nfdump loses the data. Is it possible that it ignores "too short" flows, even if reported?

-
Thanks,
Evgeny

-----Original Message-----
From: Peter Haag [mailto:ph...@users.sourceforge.net]
Sent: Sunday, November 22, 2015 1:30 PM
To: Evgeny Vainerman <evge...@securitydam.com>; nfdump-discuss@lists.sourceforge.net
Cc: Meir Katz <me...@securitydam.com>
Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than sFlow

On 21.11.15 15:40, Evgeny Vainerman wrote:
> Hi Peter,
>
> I suspect that the problem appears when too many flows are reported. And the
> issue is rather an outcome of a huge number of flows than of high bandwidth. A DDoS
> attack is usually built of a huge number of very short flows (different source
> IPs and ports).
> I'm trying to create some artificial traffic to simulate this situation.
> Maybe you can advise any simulation tool?

Hmm .. not that I am aware of. There are some studies regarding the accuracy of a total estimation from sampled flow data. Small flows are indeed a bigger problem and lead to bigger deviations of numbers.

Cheers - Peter

>
> = = =
> Thanks,
> Evgeny
>
>
> -------- Original message --------
> From: Peter Haag <ph...@users.sourceforge.net>
> Date: 21/11/2015 13:24 (GMT+02:00)
> To: Evgeny Vainerman <evge...@securitydam.com>, nfdump-discuss@lists.sourceforge.net
> Subject: Re: [Nfdump-discuss] PRTG reports x8 higher traffic than sFlow
>
> Hi Evgeny,
> Hmm .. difficult to tell. sfcapd simply reports what it gets from the exporter.
> The amount of data in bytes is extrapolated according to the sampling rate.
> In the event of a DDoS attack, there are many potential bottlenecks.
> So it's not easy to pinpoint the reason.
>
> - Peter
>
>
> On 22.10.15 12:52, Evgeny Vainerman wrote:
>> Hi All
>>
>> I'm using Cisco NX-OS(tm) n3000 Switch, Software (n3000-uk9), Version 6.0(2)U2(3).
>>
>> My sflow setting is as follows:
>>
>> sflow sampling-rate 5000
>> sflow max-datagram-size 2000
>> sflow collector-ip X.X.X.X vrf management
>> sflow collector-port NNNN
>> sflow agent-ip Y.Y.Y.Y
>>
>> Recently I've got a DDoS attack.
>> PRTG has shown incoming traffic of ~27 Gbit/sec during ~10 minutes.
>>
>> sFlow reported more than 10K flows in one minute, each one's duration is 0.0. However, the total reported traffic is ~3.6 Gbit/sec:
>>
>> Summary: total flows: 11292, total bytes: 27533130000, total packets: 56460000, avg bps: 3672369329, avg pps: 941329, avg bpp: 487
>> Time window: 2015-10-21 11:25:00 - 2015-10-21 11:25:59
>>
>> What can be the reason for such a gap?
>>
>> -
>> Thanks,
>> Evgeny
>>
>> ------------------------------------------------------------------------------
>>
>> _______________________________________________
>> Nfdump-discuss mailing list
>> Nfdump-discuss@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
>>
>
> --
> Be nice to your netflow data. Use NfSen and nfdump :)
>

--
Be nice to your netflow data. Use NfSen and nfdump :)
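A sanity check for the situation described in this thread, added here as an example (it is not code from the thread or from the nfdump project). It reads nfdump-style records like the ones Evgeny posted, derives how many raw sFlow samples each extrapolated record stands for (1:5000 sampling, so 5000 packets per sample), and compares the number of samples the collector stored with the number the switch should have emitted for the independently measured rate. The 1518-byte packet size (from "avg bpp: 1518") and the 58-second window are taken from the posted summary; the record lines below are a constructed sample in the same format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLING_RATE = 5000  # switch config in the thread: sflow sampling-rate 5000

# Constructed sample in nfdump's default listing format (values as posted).
NFDUMP_LINES = """\
2015-11-22 14:22:01.336     0.000 UDP    A.A.A.A:44573 ->  B.B.B.B:5001     5000    7.6 M     1
2015-11-22 14:22:01.493     0.000 UDP    A.A.A.A:44573 ->  B.B.B.B:5001     5000    7.6 M     1
2015-11-22 14:22:59.557     0.000 UDP    A.A.A.A:44573 ->  B.B.B.B:5001     5000    7.6 M     1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<pkts>\d+)\s+(?P<bytes>[\d.]+)\s*(?P<unit>[KMG]?)\s+(?P<flows>\d+)$"
)
UNIT = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}


@dataclass
class Flow:
    packets: int
    bytes: float


def parse_nfdump(text: str) -> list[Flow]:
    """Parse nfdump listing lines; header and separator lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(int(m["pkts"]), float(m["bytes"]) * UNIT[m["unit"]]))
    return flows


def samples_in_record(flow: Flow, rate: int = SAMPLING_RATE) -> int:
    """Raw sFlow samples behind one extrapolated record (5000 pkts -> 1 sample at 1:5000)."""
    return flow.packets // rate


def expected_samples(bits_per_sec: float, seconds: float, bytes_per_pkt: int,
                     rate: int = SAMPLING_RATE) -> float:
    """Samples the exporter should emit for a known traffic rate over the window."""
    pps = bits_per_sec / 8 / bytes_per_pkt
    return pps * seconds / rate


def sample_shortfall(flows: list[Flow], bits_per_sec: float, seconds: float,
                     bytes_per_pkt: int) -> tuple[int, float, float]:
    """Return (samples stored, samples expected, stored/expected ratio)."""
    got = sum(samples_in_record(f) for f in flows)
    want = expected_samples(bits_per_sec, seconds, bytes_per_pkt)
    return got, want, got / want
```

With the 115 records from the thread against 2.7 Gbit/s of 1518-byte packets over 58 s, roughly 2580 samples are expected but only 115 were stored, so the gap is in sample delivery or collection rather than in the per-record extrapolation, which is exactly consistent (5000 x 1518 = 7.59 MB per record).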