Hi Paolo. The sFlow Agent is a Foundry FastIron Edge 4802
The only sFlow Config i can see is: sflow enable sflow sample 1024 sflow polling-interval 5 sflow destination <PMACCT-LISTEN-IP> 6000 Where do I get the sflowtool and how do i debug the sFlow Datagrams? Do you have any idea? Best Regards, Oliver Treck Paolo Lucente schrieb:
Hi Oliver, counters make sense: you were downloading something - looks like a TCP strem - and the set of TCP ACKs has been intercepted, for a total of soma 16MB. Doing a few maths confirms this in fact packets are very small: 16732160 / 273408 = ~61 bytes. Now, the configuration posted previously looks correct. Check on your sFlow agent what is being sampled - which interfaces and which direction - and make sure that everything you need to capture the whole stream is there. Often the traffic is sampled only uni-directionally. Once that's verified, if nothing comes up i would then suggest to debug the sFlow datagrams with sflowtool. That would rule out either the agent or the collector. Maybe it's also a good idea to specify vendor and model of the sFlow agent, maybe people reading might have useful tips. Cheers, Paolo On Thu, Sep 20, 2007 at 06:31:56PM +0200, Oliver Treck (Treck.de - the WEB energyzer) wrote:Hi Paolo. Thanks for your fast response. Yes, i'm using sFlow. It seems, that the additional configuration did not realy work. Counters for packets and bytes are increased now, but they are still absurd. I did a download of 600MB but the counters telling: +----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+| agent_id | class_id | mac_src | mac_dst | vlan | as_src | as_dst | ip_src | ip_dst | src_port | dst_port | tcp_flags | ip_proto | tos | packets | bytes | flows | stamp_inserted | stamp_updated |+----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+| 0 | | | | 0 | 0 | 0 | xx.xx.x.xxx | 0.0.0.0 | 0 | 0 | 0 | | 0 | 273408 | 16732160 | 0 | 2007-09-20 17:00:00 | 2007-09-20 17:54:23 |+----------+----------+---------+---------+------+--------+--------+-------------+---------+----------+----------+-----------+----------+-----+---------+----------+-------+---------------------+---------------------+ That's just 16MB :(Another Problem is, that the daemon seems to collect traffic just for outgoing packets.Since one week there was no entry like ip_src = 0.0.0.0 -> ip_dst = <OUR IP> just: ip_src = <OUR IP> -> ip_dst = 0.0.0.0 But before there already were some of incoming packets.Even as long as i know that the byte counters are wrong i cannot even say, if the outgoing and incoming traffic is summarized here in that single entry "ip_src = <OUR IP> to ip_dst 0.0.0.0" or if it's completely left out.Another problem is also, that some ip's seem not to be accounted continuous. For an ip with high traffic load the last entry was yesterday at 6pm.Do you have another idea for my problems? Best regards, Oliver Treck
begin:vcard fn:Oliver Treck n:Treck;Oliver org:Treck.de - the WEB energyzer adr:;;Rektor-Kruse-Weg 13;Iserlohn;NRW;58644;Deutschland email;internet:[EMAIL PROTECTED] title:Inhaber tel;work:+49-2371-779701 tel;fax:+49-2371-779702 tel;cell:+49-160-94168378 url:http://www.treck.de version:2.1 end:vcard
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
