Hi Steve, Your config looks good. I suggest to check the NetFlow v9 export at your router. One popular issue is that the options packet to specify the sampling rate are not exported. Besides, especially on slightly older software releases (i here refer particularly to IOS and JunOS, feel to exclude IOS-XR, don't know others), this was an area fertile of bugs.
I will be happy to assist, in case you want an additional pair of eyes. We can switch to 1:1 emails and you can send me a brief capture of your NetFlow traffic. Cheers, Paolo On Wed, Feb 04, 2015 at 05:26:09PM +0000, Steve Gerteisen wrote: > I've got two devices exporting NetFlow v9 records to my nfacctd collector. > For some reason the sampling rate (1:1000) isn't getting expanded, resulting > in low pps/bps calcs. To compensate in the meantime, I've hardcoded my > sample rate into my pps/bps calculations in the Perl script scraping the data > from the IMT. Would be curious for some feedback from the list on why this > might be happening. Version info, config file and sample data below. Any > assistance would be greatly appreciated, thanks! > > #!--- version info ---!# > > [user@host ~]# nfacctd -V > NetFlow Accounting Daemon, nfacctd 1.5.1-cvs (20141119-00) > --enable-jansson > > For suggestions, critics, bugs, contact me: Paolo Lucente <[email protected]>. > [user@host ~]# > > #!--- nfacctd config file ---!# > > daemonize: true > nfacctd_port: 5678 > plugins: memory[full] > aggregate[full]: tag, tag2, in_iface, out_iface, peer_src_as, peer_dst_as, > src_host, dst_host, proto, src_port, dst_port, tcpflags, ext_comm, > src_ext_comm, tos, timestamp_start, timestamp_end > refresh_maps: true > nfacctd_renormalize: true > nfacctd_time_new: true > > imt_path[full]: /opt/flows_to_es/cache/full.pipe > > pre_tag_map: /opt/pmacct/etc/pretag.map > > plugin_pipe_size: 131072000 > plugin_buffer_size: 6400 > imt_buckets: 65537 > imt_mem_pools_size: 1024000 > imt_mem_pools_number: 160 > > #!--- sample data ---!# > Duration: $VAR1 = 81; > Bytes: $VAR1 = 105; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 1500; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 1500; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 52; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 1500; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 96; > Packets: $VAR1 = 2; > Bytes: $VAR1 = 1400; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 55; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 329; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 440; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 52; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 52; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 1500; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 1500; > Packets: $VAR1 = 1; > Bytes: $VAR1 = 152; > Packets: $VAR1 = 1; > > -- > Steve M. Gerteisen > [email protected] > > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
