Hello, I have been able to collect netflow data from our Palo Alto device for forensic analysis purposes and started to study sflow data from the Juniper switches. I understand that sflow is based on statistical sampling, which clearly cannot catch every packet, but one can lower the 1:x ratio low enough for that to work. Having done that, I had the following aggregate statement (sfacctd):

aggregate[track_raw]: label, src_host, dst_host, src_port, dst_port, proto, tcpflags, in_iface, out_iface, cos, etype, src_mac, dst_mac, vlan, timestamp_start

which, because of the timestamp_start field, cannot aggregate data together for packets that belong to the same session (flow). I was comparing an http download on the netflow side and saw that I had a couple of entries with hundreds of packets and a packet size matching the download. On the sflow collecting side, I had hundreds of individual entries, each with a packet count of 1. Now I am realizing that sfacctd cannot aggregate anything in terms of sflow data because of the timestamp_start. But I need the timestamp_start in the output (json file). How can one go about that?

I feel that sflow is really nothing equivalent to netflow. Basically netflow has done a ton of work putting together netflow records of complete transactions, while sflow just produces packet metadata that another collector has to put together and make up the transactions, and if the ending tcp flags are not there, then you are stuck.

Thank you for your help.

Steffen

_______________________________________________________________________________________________
Steffen Plotner
Systems/Network Administrator/Programmer
Systems & Networking
Amherst College
PO BOX 5000
Amherst, MA 01002-5000
Tel (413) 542-2348
Fax (413) 542-2626
[email protected]
_______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
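The per-packet records described in the post can be folded back into per-session records after the fact. As an added example (not from the original message and not pmacct's own code), the Python below reads sfacctd-style JSON lines, groups them by 5-tuple, keeps the earliest timestamp_start and the latest sampled timestamp, ORs the tcp_flags so a sampled FIN/RST survives, and scales counts by the 1:N sampling ratio; the JSON key names (ip_src, port_src, ...) are an assumption and the sample records are constructed.

```python
import json

# Constructed sample input: sfacctd JSON lines, one per sampled packet, each
# with packets=1 because timestamp_start differs. Field names follow the
# pmacct print-plugin style (ip_src, port_src, ...); treat them as an assumption.
SAMPLE_RECORDS = """\
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 16, "timestamp_start": "2016-01-01 10:00:01.200000", "packets": 1, "bytes": 1500}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 2, "timestamp_start": "2016-01-01 10:00:00.000000", "packets": 1, "bytes": 60}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.53", "port_src": 40001, "port_dst": 53, "ip_proto": "udp", "tcp_flags": 0, "timestamp_start": "2016-01-01 10:00:00.700000", "packets": 1, "bytes": 80}
{"ip_src": "10.0.0.5", "ip_dst": "203.0.113.10", "port_src": 51234, "port_dst": 80, "ip_proto": "tcp", "tcp_flags": 17, "timestamp_start": "2016-01-01 10:00:02.500000", "packets": 1, "bytes": 52}
"""

FLOW_KEY = ("ip_src", "ip_dst", "port_src", "port_dst", "ip_proto")
TCP_FIN, TCP_RST = 0x01, 0x04


def aggregate_flows(lines, sampling_rate=1):
    """Fold per-packet records into one record per 5-tuple.

    timestamp_start/timestamp_end become the earliest and latest sampled
    packet; tcp_flags are ORed so a sampled FIN/RST is not lost. Counts are
    multiplied by sampling_rate (the 1:N ratio) to estimate the real volume.
    pmacct-style "YYYY-MM-DD HH:MM:SS.ffffff" strings sort as plain strings,
    so min/max on them is safe.
    """
    flows = {}
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        key = tuple(rec[k] for k in FLOW_KEY)
        flow = flows.get(key)
        if flow is None:
            flow = dict(zip(FLOW_KEY, key))
            flow.update(packets=0, bytes=0, tcp_flags=0,
                        timestamp_start=rec["timestamp_start"],
                        timestamp_end=rec["timestamp_start"])
            flows[key] = flow
        flow["packets"] += int(rec.get("packets", 1)) * sampling_rate
        flow["bytes"] += int(rec.get("bytes", 0)) * sampling_rate
        flow["tcp_flags"] |= int(rec.get("tcp_flags", 0))
        flow["timestamp_start"] = min(flow["timestamp_start"], rec["timestamp_start"])
        flow["timestamp_end"] = max(flow["timestamp_end"], rec["timestamp_start"])
    for flow in flows.values():
        # Only a sampled FIN or RST proves the session ended; otherwise the
        # flow is still open as far as the sampled data can tell.
        flow["flow_complete"] = bool(flow["tcp_flags"] & (TCP_FIN | TCP_RST))
    return list(flows.values())


if __name__ == "__main__":
    for flow in aggregate_flows(SAMPLE_RECORDS.splitlines()):
        print(json.dumps(flow))
```

Because only sampled packets are seen, timestamp_end and flow_complete describe the last packet the sampler happened to catch, not the true end of the session.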
