From: Neil McKee (neil_mckee@inmon.com)
Date: 11/21/02
What tool are you using to receive the sFlow packets and
report the results?
Multiplying by the configured sampling rate is only an
approximate way to scale up the results. The correct way to
do it is to multiply by the delta in the samplePool variable
divided by the number of samples. That way you will not be
affected by packet loss in transit or pseudo-random bias in
the random number generator.
For details, see the equations in "Packet Sampling Basics" on
the sflow.org website.
The poller is not very flexible. It prefers to poll at
intervals < 60 seconds.
The delta TOO BIG message is caused by a counter counting
backwards on your device - seems to happen a lot on Cisco boxes.
The wierd numbers for samplingRate = 0 or 1 might be caused by
packets being dropped somewhere in the system. This code is
not optimised for looking at every packet. It expects to be
sampling.
The text files are not really needed for what you are doing.
When you say "nProbe" do you mean "NTop Probe"?
Perhaps the most important aspect of our probe software is
that it records the input and output ports on the
switch/router for each sample. This means you can effectively
monitor all the ports on the switch. It's like having a
separate probe on each port.
regards,
neil
Wanja Jansson wrote:
> Hi again,
>
> Thank for the help the other time. Now I have a new problem:
>
> I am doing a comparison with the sFLowSP and a nProbe, by
sending
> a big file (a movie on about 800MB) from one computer to
mine. But
> I get some very strange results. I think it has to do with
the different
> parameters in the configuration files. I am reading in the
RFC 3176
> but can still don't figure out what the parameters do.
>
> CONFIGURATION FILE:
> My configuration file looks like this: Should I change
something?
> What does debug=0 means? And where should I find the .txt
files?
> Do I need them?
>
> ErrorLog = inxPKP.err
> TraceLog = inxPKP.log
> Command = inxPKP.cmd
> #include "./inxGlobal.ini"
>
> MIBInterval = 10
>
> ; ================= settings ================
>
> PKPDevice = eth0
> PKPDriverSampling = NO
> PKPDeviceEnabled = YES
> PKPsFlowEnabled = YES
> PKPAgent = 10.1.1.15
> PKPCommunity = public
> PKPSamplingRate = 1000
> PKPCollectorHost = 10.1.2.53
> PKPMirrorDirection = both
> PKPPollInterval = 45
> PKPPromiscuous = YES
> PKPMPRefreshTimeout = 3600
> PKPMPRequestTimeout = 2
> PKPMPSuppressRetryTimeout = 3600
> PKPMPTableSize = 49999
> PKPMPBridgeTable = bridgeTable.txt
> PKPMIBIIRouteTable = routingTable.txt
> PKPASInterfaceTable = ifTable.txt
> PKPASPortMapping = YES
> PKPASSymmetric = YES
> PKPVLANTable = vlanTable.txt
>
> ; now include a config file for optionally overriding these
settings
> ; and others below (from global.ini and inxGlobal.ini)
>
> #includeWithNoComments "/var/sFlowSP/config/pkp.ini"
>
> PidFile = ../pids/inxPKP.pid
> debug = 0
>
> Further below in the example logfile I havn't change anything.
>
> LOG FILE:
> What is a "good" Pollinterval? When I try e.g 60, the log
file says:
> 20021120132335: pollCounters: WARNING: poll interval is >
activeInterval
> What is activeinterval?
>
> Other lines in the log file use to look like this:
> 20021120003546: pollCounters: in_multicasts
delta32=4294967295 TOO BIG -
> not accumulating (old=91764, new=91763)
> 20021120003738: portLookup: concurrent SNMP requests at
maximum, not
> sending another
> 20021120084911: pollCounters: 10.1.1.15:4 out_bytes changed
from 0 to
> 3310411095 - not accumulating
>
> What does these different lines means? Is something wrong?
>
> SAMPLINGRATE:
> For example, the "PKPSamplingRate": when I set PKPSamplingRate = 0,
> the sampling should be disabled and with PKPSamplingRate =1
all packet
> should be sampled. Am I right? And in that case, what is
the output I get
> with PKPSamplingRate = 0 and 1?
>
> Below are the result of one of my test of sending a movie
on 814912924
> bytes.
> With samplingrate 0 and 1 the results are completely
incorrect, Why?
>
> With samplingrate 10, 100, 1000 and 10000 I get more or
less the correct
> number
> of bytes IF I multilpy the total sum of bytes with the
samplingrate.
> Is it really supposed to be like that?
>
> Is there anywhere some documents except from the RFC 3176
explaining these
> things?
>
> sFlow Sampling Rate = 0
> Pkts
Bytes
> 10
1814
> 103676
145210171
> 11
4244
> 13
1908
> 1
46
> 1
46
> 15
3563
> 41
4672
> Total: 103768
145226464
>
> sFlow Sampling Rate = 1
> Pkts
Bytes
> 10
460
> 14
3146
> 15
1419
> 19
3426
> 22
4002
> 5
475
> 99657
139634292
> Total: 99742
139647220
>
> sFlow Sampling Rate = 10
> Pkts
Bytes
> 15
720
> 19
5629
> 5
1783
> 58756
82773717
> 7
930
> 9
378
> Total: 58811
82783157
>
> sFlow Sampling Rate = 100
> Pkts
Bytes
> 1
46
> 1
46
> 1
46
> 149
216044
> 5677
8169439
> Total: 5829
8385621
>
> sFlow Sampling Rate = 1000
> Pkts
Bytes
> 11
16500
> 563
824637
> Total: 574
841137
>
> sFlow Sampling Rate = 10000
> Pkts
Bytes
> 1
1500
> 57
83828
> Total: 58
85328
>
>
> Thanks again,
>
> Wanja
>
> _____________________________________________
> Free email with personality! Over 200 domains!
> http://www.MyOwnEmail.com
>
>
>
-- Neil McKee, InMon Corp. tel: +1 (415) 661-6343 http://www.inmon.com
This archive was generated by hypermail 2.1.4 : 11/21/02 PST