Re: Configuration Parameters

From: Neil McKee (
Date: 11/27/02

  • Next message: Peter Phaal: "SQL (Slammer) Worm Detection using sFlow"

    The accuracy of an estimate improves with the number of samples taken. That
    is why the results are more accurate for an 800MB flow than they are for a
    20MB flow.

    If you set the samplingRate to 1-in-100 instead of 1-in-1000 then the
    accuracy for the 20MB flow should improve.

    If you are using the latest version of sflowtool (version 2.3), it should
    automatically scale the netflow output for you (unless you tell it not to
    with the -s option).

    You are correct that the packet-sampling approach means you are not looking
    in detail at each transmission. A sampling-rate of 1-in-1000 means that you
    are counting every packet but only decoding 1 out of every 1000. This may
    sound lazy :-) but it has some very desirable properties when embedded in
    switch ASICs. The samples from many switches can all be forwarded without
    delay to one analyser, which can then present both real-time and historical
    traffic views for the entire network - even if there are many thousands of
    links. The sampling protects the measurement system from ever being
    overloaded, so over time the results become more and more accurate.


    Wanja Jansson wrote:

    > Hi again,
    >>What tool are you using to receive the sFlow packets and
    >>report the results?
    > First I use the sflowtool to convert the sflow into netflow and then i use
    > CAIDA's cflowd to view the data through the arts++ dataviewers. The same I
    > do with the netflow data I get from the NTOP nProbe, but here I already
    > have the netflow format and can send it directly into the cflowd. In that
    > way I get the same presentation of the data from both the probes and can
    > compare the data
    >>Multiplying by the configured sampling rate is only an
    >>approximate way to scale up the results. The correct way to
    >>do it is to multiply by the delta in the samplePool variable
    >>divided by the number of samples. That way you will not be
    >>affected by packet loss in transit or pseudo-random bias in
    >>the random number generator.
    >>For details, see the equations in "Packet Sampling Basics" on
    >>the website.
    > Ok, But then how come I get "good results" calculating the total number of
    > packets when copying a big file on about 800 MB and when I do the same test
    > with a file on 20MB, I do not get any correct number of bytes at all. Or is
    > the probes just ment to give an overiwev of the traffic in the network and
    > do not look so much in detail on each transmission?
    >>When you say "nProbe" do you mean "NTop Probe"?
    > Yes , the NTOP nProbe.
    > Regards
    > Wanja Jansson
    > _____________________________________________
    > Free email with personality! Over 200 domains!
    > Looking for friendships,romance and more?

    Neil McKee, InMon Corp.
    tel: +1 (415) 661-6343

    This archive was generated by hypermail 2.1.4 : 11/27/02 PST