Hi every one! I has observed what the informations about speed of the link of the Internet from softflowd and NFSEN are less than what i see in the Cacti. I see too what softflowd has use average 98% of process of CPU . The sofflowd is running in the same machine what nfsen. What the hardware profile for capture all flows in the link of the 100 Mbits/s?
On Thu, 9 Jul 2009, Raphael Ruiz wrote:> Hi every one! > > I has observed what the informations about speed of the link of the > Internet from softflowd and NFSEN are less than what i see in the > Cacti.Some difference is inevitable - softflowd will only look at IP traffic and disregard any link-layer traffic. Also, reconstructing point-in-time traffic utilisation from flow data is basically impossible - so whatever nfsen displays as a utilisation chart would involve some estimation and guesswork.> I see too what softflowd has use average 98% of process of CPU . The > sofflowd is running in the same machine what nfsen.Yes, softflowd is quite CPU intensive especially if your traffic mix consists to lots of tiny flows (e.g. web/DNS traffic).> What the hardware profile for capture all flows in the link of the 100 Mbits/s?"It depends" -d
Sean Cody
2009-Jul-13 16:04 UTC
[netflow-tools] Softflowd & flow-tools on multiple interfaces.
I''ve deployed both softflowd and flow-tools to devices that I can''t easily add a mirror port to. So I''ve got around 5 sensors per site (softflowd on 3 mirror interfaces and on 2 devices directly) and 1 collector and am saving them in completely different flow-tools log sets. A bit of reading lends me to the idea of using the interface field in the flow records to record which device the flow came from (and have online 1 set of flow logs). Is this possible or should I continue using the 1 softflowd per flow- capture setup? As well is there an easy way to tell if softflowd is missing flows (ala tcpdump discards)? -- Sean
Damien Miller
2009-Aug-15 16:59 UTC
[netflow-tools] Softflowd & flow-tools on multiple interfaces.
On Mon, 13 Jul 2009, Sean Cody wrote:> I''ve deployed both softflowd and flow-tools to devices that I can''t easily add > a mirror port to. > So I''ve got around 5 sensors per site (softflowd on 3 mirror interfaces and on > 2 devices directly) and 1 collector and am saving them in completely different > flow-tools log sets. A bit of reading lends me to the idea of using the > interface field in the flow records to record which device the flow came from > (and have online 1 set of flow logs). > > Is this possible or should I continue using the 1 softflowd per flow-capture > setup?Some platforms support listening to all IP traffic that passes through a host, but softflowd doesn''t support this yet.> As well is there an easy way to tell if softflowd is missing flows (ala > tcpdump discards)?You can compare the total of the netflow packet or byte counts with those of the interfaces over the same time period. -d