[netflow-tools] softflowd -m 512000 ... flow-capture ... 90 % less traffic??

Andrew McGill list2009 at lunch.za.net
Tue Aug 4 01:48:06 EST 2009


Greetings netflow-tools,

I have softflowd sending information to flow-capture for a network with a few 
hundred hosts (don't ask, the answer is probably "yes").  Softflowd was 
configured with the defaults, without a -m parameter, so that softflowd tracked 
a maximum of 8192 flows.  The primary reason for rolling over flows was 
running out of connections - and CPU load was obnoxiously high.  So I fixed it 
(in the sense of thereifixedit.com, perhaps).  I told softflowd that it should 
track a maximum of 512000 flows, and it duly did.  

The before and after log files for 10 minutes of traffic look like this:

-rw-r--r--  1 root root 12678211 Jul 26 17:02 ft-v05.2009-07-26.165257+0200                                               
-rw-r--r--  1 root root   673952 Jul 26 17:32 ft-v05.2009-07-26.172247+0200                                               

... which is great, BUT it seems that most of the traffic is getting lost.  
It's not that this traffic is getting deferred into later stats -- it simply 
never gets reported -- the reported totals dropped to 10% of their previous 
values!

before:  Average Kbits / second (real)   : 49598.9333
after:   Average Kbits / second (real)   : 3872.6817

The next day it was still roughly 10% of the real amount:

    Average Kbits / second (real)   : 4617.1089

Is this correct behaviour?  Am I doing one or more things wrong?

&:-)



Notes:

Startup parameters:
	flow-capture -p /var/run/flow-capture.pid -n 144 -N -1 \
		-w /var/log/netflows -S 10 0/0/8828  

	softflowd -i eth2 -n 127.0.0.1:8828              # BEFORE
	softflowd -i eth2 -n 127.0.0.1:8828  -m 512000   # AFTER


In case it's relevant, this is what flow-stat said about the files:


#  --- ---- ---- Report Information --- --- --- (BEFORE)
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   None
# Name:      Overall Summary
#
# Args:      flow-stat 
#
Total Flows                     : 723704
Total Octets                    : 2975935893
Total Packets                   : 6138299
Total Time (1/1000 secs) (flows): 5790296389
Duration of data  (realtime)    : 480
Duration of data (1/1000 secs)  : 2363291
Average flow time (1/1000 secs) : 8000.9183
Average packet size (octets)    : 484.8144
Average flow size (octets)      : 4112.0900
Average packets per flow        : 8.4818
Average flows / second (flow)   : 306.2649
Average flows / second (real)   : 1507.7167
Average Kbits / second (flow)   : 10075.1113
Average Kbits / second (real)   : 49598.9333


IP packet size distribution:
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .379 .286 .090 .082 .044 .024 .021 .013 .007 .005 .003 .003 .001 .002 

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .005 .001 .014 .018 .000 .000 .000 .000 .000 .000 

Packets per flow distribution:
      1    2    4    8   12   16   20   24   28   32   36   40   44   48   52
   .643 .086 .075 .097 .030 .018 .011 .007 .005 .004 .003 .002 .002 .002 .001 

     60  100  200  300  400  500  600  700  800  900 >900
   .002 .005 .003 .001 .001 .000 .000 .000 .000 .000 .001 

Octets per flow distribution:
     32   64  128  256  512 1280 2048 2816 3584 4352 5120 5888 6656 7424 8192
   .000 .241 .298 .191 .104 .082 .022 .011 .007 .004 .004 .002 .002 .002 .002 

   8960 9728 10496 11264 12032 12800 13568 14336 15104 15872 >15872
   .001 .001  .001  .001  .001  .001  .001  .001  .001  .001  .019  

Flow time distribution:
    10    50  100  200  500 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
   .733 .014 .013 .024 .035 .032 .025 .017 .010 .008 .016 .007 .005 .005  .004  

  12000 14000 16000 18000 20000 22000 24000 26000 28000 30000 >30000
   .006  .004  .003  .003  .002  .004  .002  .001  .001  .001  .023  

#  --- ---- ---- Report Information --- --- --- (AFTER)
#
# Fields:    Total
# Symbols:   Disabled
# Sorting:   None
# Name:      Overall Summary
#
# Args:      flow-stat 
#
Total Flows                     : 50516
Total Octets                    : 261406012
Total Packets                   : 551158
Total Time (1/1000 secs) (flows): 329152148
Duration of data  (realtime)    : 540
Duration of data (1/1000 secs)  : 1366814
Average flow time (1/1000 secs) : 6515.8001
Average packet size (octets)    : 474.2851
Average flow size (octets)      : 5174.7172
Average packets per flow        : 10.9106
Average flows / second (flow)   : 36.9810
Average flows / second (real)   : 93.5481
Average Kbits / second (flow)   : 1530.9283
Average Kbits / second (real)   : 3872.6817


IP packet size distribution:
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .205 .364 .125 .116 .053 .028 .020 .019 .009 .005 .004 .003 .002 .002 

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .008 .001 .015 .019 .000 .000 .000 .000 .000 .000 

Packets per flow distribution:
      1    2    4    8   12   16   20   24   28   32   36   40   44   48   52
   .439 .174 .073 .119 .067 .034 .018 .015 .010 .008 .006 .004 .003 .004 .002 

     60  100  200  300  400  500  600  700  800  900 >900
   .004 .010 .005 .001 .001 .000 .000 .000 .000 .000 .001 

Octets per flow distribution:
     32   64  128  256  512 1280 2048 2816 3584 4352 5120 5888 6656 7424 8192
   .000 .059 .297 .200 .153 .154 .042 .022 .011 .006 .004 .003 .002 .004 .003 

   8960 9728 10496 11264 12032 12800 13568 14336 15104 15872 >15872
   .002 .002  .002  .001  .001  .001  .001  .001  .001  .000  .027  

Flow time distribution:
    10    50  100  200  500 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000
   .298 .024 .012 .073 .319 .071 .035 .024 .012 .010 .020 .009 .007 .006  .005  

  12000 14000 16000 18000 20000 22000 24000 26000 28000 30000 >30000
   .009  .005  .003  .004  .004  .003  .003  .003  .003  .004  .035  
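
Added example, not part of the original post: a small parser for the flow-stat "Overall Summary" lines quoted above that recomputes "Average Kbits / second (real)" from Total Octets and the realtime duration, and compares per-second flows, packets and octets between the two captures. The function names are illustrative; the sample values are copied from the two reports in the post.

```python
import re

# "label : number" lines copied from the two flow-stat reports in the post.
BEFORE = """\
Total Flows                     : 723704
Total Octets                    : 2975935893
Total Packets                   : 6138299
Duration of data  (realtime)    : 480
Average Kbits / second (real)   : 49598.9333
"""
AFTER = """\
Total Flows                     : 50516
Total Octets                    : 261406012
Total Packets                   : 551158
Duration of data  (realtime)    : 540
Average Kbits / second (real)   : 3872.6817
"""

# Skips "# ..." header lines and the distribution tables (no "label : number").
LINE = re.compile(r"^([^#:][^:]*?)\s*:\s*([0-9.]+)\s*$")
DURATION = "Duration of data (realtime)"

def parse_summary(text):
    """Return {label: value} for a flow-stat Overall Summary."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # Collapse runs of spaces so labels compare cleanly.
            stats[" ".join(m.group(1).split())] = float(m.group(2))
    return stats

def real_kbits(stats):
    """Recompute 'Average Kbits / second (real)' from octets and duration."""
    return stats["Total Octets"] * 8 / 1000 / stats[DURATION]

def per_second_ratios(before, after):
    """after/before ratio of per-second flows, packets and octets."""
    return {
        key: (after[key] / after[DURATION]) / (before[key] / before[DURATION])
        for key in ("Total Flows", "Total Packets", "Total Octets")
    }

if __name__ == "__main__":
    b, a = parse_summary(BEFORE), parse_summary(AFTER)
    for name, s in (("before", b), ("after", a)):
        print(f"{name}: reported {s['Average Kbits / second (real)']:.4f}, "
              f"recomputed {real_kbits(s):.4f} Kbit/s")
    for key, r in per_second_ratios(b, a).items():
        print(f"{key}/s after vs before: {r:.1%}")
```

The recomputed rates agree with the reported ones to within rounding, so the Kbits/second figure follows directly from the octet totals in the records that flow-capture stored for each window.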





