[netflow-tools] softflowd and -m ?

Damien Miller djm at mindrot.org
Sun Jun 3 19:07:15 EST 2007


On Wed, 30 May 2007, Michael Gale wrote:

> Hello,
>
>  I am new to using netflows and am experimenting by using softflowd to
> send tcpdump created files to ntop.
>
> Everything seems to be working except that I noticed a strange change
> in stats when using the -m option in softflowd.
>
> Without specifying the -m, ntop reports 1.4GB of traffic with an
> average of 136Mbps. If I run softflowd with "-m 1000000" ntop now
> reports that 250MB of traffic was seen?
>
> Does anyone know why this would happen?

Two possibilities:

1. By cranking the number of flows tracked so high, you might be using up
   your RAM and pushing softflowd into swap. If softflowd swaps, then it
   will drop traffic.

2. By cranking up the number of trackable flows, you are giving long-lived
   flows more of a chance to stay in the list of tracked flows rather than
   being evicted by newer flows. Because ntop only receives notification
   of traffic once flows are evicted (and thus exported), it reports a
   lower traffic rate. If this is the case, you might want to set a 
   "maxlife" timeout to force flows to be evicted every five minutes or so.

-d
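
Added example (not part of the original message, and not softflowd's code): a toy flow tracker that illustrates the second possibility above, where the collector only sees bytes once a flow is evicted and exported. The least-recently-used eviction, the absence of idle timeouts and of a final flush, the constructed traffic, and all function names are assumptions of this model.

```python
from collections import OrderedDict

def simulate(packets, max_flows, maxlife=None):
    """Toy flow tracker. Returns (bytes_exported, bytes_still_tracked)."""
    table = OrderedDict()  # key -> [first_seen, byte_count], least recently used first
    exported = 0
    for ts, key, nbytes in packets:
        if maxlife is not None:
            # Force out every flow that has been tracked for maxlife seconds.
            for old in [k for k, (first, _) in table.items() if ts - first >= maxlife]:
                exported += table.pop(old)[1]
        if key in table:
            table[key][1] += nbytes
            table.move_to_end(key)
        else:
            if len(table) >= max_flows:
                # Table full: evict (and export) the least recently active flow.
                exported += table.popitem(last=False)[1][1]
            table[key] = [ts, nbytes]
    return exported, sum(b for _, b in table.values())

def constructed_capture(seconds=600):
    """Constructed traffic: one long-lived flow sending a 10000-byte burst
    every 10 s, plus five new single-packet 100-byte flows every second."""
    pkts = []
    for t in range(seconds):
        if t % 10 == 0:
            pkts.append((t, "long", 10000))
        pkts.extend((t, f"short-{t}-{i}", 100) for i in range(5))
    return pkts

def compare():
    pkts = constructed_capture()
    return {
        "small table": simulate(pkts, max_flows=16),
        "large table": simulate(pkts, max_flows=1_000_000),
        "large table + maxlife 300": simulate(pkts, max_flows=1_000_000, maxlife=300),
    }

if __name__ == "__main__":
    for name, (exported, tracked) in compare().items():
        print(f"{name:28s} exported={exported:7d} still tracked={tracked:7d}")
```

In this model the small table exports almost everything because new flows keep pushing older ones out, the large table exports nothing while the capture runs, and adding a maxlife of 300 seconds makes the large table export again.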

