mbolli / nfsen-ng

Responsive NetFlow visualizer built on top of nfdump tools.
Apache License 2.0

Sawtooth | Traffic graph looks like accumulated over 30min, then reset counters #69

Closed makischu closed 2 years ago

makischu commented 2 years ago

I am glad I managed the initial configuration of nfsen-ng and I enjoy seeing my first data on the frontend. I use ipt-netflow as exporter and nfdump as collector on a different machine; syncing the nfcapd-files with rsync.

At first sight the data looks realistic, but there is one effect I did not expect and cannot explain. Plotting graphs with data type "Traffic" looks very different from data types "Flows" and "Packets". There is a sawtooth with a tooth of 30 min length.

One option is that the graph shows the truth and there is a strange behavior on my network. Another option is that I misconfigured something which leads to wrong graph data. Do you have any hints on where to look? Has anyone seen such an effect before? Thanks!

Uploaded my screenshots here. The one of interest is 220117_nfsen-ng_traffic.png, others are for reference. https://github.com/makischu/nfsen-ng-experience

Dona21 commented 2 years ago

Hi @makischu

You could try to select "1 hour" and switch from "Graph" to "Flows" and look at the details to see if you encounter something in the capture that would make sense in this context. This is what I would do. Maybe (random guess) it could be that you have something either uploading or downloading periodically which could explain the traffic and packets graphs. rsync itself, maybe?

makischu commented 2 years ago

@Dona21 thank you for the hints! I am just starting to love this tool! It enabled me to see what I configured months ago and forgot...

I added screenshots (the ones prefixed with "220118_") to the repo above, of "1 hour" for Graph-Flows (flat) and Graph-Traffic (sawtooth) and Flows (table, filtered).

In fact this is real traffic, no artifact! There was a camera configured to split the recording every 30 minutes, and an rsync job (awesome guess!) running every 5 minutes to sync the files to another system. So there is 1 file to transfer, every 5 minutes, and the file gets bigger and bigger until the next file takes over, every 30 minutes.
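
The pattern resolved in this thread, as an added example that is not part of the original discussion or of nfsen-ng: a small model of one growing file synced every 5 minutes, plus a check that recovers the 30-minute tooth length from per-bin byte counts. The write rate, the function names, and the assumption that each sync run sends the current file in full are constructed for illustration.

```python
BIN_MIN = 5        # sync interval from the thread, used here as the graph bin width
SEGMENT_MIN = 30   # the camera starts a new recording file every 30 minutes
RATE = 2_000_000   # constructed value: bytes the camera writes per minute


def simulate(bins):
    """Return one (flows, bytes) pair per 5-minute bin.

    Assumption: every sync run transfers the whole current file, so the
    byte count follows the file size while the flow count stays at 1.
    """
    series = []
    for i in range(bins):
        file_age_min = (i * BIN_MIN) % SEGMENT_MIN + BIN_MIN
        series.append((1, RATE * file_age_min))
    return series


def sawtooth_period(values, bin_min=BIN_MIN, drop_ratio=0.5):
    """Estimate the tooth length in minutes from reset points.

    A reset is a bin whose value falls below drop_ratio times the previous
    bin. Returns None unless there are at least two resets and all of them
    are evenly spaced, so flat or irregular series are not reported.
    """
    resets = [i for i in range(1, len(values))
              if values[i] < drop_ratio * values[i - 1]]
    gaps = {b - a for a, b in zip(resets, resets[1:])}
    if len(gaps) != 1:
        return None
    return gaps.pop() * bin_min


if __name__ == "__main__":
    series = simulate(24)  # two hours of constructed data
    flows = [f for f, _ in series]
    traffic = [b for _, b in series]
    print("flows tooth:  ", sawtooth_period(flows))
    print("traffic tooth:", sawtooth_period(traffic))
```

A tooth length that matches a known job schedule, together with a flat flow count, points to a single recurring transfer of growing size rather than a counter or graphing error.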