Incorrect traffic values

[dan2716430]

Using sflow data from 3 switches, the traffic is incorrect: it reports ~2Tbit/s while the real traffic is ~3Gbps down / ~2Gbps up.

Let me know what additional data you need.

[simonemainardi]

please, enclose nprobe and ntopng configurations. Also, does the collector perform sampling of the traffic?

[dan2716430]

nProbe v.7.4.160719 (r5331) nProbe is the collector, started like this: nprobe --collector-port 6343 --zmq tcp://127.0.0.1:5556 >> /dev/null &

ntopng 2.4.160719 - Pro Small Business Edition, started like this: ntopng -i tcp://127.0.0.1:5556 -d /var/tmp -w 3000 -v -m 10.0.10.0/16 >> /dev/null &

[dan2716430]

No errors on nprobe:

nprobe --collector-port 6343 --zmq tcp://127.0.0.1:5556 08/Aug/2016 18:27:02 [nprobe.c:3399] Valid nProbe license found 08/Aug/2016 18:27:02 [nprobe.c:4864] WARNING: The output interfaceId is set to 0: did you forget to use -Q perhaps ? 08/Aug/2016 18:27:02 [nprobe.c:4867] WARNING: The input interfaceId is set to 0: did you forget to use -u perhaps ? 08/Aug/2016 18:27:02 [nprobe.c:4908] -i is ignored as --collector-port|-3 has been used: using '-i none' 08/Aug/2016 18:27:02 [nprobe.c:4967] Welcome to nProbe v.7.4.160719 ($Revision: 5331 $) for x86_64-unknown-linux-gnu with native PF_RING acceleration 08/Aug/2016 18:27:02 [nprobe.c:4977] Running on Debian GNU/Linux 7.10 (wheezy) 08/Aug/2016 18:27:02 [nprobe.c:4988] [LICENSE] nProbe SystemId: 08/Aug/2016 18:27:02 [nprobe.c:5077] WARNING: -n parameter is missing. 127.0.0.1:2055 will be used. 08/Aug/2016 18:27:02 [nprobe.c:7300] Welcome to nProbe v.7.4.160719 for x86_64-unknown-linux-gnu 08/Aug/2016 18:27:02 [plugin.c:1030] 0 plugin(s) enabled 08/Aug/2016 18:27:02 [nprobe.c:6828] Non IPv4/v6 traffic is discarded according to the template 08/Aug/2016 18:27:02 [util.c:434] GeoIP: loaded AS config file /usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat 08/Aug/2016 18:27:02 [util.c:445] GeoIP: loaded AS IPv6 config file /usr/share/ntopng/httpdocs/geoip/GeoIPASNumv6.dat 08/Aug/2016 18:27:02 [nprobe.c:5487] Using packet capture length 128 08/Aug/2016 18:27:02 [nprobe.c:7476] IPv6 traffic will NOT be exported/accounted by this probe 08/Aug/2016 18:27:02 [nprobe.c:7477] due to configuration options (e.g. use NetFlow v9) 08/Aug/2016 18:27:04 [nprobe.c:7623] Not capturing packet from interface (collector mode) 08/Aug/2016 18:27:04 [util.c:4036] Initializing ZMQ as server 08/Aug/2016 18:27:04 [util.c:4079] Succesfully created ZMQ endpoint tcp://127.0.0.1:5556 08/Aug/2016 18:27:04 [collect.c:147] Flow collector listening on port 6343 (IPv4/v6) 08/Aug/2016 18:27:04 [nprobe.c:7848] nProbe started successfully

[dan2716430]

Isn't nProbe the collector?

If you ask if the switches are doing sampling, they shouldn't. I used sflowtrend before and it reported correct data.

[lucaderi]

@dan2716430 With sFlow sampling rate is dynamic and it's part of the sFlow packet. If the traffic rate is not correct there are some discrepancies between the flows being collected by nProbe. In order to fix this issue I need a pcap containing sflow flows so I can check what is going on.

[dan2716430]

How can I send you the pcap file privately?

[lucaderi]

Email deri@ntop.org

[dan2716430]

Email sent

[lucaderi]

Fixed in nProbe. Apparently the sFlow switch does not always report correct values for the samplePool: added an extra check and now it works.