pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

flow counters seem too low #1007

Closed raimopinding closed 5 months ago

raimopinding commented 7 months ago

Hi!

I have fastnetmon (paid version) and I want to use flow-based thresholds for DDoS alerting, but when I look at the in_flows/out_flows counters they don't seem accurate (the bytes and packets counters, on the other hand, do seem accurate). For example, this is the output of the "show single_host_counters ..." command for a DNS server (a lot of DNS requests over UDP):

icmp_in_bytes 72 icmp_in_packets 0 icmp_out_bytes 3470 icmp_out_packets 29 in_bytes 236412 in_flows 6 in_packets 874 out_bytes 120032 out_flows 9 out_packets 1249 tcp_in_bytes 0 tcp_in_packets 0 tcp_out_bytes 2 tcp_out_packets 0 tcp_syn_in_bytes 0 tcp_syn_in_packets 0 tcp_syn_out_bytes 0 tcp_syn_out_packets 0 udp_in_bytes 236334 udp_in_packets 873 udp_out_bytes 116555 udp_out_packets 1216

There should be more than 1000 flows per second for that host, but the flow counters are consistently around 10 or so... Is there something that I could check in my config, or any ideas what could cause that?

PS! Also, as I understand it, flow counters should work only for IPv4 and IPv6 is not supported yet?

EDIT: btw I am running fastnetmon in mirror mode.

pavel-odintsov commented 7 months ago

Hello!

"PS! Also, as I understand it, flow counters should work only for IPv4 and IPv6 is not supported yet?"

Right, it's on our roadmap to add IPv6 support: https://features.fastnetmon.com/feature-requests/p/add-support-for-flow-tracking-in-ipv6-mode

"EDIT: btw I am running fastnetmon in mirror mode."

Our default configuration for port mirror uses sampling, and flow/s calculation is not available when sampling is enabled: https://fastnetmon.com/docs-fnm-advanced/fastnetmon-connection-tracking/

Thank you!

raimopinding commented 7 months ago

Thanks for your reply! Just to clarify, as I understand it, disabling "mirror_af_packet_sampling" is highly not recommended, as described here:

https://fastnetmon.com/docs-fnm-advanced/fastnetmon-port-mirror-configuration/

so basically in mirror mode (using the default sampling rate of 100) the flow/s counter still works, but is much smaller than the actual number (depending on the sampling rate). But if disabling sampling is not advised, what about making it smaller to get a more accurate number, like 10 or so? Will it break something?

And also, what is the recommended way to get accurate flow/s counters, in other words, which method does not use sampling?

pavel-odintsov commented 7 months ago

Hello!

The only option to get correct flow counters is to disable sampling completely or to use 1:1 Netflow or IPFIX from your router.

In the case of port mirror, it dramatically increases the CPU load on FastNetMon and may reach its scalability limitation, which is around 10G or less.

Sincerely yours, Pavel Odintsov

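Why a sampled in_flows value cannot simply be rescaled the way bytes and packets can, as an added illustration that is not part of this issue thread or of FastNetMon's code: a small Python model of per-host counters fed from a 1:N sampled mirror port. It assumes sampling keeps every N-th packet, uses constructed DNS traffic, and names its own helpers (Packet, dns_queries, sampled_counters); the second scenario shows that even a 1:10 rate can leave in_flows at 1 while the host really has 10 flows.

```python
from dataclasses import dataclass

SAMPLING_RATE = 100  # default 1:100 mirror sampling discussed in the thread (assumed)

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int

    def flow_key(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)

def dns_queries(n_clients, per_client, server="192.0.2.53", size=108):
    """Constructed traffic: each client sends per_client UDP queries from one
    fixed source port, interleaved round-robin as concurrent clients would
    appear on a mirror port, so every client is exactly one flow."""
    pkts = []
    for _ in range(per_client):
        for i in range(n_clients):
            pkts.append(Packet(f"10.0.{i // 256}.{i % 256}", 53000, server, 53, "udp", size))
    return pkts

def true_counters(packets):
    """Counters an unsampled (1:1) feed would produce for the DNS server."""
    return {"in_packets": len(packets),
            "in_bytes": sum(p.length for p in packets),
            "in_flows": len({p.flow_key() for p in packets})}

def sampled_counters(packets, rate):
    """Model of counters from a 1:rate sampled stream (assumption: keep every
    rate-th packet). Packets and bytes scale back up by rate; flows are only the
    distinct 5-tuples actually seen, so unseen flows are never extrapolated."""
    sampled = packets[::rate]
    return {"in_packets": len(sampled) * rate,
            "in_bytes": sum(p.length for p in sampled) * rate,
            "in_flows": len({p.flow_key() for p in sampled})}

def compare(n_clients, per_client, rate=SAMPLING_RATE):
    pkts = dns_queries(n_clients, per_client)
    return true_counters(pkts), sampled_counters(pkts, rate)

if __name__ == "__main__":
    for n, q in ((1000, 1), (10, 100)):
        truth, seen = compare(n, q)
        print(f"{n} clients x {q} queries: true={truth} sampled={seen}")
```

Only the rate=1 case reproduces the true flow count, which matches the advice above to disable sampling or use 1:1 Netflow/IPFIX before relying on flow-based thresholds.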