For When You Can't Have The Real Thing

2009-02-24 #1

Created by dave. Last edited by dave, 15 years and 36 days ago. Viewed 3,308 times. #3

Catch Up

So everything was ticking along pretty nicely, then we had to go and change something.

The something that we changed was the last manageable switch before we hand off to our upstream. It was a 3Com 4900; it is now a Dell PowerConnect 3448. After this change, the flows appeared to capture only half of each conversation (this is documented on the page about Port Monitoring). After some fiddling around, we now have the switch set up so that if you run tcpdump on the interface attached to the mirror port, we do in fact see both directions of the conversation; however, the flows captured still show only one side, usually the inbound side.

Ironic that a 3Com can do something "correctly" that a Dell can't. Or perhaps, the 3Com is just broken in a way that turns out to be useful.

After much messing about with various netflow collectors, it occurred to me that the problem was the flow generator, not the flow collector. And so far we only have the one flow generator, fprobe. This tool appears to have ceased development at this time.

So today we're trying something else: instead of having fprobe listen on the raw interface, we're going to get it to listen only on the VLAN that the internet traffic is running on, on the theory that the VLAN-tagged packets the Dell is generating are confusing fprobe somehow.

So our new fprobe invocation is:

# fprobe -f"ip" -i eth2.1942 -e 120 -q 10240 localhost:999
New:
  • -e 120 means expire active flows at 120 seconds; research indicates that at 100Mb speeds the 32-bit counters can roll over in less than five minutes; reducing the sample period to 120 seconds will increase the number of data points, reducing the likelihood of a 32-bit rollover.
  • -q 10240 means have up to 10K flows pending (default was 100). Memory is cheap.
Useful for examining captured flows:
# flow-export -f2 $FLOW | grep $TARGET

And guess what? fprobe is now generating proper flow! Hooray!
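An added check, not part of the original page, for the two things discussed above: whether exported flows are one-sided (a conversation recorded in only one direction, the symptom before the VLAN change), and whether an active-flow expiry interval exports before a saturated link could wrap a 32-bit octet counter. The field names and sample flow records are constructed for the example; they are not the exact flow-export -f2 column layout.

```python
# Added example (not from the original page): detect one-sided conversations in a
# set of exported flow records and sanity-check the -e expiry against counter rollover.

# Constructed sample records: (srcaddr, dstaddr, srcport, dstport, prot, doctets).
# Field order is an assumption for this example, not flow-tools' own header.
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 51234, 80, 6, 1800),
    ("192.0.2.10", "203.0.113.5", 80, 51234, 6, 45000),   # reply to the flow above
    ("203.0.113.7", "192.0.2.10", 40001, 443, 6, 2200),   # no reply flow recorded
    ("198.51.100.9", "192.0.2.20", 53, 33000, 17, 512),   # no reply flow recorded
]


def one_sided_conversations(flows):
    """Return the set of 5-tuples (src, dst, sport, dport, prot) with no reverse flow."""
    seen = {f[:5] for f in flows}
    # The reverse key swaps addresses and ports and keeps the protocol.
    return {k for k in seen if (k[1], k[0], k[3], k[2], k[4]) not in seen}


def one_sided_ratio(flows):
    """Fraction of distinct 5-tuples lacking a reverse flow; close to 1.0 is the symptom."""
    keys = {f[:5] for f in flows}
    return len(one_sided_conversations(flows)) / len(keys) if keys else 0.0


def seconds_until_octet_wrap(link_bits_per_sec, counter_bits=32):
    """Seconds for a saturated link to overflow an unsigned octet counter of this width."""
    return (2 ** counter_bits) / (link_bits_per_sec / 8)


def expire_interval_is_safe(expire_secs, link_bits_per_sec):
    """True if active flows are exported before a saturated link could wrap the counter."""
    return expire_secs < seconds_until_octet_wrap(link_bits_per_sec)


if __name__ == "__main__":
    print("one-sided:", sorted(one_sided_conversations(SAMPLE_FLOWS)))
    print("ratio:", one_sided_ratio(SAMPLE_FLOWS))
    print("100Mb wrap (s):", round(seconds_until_octet_wrap(100_000_000)))
    print("-e 120 safe at 100Mb:", expire_interval_is_safe(120, 100_000_000))
```

On real data, feed the 5-tuples parsed from flow-export output into one_sided_ratio; a value near 1.0 on TCP traffic points at the generator or the mirror, not the collector.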

This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.
