6 Replies Latest reply on Mar 27, 2008 6:23 AM by Paul.Aitken

    "Spiky" Graphs in NetFlow

      Hi, I'm using netflow to monitor my traffic on serveral WAN lines. I know for sure that the wan link is under continuous use since 200+ citrix users are logged in via one of these links. But NetFlow doesnt show this use. One minute it shows like 15 MB TCP packets, the next minute it is 0 MB TCP packets, then its 2 - 3 minutes 7 MB TCP, then it goes to 15 MB TCP again for one minute, and then back to 0 MB TCP...


      Does Netflow have issues calculating the right averages?

        • Re: "Spiky" Graphs in NetFlow
          achrich

          hi,

           

          Ive noticed a simlair thing with HTTP, i`ve also noticed traffic completely vanishing when their is a lot of it, not sure if thats netflow related or not. Seems to be few bugs with the current version, does anyone know if there will be any more hotfixes or are we waiting for v3 ?

           

          Cheers

            • Re: "Spiky" Graphs in NetFlow
              davidmaltby

              Currently we're in the last iteration of the 3.0 development cycle and have fixed this issue for that release.  If resolution to this issue is critical at this point in time, please contact our suport and we'll see what we can do.


              This issue could be described as a rounding issue.  The data is getting associated with the nearest minute causing spikes at certain minutes and valleys at others.


               Thanks,

            • Re: "Spiky" Graphs in NetFlow

              If you are interested in joining the NetFlow beta to check out the new features and issue resolutions, you can sign up for the beta at http://www.surveymonkey.com/s.aspx?sm=HmC06amVVUntOrIZmKg0fw_3d_3d.

              • Re: "Spiky" Graphs in NetFlow

                If you're using Cisco routers, this could also be caused by the router's netflow cache becoming full. At that point the router will enter "emergency expiry" where a number of flows will be immediately aged, expired from the netflow cache and exported to the collecting device in order to free up space for some more flows. So you'd see a sudden burst of flows. The free cache entries will absorb new flows for a short time, so potentially less traffic would be exported immediately after.

                 

                You can check how full the router's netflow cache is using the "sh ip cache flow" command. The output will contain a line like this:


                IP Flow Switching Cache, 4456704 bytes
                  0 active, 65536 inactive, 0 added

                 

                In this case the cache is empty. However, if the "active" count is very high compared with the "inactive" count, then the cache is quite full.

                The cache timeouts can be controlled with  the "ip flow-cache timeout ..." commands, while the cache size can be controlled with the "ip flow-cache entries ..." command.