8 Replies Latest reply on May 23, 2008 9:19 AM by Andy McBride

    Missing Chart Data in NetFlow v3.0

      I would assume that much of the missing data has to do with the V3 performance problem not processing all the data in the queues, but maybe not so I am asking...  I was tracking down some performance issues today with Orion and while the router serial interface was at ~100% since noon today, none of the flows causing the problem were showing up in NetFlow...  Will they ever?


      From what I can see there is a great deal of traffic not being processed due to what I assume is the performance problem with the SQL database and it getting behind.  With a fairly small SQL server and a single NetFlow enabled router with a fairly low number of flows we are seeing I/O queues >4000 on the SQL server storage drive.


      I am not sure what percentage of the flows we are losing but it seems pretty large...  I have screen shots and charts to indicate better what I am seeing but here might not be the right place...

        • Re: Missing Chart Data in NetFlow v3.0
          aLTeReGo

          I have screen shots and charts to indicate better what I am seeing but here might not be the right place...

          Here is definitely the right place. Show us what you're seeing.

            • Re: Missing Chart Data in NetFlow v3.0

              From the router IP flow cache you can see the partners in the traffic.  These are not the ones listed in the NetFlow conversations for this 10.20.0.30 IP address.  Also, the charts for the NetFlow traffic do not jibe with the charts for the interface traffic, even though we know where it is coming from.  The NetFlow traffic is peaky and only shows ~5MB per 15 minutes as a max, but the Orion interface charts (and the router itself) show a pegged interface at 256Kbps (~22MB/15minutes)...  Seems to me we are missing a large amount of data in the flow traffic…  We are missing both data and hosts, so to me that constitutes flows we are dropping.

              SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
              Se0/2/0       69.26.185.67    Vl1           10.20.0.30      06 0050 1210    54
              Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 1229   629
              Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 1228   649
              Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 122B    14
              Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 122C    65

              If the ratio of flows to packets corresponds to about 11-14 flows per packet as it seems, and we are not processing the ~325K packets left in the Raw Packet Queue when we restart the service every night at 4am, that amounts to 3.5-4.5 million flow stat updates we are missing every day.
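
Added example, not part of the original thread and not SolarWinds or Cisco code: one way to make the comparison described in the post above, decoding the router's flow cache rows (the Pr, SrcP and DstP columns are hexadecimal) and listing the partners of 10.20.0.30 that the collector does not show. The collector partner set is a constructed placeholder, since the thread does not list it.

```python
import re

# Rows copied from the router output quoted in the post above.
FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/2/0       69.26.185.67    Vl1           10.20.0.30      06 0050 1210    54
Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 1229   629
Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 1228   649
Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 122B    14
Se0/2/0       69.26.185.123   Vl1           10.20.0.30      06 0050 122C    65
"""

# Constructed value: stands in for the hosts the collector's conversation view shows.
COLLECTOR_PARTNERS = {"192.0.2.10"}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEX = r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})"
ROW = re.compile(rf"^(\S+)\s+{IP}\s+(\S+)\s+{IP}\s+{HEX}\s+(\d+)$")

def parse_flow_cache(text):
    """Return one dict per flow row; header and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _, src, _, dst, proto, sport, dport, pkts = m.groups()
        flows.append({"src": src, "dst": dst, "pkts": int(pkts),
                      # Pr, SrcP and DstP are printed in hex by the router
                      "proto": int(proto, 16), "sport": int(sport, 16), "dport": int(dport, 16)})
    return flows

def packets_by_partner(flows, local_ip):
    """Sum packets per remote host talking to local_ip, in either direction."""
    totals = {}
    for f in flows:
        if local_ip in (f["src"], f["dst"]):
            remote = f["src"] if f["dst"] == local_ip else f["dst"]
            totals[remote] = totals.get(remote, 0) + f["pkts"]
    return totals

def missing_from_collector(flows, local_ip, collector_partners):
    """Partners the router sees but the collector does not, busiest first."""
    seen = packets_by_partner(flows, local_ip)
    gone = [(ip, n) for ip, n in seen.items() if ip not in collector_partners]
    return sorted(gone, key=lambda item: -item[1])

if __name__ == "__main__":
    print(missing_from_collector(parse_flow_cache(FLOW_CACHE), "10.20.0.30", COLLECTOR_PARTNERS))
```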