1 Reply Latest reply on Jan 7, 2014 8:34 AM by luttrell

    Understanding Flow Collection???

    Wally Steadman

      Good day all,

      So I am fairly new to using Solarwinds since I started with a new company.  I have a Brocade Switch and on it I have configured SFlow.  When I run a show sflow command I get the following output (addresses changed to protect the innocent )

       

      SSH@MyDevice#show sflow

      sFlow version: 5

      sFlow services are enabled.

      sFlow agent IP address: xxx.xxx.xxx.xxx

      2 collector destinations configured:

      Collector IP xxx.xxx.xxx.xxx, UDP 6343

      Collector IP xxx.xxx.xxx.xxx, UDP 2055

      Polling interval is 20 seconds.

      Configured default sampling rate: 1 per 2048 packets.

      Actual default sampling rate: 1 per 2048 packets.

      The maximum sFlow sample size: 128.

      sFlow exporting cpu-traffic is disabled.

      12202490 UDP packets exported

      15433597 sFlow samples collected.

      sFlow ports: ethe 14 ethe 23 to 24

      Port Sampling Rates

      -------------------

      Port=14, configured rate=2048, actual rate=2048

      Port=23, configured rate=2048, actual rate=2048

      Port=24, configured rate=2048, actual rate=2048

       

      I have also added a screen capture of what I am seeing in NetFlow for this device and I am just trying to understand where the collection is happening from.  So from the above output, I only have sflow forwarding on 3 ports and that is true.  But when I look in NetfFlow I am seeing information from many more ports and not sure I understand why and would like any assistance in better understanding this. 

       

      Thanks for any assistance

      Wally

        • Re: Understanding Flow Collection???
          luttrell

          Hi Wally,

           

          If you take a wireshark capture on the Orion server and filter for sflow traffic from this device this may help understand it a bit better.

          Take a look at the InputInt and OutputInt values - these are the ingress/egress interface indexes.

          NTA wireshark.png

          Both interfaces will be shown under netflow sources, regardless of whether they are configured to forward flows or not. Most likely, conversations are coming into/going out of your configured interfaces and out of/into the other ones.

           

          This should be normal behavior.

          1 of 1 people found this helpful