Ethereal-dev: Re: [Ethereal-dev] Cisco NetFlow (and Juniper Cflowd) dissector

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Hannes Gredler <hannes@xxxxxxxxxxx>
Date: Thu, 5 Sep 2002 22:54:06 +0200
On Thu, Sep 05, 2002 at 03:43:45PM -0400, Matthew Smart wrote:
| If you could provide me with documentation on how Juniper treats
| the last, reserved field in the header, I would be grateful.
| 
| Cisco treats this as undocumented and unsupported.
| Also, the field only represents the sampling rate if the top
| two bits are == 10b.  I have code to do the right thing in
| this case.
| 
| I have removed Cisco-specific language from the dissector.

matt,

in our implementation of cflowd we do not generate sample records on a per flow
basis but rather on a discrete sample interval - i.e. for 1 out of each N packets
a netflow record is generated; typical values are N=1000...10000 depending
on network load;
in order to correlate the data at the cflowd we need to convey the sample
factor to get an estimation about the original traffic volume.
we use the reserved field for that purpose;

on the router typically it is configured like

forwarding-options {
    sampling {
        input {
            family inet {
                rate 1000;
                run-length 0;
                max-packets-per-second 1000;
            }
        }
        output {
            cflowd 192.168.1.1 {
                port 5000;
                version 5;
                autonomous-system-type peer;
            }
        }
    }
}


/hannes
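
The handling of the reserved field discussed in this thread, as an added example that is not part of the original messages or of the Ethereal dissector: it reads the last two bytes of the 24-byte NetFlow v5 header, applies the "top two bits == 10b" rule from the quoted message, and scales a sampled counter by N. The function names, the constructed sample header, and the reading of the low 14 bits as N are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NF5_HDR_LEN      24   /* fixed size of a NetFlow v5 export header */
#define NF5_RESERVED_OFF 22   /* last two header bytes: the "reserved" field */

/* Constructed sample header: version 5, count 1, reserved = 10b | 1000. */
const uint8_t nf5_sample_hdr[NF5_HDR_LEN] = {
    0x00, 0x05, 0x00, 0x01,      /* version, record count */
    0, 0, 0, 0,  0, 0, 0, 0,     /* sys_uptime, unix_secs */
    0, 0, 0, 0,  0, 0, 0, 0,     /* unix_nsecs, flow_sequence */
    0x00, 0x00,                  /* engine_type, engine_id */
    0x83, 0xE8                   /* 0x8000 | 1000 */
};

/* Read a big-endian (network order) 16-bit value. */
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Return N for 1-in-N sampling, or 0 when the datagram is too short,
 * is not version 5, or the top two bits of the field are not 10b. */
uint16_t nf5_sample_rate(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < NF5_HDR_LEN || be16(pkt) != 5)
        return 0;
    uint16_t field = be16(pkt + NF5_RESERVED_OFF);
    if ((field >> 14) != 0x2)    /* field does not carry a sampling rate */
        return 0;
    return field & 0x3FFF;       /* assumed: low 14 bits hold N */
}

/* Estimate the original volume from a sampled counter; a rate of 0
 * means "no sampling information" and leaves the counter unchanged. */
uint64_t nf5_estimate(uint32_t counted, uint16_t rate)
{
    return rate ? (uint64_t)counted * rate : counted;
}

int main(void)
{
    uint16_t n = nf5_sample_rate(nf5_sample_hdr, sizeof nf5_sample_hdr);
    printf("rate 1/%u, 1500 sampled octets ~ %llu original\n",
           (unsigned)n, (unsigned long long)nf5_estimate(1500, n));
    return 0;
}
```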