Impossible numbers

[snapon_admin]

We're seeing some impossible bandwidth utilization on our queries. In this example, we're looking at a circuit that has 200Mbps bandwidth and the numbers are adding up to impossible totals. 78MB is 624Mb, way more than we have. And even if there's an error and what is displayed as MB is actually Mb the first 5 add up to 248Mbps, which is still impossible. Any thoughts on what we're seeing here and why the numbers don't add up?

impossible.png

[cmerchant]

The collection start and stop times along with the duration for the interfaces are not consistent, so there will be overlap, thus the total would not be reliable.

[snapon_admin]

Ok, that makes sense to me, but we see it even if the flows are at the same time.

impossible 2.png

These 4 add up to 212Mbps (assuming that Bytes/Sec is actually Bits/Sec, which is another issue that should probably be addressed), which is still more than we have available. Also, is there any way to run a query like this and see the top conversations for a set time frame? If this query only shows the flows during this time frame it's not really a proper total and isn't really what we're looking for. We want to see the total utilization from x time to y time, not just specific flow data that happens to fall within that time frame.

[tmcdonald]

What sort of devices are sending this flow data? The 0 packets per flow is also a bit odd. It's possible the device is reporting the netflow data incorrectly.

[snapon_admin]

Sorry to necro an old thread, but we finalyl got around to looking more into this. When we put these sources in a different netflow collector we got the same numbers so, hurray (I guess?)! It looks like network analyzer is at least receiving the proper data from the devices. Now why don't they add up? One thing we thought might be is that the collector is looking at all ingress and egress traffic and including that in the flow. Makes sense, if we add everything up it should come out to close to double what our available bandwidth is. That being the (possible) case, does anyone know if there's a way that I can do a query, aggregate by the srcip and dstip, and only show say ingress or egress traffic?

[ssax]

So if I wanted to see inbound for interface 1, I could create a view:
Name: SOURCE_Int_1_Inbound
Limiter: dst ip 10.10.10.1

If I wanted to see outbound for Interface 1:
Name: SOURCE_Int_1_Outbound
Limiter: src ip 10.10.10.1

If I wanted to see inbound and outbound for Interface 1:
Name: SOURCE_Int_1_All
Limiter: ip 10.10.10.1

Then go to your source and click on queries, select your view, and aggregate by:
- If you selected Inbound, use dstip
- If you selected Outbound, use srcip
- If you selected All, use srcip or dstip

Then if you are looking at summary or reports you can use limit the info by selecting your view from the Display View dropdown at the top.

[snapon_admin]

Every time I try to run that I get the following error:

Code: Select all

Error!
There was an error running nfdump command: /usr/local/bin/nfdump -M '/usr/local/nagiosna/var/LisleIL-L2L/views/LisleIL_L2LOutbound/' -R . -t '2015/06/30.11:00:59-2015/06/30.11:20:59' -N -a -A 'srcip,dstip' -o 'fmt:{"protocol": "%pr", "start": "%ts", "end": "%te", "duration": "%td", "srcip": "%sa", "dstip": "%da", "srcport": "%sp", "dstport": "%dp", "srcas": "%sas", "dstas": "%das", "packets": %pkt, "bytes": %byt, "flows": %fl, "packets": %pkt, "tos": %tos, "bps": %bps, "pps": %pps, "Bpp": %bpp}' 2> /dev/nul

[ssax]

So you created the views, then when you went to query or reports you changed the view at the top to one of the new views you created, then you aggregated by srcip or dstip? Which view did you select and what did you type in for the aggregate by?

[snapon_admin]

I selected the outbound view and aggregated by dstip. I also tried srcip and srcip,dstip just to see and got the error each time.

EDIT: hmm, just tried it now and I only get the error when using both (srcip,dstip). When I do either dstip or srcip I just get no results.

[ssax]

Here's an example of mine so you can see how it's set up:

nna_xi_outbound_1.png

nna_xi_outbound_2.png

nna_xi_outbound_3.png