Mailing List Archive

Netflow/Sflow for "irrelevant" traffic?
Hello!

I'm just curious mostly but has anyone found a platform that has high enough sflow/netflow "resolution" that it picks up things like single pings, or broadcast traffic, or other very low volume traffic?

I've noticed that on the switches we're using at the moment it doesn't seem to export anything for what I suppose someone decided is irrelevant traffic.

Thanks,
-Drew

_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
> On 30 Jul 2020, at 18:48, Drew Weaver <drew.weaver@thenap.com> wrote:
>
> I'm just curious mostly but has anyone found a platform that has high enough sflow/netflow "resolution" that it picks up things like single pings, or broadcast traffic, or other very low volume traffic?

I think what you’re looking for is gear which supports 1:1 flow telemetry at the interface speeds/densities you require.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>



Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
So just for a refresher if you are sampling let's say at 1:500 and let's say 1 byte goes through an interface that is not intended to produce an export?

The exporting only happens if the amount of data is over a certain threshold? Does that threshold vary?

-----Original Message-----
From: cisco-nsp <cisco-nsp-bounces@puck.nether.net> On Behalf Of Dobbins, Roland
Sent: Thursday, July 30, 2020 8:18 AM
To: cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?



> On 30 Jul 2020, at 18:48, Drew Weaver <drew.weaver@thenap.com> wrote:
>
> I'm just curious mostly but has anyone found a platform that has high enough sflow/netflow "resolution" that it picks up things like single pings, or broadcast traffic, or other very low volume traffic?

I think what you’re looking for is gear which supports 1:1 flow telemetry at the interface speeds/densities you require.

--------------------------------------------
Roland Dobbins <roland.dobbins@netscout.com>



Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
On Thu, 30 Jul 2020 at 15:26, Drew Weaver <drew.weaver@thenap.com> wrote:

> So just for a refresher if you are sampling let's say at 1:500 and let's say 1 byte goes through an interface that is not intended to produce an export?
> The exporting only happens if the amount of data is over a certain threshold? Does that threshold vary?

You'd pick up every nth packet for sampling.

sample(packet) if packet_count % 500 == 0

--
++ytti
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
So if a flow is less than the sampling rate it does not export anything, I believe is what you are saying.

Thanks,
-Drew


-----Original Message-----
From: Saku Ytti <saku@ytti.fi>
Sent: Thursday, July 30, 2020 8:36 AM
To: Drew Weaver <drew.weaver@thenap.com>
Cc: Dobbins, Roland <Roland.Dobbins@netscout.com>; cisco-nsp@puck.nether.net
Subject: Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?

On Thu, 30 Jul 2020 at 15:26, Drew Weaver <drew.weaver@thenap.com> wrote:

> So just for a refresher if you are sampling let's say at 1:500 and let's say 1 byte goes through an interface that is not intended to produce an export?
> The exporting only happens if the amount of data is over a certain threshold? Does that threshold vary?

You'd pick up every nth packet for sampling.

sample(packet) if packet_count % 500 == 0

--
++ytti
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
Hi,

On Thu, Jul 30, 2020 at 12:23:28PM +0000, Drew Weaver wrote:
> So just for a refresher if you are sampling let's say at 1:500 and let's say 1 byte goes through an interface that is not intended to produce an export?

It's statistics: 1:500 says "only look at one packet in 500" - so it
will just not *see* this "1 byte" (with a very high probability).

> The exporting only happens if the amount of data is over a certain threshold? Does that threshold vary?

Not "data over threshold" but "did you see the packet or not"

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
I see, that helps, thanks.

-----Original Message-----
From: Gert Doering <gert@greenie.muc.de>
Sent: Thursday, July 30, 2020 8:38 AM
To: Drew Weaver <drew.weaver@thenap.com>
Cc: 'Dobbins, Roland' <Roland.Dobbins@netscout.com>; 'cisco-nsp@puck.nether.net' <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Netflow/Sflow for "irrelevant" traffic?

Hi,

On Thu, Jul 30, 2020 at 12:23:28PM +0000, Drew Weaver wrote:
> So just for a refresher if you are sampling let's say at 1:500 and let's say 1 byte goes through an interface that is not intended to produce an export?

It's statistics: 1:500 says "only look at one packet in 500" - so it will just not *see* this "1 byte" (with a very high probability).

> The exporting only happens if the amount of data is over a certain threshold? Does that threshold vary?

Not "data over threshold" but "did you see the packet or not"

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
On Thu, 30 Jul 2020 at 15:37, Drew Weaver <drew.weaver@thenap.com> wrote:

> So if a flow is less than the sampling rate it does not export anything, I believe is what you are saying.

If none of the 500th packets belong to flow of your interest, you
won't see anything of the flow.

--
++ytti
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
Hi,

On Thu, Jul 30, 2020 at 12:37:52PM +0000, Drew Weaver wrote:
> So if a flow is less than the sampling rate it does not export anything,
> I believe is what you are saying.

No. If you happen to just not see a packet of that flow, it will not
export anything.

You can have a flow of 100.000 packets that all just happen to always
be "one of the 499 out of 500 packets" that are not being looked at.

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
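
To put numbers on the sampling behaviour discussed in the replies above, here is an added example that is not part of the original thread. The probability functions assume independent random 1:N packet sampling; the flow names `quiet` and `bulk` and the stream layout are constructed for illustration.

```python
import math
from collections import Counter

def p_flow_seen(flow_packets: int, n: int) -> float:
    """Chance that random 1:n packet sampling picks at least one packet of a flow."""
    return 1.0 - (1.0 - 1.0 / n) ** flow_packets

def packets_for_confidence(n: int, confidence: float) -> int:
    """Smallest flow size (in packets) that is seen with at least `confidence`."""
    if n == 1:
        return 1  # 1:1 telemetry sees every packet
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / n))

def count_based_samples(stream, n: int) -> Counter:
    """The rule from the thread: sample(packet) if packet_count % n == 0.
    Returns how many sampled packets each flow contributed."""
    seen = Counter()
    for packet_count, flow in enumerate(stream, start=1):
        if packet_count % n == 0:
            seen[flow] += 1
    return seen

def constructed_stream(blocks: int = 250):
    """Constructed input: each block of 500 packets is 400 packets of flow
    'quiet' followed by 100 of flow 'bulk', so slot 500 is always 'bulk'."""
    for _ in range(blocks):
        yield from ["quiet"] * 400
        yield from ["bulk"] * 100

if __name__ == "__main__":
    n = 500
    print(f"single ping at 1:{n}: P(seen) = {p_flow_seen(1, n):.4f}")
    print(f"packets needed for 95% chance: {packets_for_confidence(n, 0.95)}")
    seen = count_based_samples(constructed_stream(), n)
    print(f"quiet flow: 100000 packets sent, {seen['quiet']} sampled")
    print(f"bulk flow:  25000 packets sent, {seen['bulk']} sampled")
```

For detection work the takeaway is that a sampled export cannot be used to conclude a low-volume event did not happen; only 1:1 telemetry or a tap gives that guarantee.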
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
If I'm not mistaken, sflow/netflow does not pick up null0 routed
flows. Plz correct me if I am wrong.

Thanks,
Hank

Caveat: The views expressed above are solely my own and do not express
the views or opinions of my employer

Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
On Thu, 30 Jul 2020 at 19:12, <hank@interall.co.il> wrote:

Hey,

> If I'm not mistaken, sflow/netflow does not pick up null0 routed
> flows. Plz correct me if I am wrong.

I don't think there is a single answer to this question. It depends on
a platform, where netflow/sflow is done and in what order are
functions executed. There will be a lot of complex corner cases
particularly with QoS, PBR and so forth.


--
++ytti
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
Exactly. For example, we do all our netflow 1:1 off a fiber tap on external appliances,
so we see all the traffic on the wire even those packets that are not forwarded or dropped locally.
That sometimes is a bit confusing as well :)

--
Chris


On 30.07.20 18:18, Saku Ytti wrote:
> On Thu, 30 Jul 2020 at 19:12, <hank@interall.co.il> wrote:
>
> Hey,
>
>> If I'm not mistaken, sflow/netflow does not pick up null0 routed
>> flows. Plz correct me if I am wrong.
> I don't think there is a single answer to this question. It depends on
> a platform, where netflow/sflow is done and in what order are
> functions executed. There will be a lot of complex corner cases
> particularly with QoS, PBR and so forth.
>
>

Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
On Thu, Jul 30, 2020, at 18:18, Saku Ytti wrote:
>
> I don't think there is a single answer to this question. It depends on
> a platform, where netflow/sflow is done and in what order are
> functions executed. There will be a lot of complex corner cases
> particularly with QoS, PBR and so forth.

For sFlow, most (??? all ???) platforms sample *inbound* traffic only. That means null-routed traffic will be sampled even before the decision of null-routing occurs.

NetFlow, that's another story.

--
R.-A. Feurdean
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
Radu-Adrian FEURDEAN wrote on 31/07/2020 19:28:
> For sFlow, most (??? all ???) platforms sample *inbound* traffic only.

Pretty much all chipsets that support sflow allow both ingress and
egress sampling, even though some of the operating systems don't
necessarily have the command constructs to configure this.

No idea about Cisco's other operating systems, but NX-OS only supports
joint ingress + egress sampling and there's no way to turn off egress
sampling. Hard to tell what the rationale for this is. At least on the
earlier sflow-enabled broadcom platforms, the switch hardware API
supports it and you can toggle it in bcmsh, so their decision not to
enable this as a config setting seems to be a bit dysfunctional.

Nick
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
On Sat, Aug 1, 2020, at 11:34, Nick Hilliard wrote:
> Radu-Adrian FEURDEAN wrote on 31/07/2020 19:28:
> > For sFlow, most (??? all ???) platforms sample *inbound* traffic only.
>
> Pretty much all chipsets that support sflow allow both ingress and
> egress sampling, even though some of the operating systems don't
> necessarily have the command constructs to configure this.

That is mostly due to how the specification is interpreted. The sampling algorithm starts with "When a packet arrives on an interface" which may make some believe that only inbound traffic is to be sampled. I even heard people (working for a specific vendor) saying "this (inbound only sampling) is what the standard specifies", which is not really accurate.

> No idea about Cisco's other operating systems,

Some of the newer versions of Catalyst seem to be among the rare exceptions that do support sflow outside the Nexus line, and they have the commands to enable inbound or outbound sampling.

--
R.-A. Feurdean
Re: Netflow/Sflow for "irrelevant" traffic? [ In reply to ]
On 1/Aug/20 12:05, Radu-Adrian FEURDEAN wrote:

> That is mostly due to how the specification is interpreted. The sampling algorithm starts with "When a packet arrives on an interface" which may make some believe that only inbound traffic is to be sampled. I even heard people (working for a specific vendor) saying "this (inbound only sampling) is what the standard specifies", which is not really accurate.

Are most networks still only sampling on ingress?

We sample in both directions as standard, and the resulting data tracks
well.

Mark.