Mailing List Archive

nprobe in proxy mode, changing sampling rate for different collectors
Is it possible to use nprobe in proxy mode to collect netflow data at one sampling rate and send it to a collector at a different sampling rate? For example, Cisco router sending at a 1:2000 sampling rate to nprobe proxy and proxy sending that netflow data to collector at 1:3000 rate. And if so, can you specify multiple downstream collectors with different sampling rates? The rationale is that we have various netflow collectors that want flow info in various sampling rates.

Thanks.

George Wise

Senior Network Engineer


o. 678.835.5064 | c. 678.206.7791


300 Satellite Blvd. NW | Suwanee, GA 30024


george.wise@qtsdatacenters.com


qtsdatacenters.com<http://www.qualitytech.com/>




QUALITY TECHNOLOGY SERVICES CONFIDENTIALITY NOTICE:
This e-mail message including its attachments is classified COMPANY CONFIDENTIAL. It is intended for the person or entity to which it is addressed and may contain confidential material. Quality Technology Services controls the distribution of COMPANY CONFIDENTIAL assets, as such, any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact us at irt@qtsdatacenters.com or 866-239-5000 and destroy all copies of the original message. Thank you.

Re: nprobe in proxy mode, changing sampling rate for different collectors
Hi George,


> On 26 Apr 2018, at 19:48, Wise, George <George.Wise@Qtsdatacenters.com> wrote:
>
> Is it possible to use nprobe in proxy mode to collect netflow data at one sampling rate and send it to a collector at a different sampling rate? For example, Cisco router sending at a 1:2000 sampling rate to nprobe proxy and proxy sending that netflow data to collector at 1:3000 rate.

See option

[--sample-rate|-S] <pkt rate>:<flow collection rate>:<flow export rate>

In your case you can do:

-S 1:2000:3000

So nprobe will scale up incoming flows by a factor 2000, that is, if an incoming flow has 100 IN_BYTES, it will be scaled up to 200 000 IN_BYTES.

Then, nprobe will send out 1 every 3 000 flows it has received from the collector.

NOTE that with this approach the final collector will end up having one flow out of (1/2000)x(1/3000) = 6 Million flows. So I am not sure this is really what you want.

If 1:3000 is the final sampling rate with reference to the original Cisco, then you can get close to it using

-S 1:2000:1
or
-S 1:2000:2

The exact number would be 1.5, but only integer numbers are allowed.



> And if so, can you specify multiple downstream collectors

yes

> with different sampling rates?

no

> The rationale is that we have various netflow collectors that want flow info in various sampling rates.


Simone
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
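
Added example (not part of the original thread and not ntop code): a small Python model of the -S arithmetic described in the reply above, showing which integer export rates bracket a target rate and what a collector has to multiply by to recover traffic volume. The function names and sample flows are constructed, and picking every Nth flow deterministically is an assumption.

```python
from fractions import Fraction

def export_rate_options(upstream, target):
    """Integer flow-export rates bracketing target/upstream, each paired with
    the resulting end-to-end sampling rate (1:N relative to the router)."""
    if upstream < 1 or target < upstream:
        raise ValueError("need 1 <= upstream <= target")
    exact = Fraction(target, upstream)            # 3000/2000 -> 3/2
    lo = exact.numerator // exact.denominator     # round down
    hi = lo if exact.denominator == 1 else lo + 1 # round up if not an integer
    return exact, [(m, upstream * m) for m in sorted({lo, hi})]

def proxy(flow_bytes, collection_rate, export_rate):
    """Model of the behaviour described in the reply: scale every incoming
    byte counter by collection_rate, then export 1 flow out of export_rate.
    Assumption: every export_rate-th flow is the one exported."""
    scaled = [b * collection_rate for b in flow_bytes]
    return scaled[export_rate - 1::export_rate]

def collector_estimate(exported_bytes, export_rate):
    """Counters already account for the router's sampling after scaling, so
    the collector only has to undo the export sampling."""
    return sum(exported_bytes) * export_rate

if __name__ == "__main__":
    exact, options = export_rate_options(2000, 3000)
    print(f"exact export rate would be {float(exact)}")
    for m, effective in options:
        err = (effective - 3000) / 3000
        print(f"  -S 1:2000:{m} -> effective 1:{effective} ({err:+.0%} vs 1:3000)")

    # -S 1:2000:3000 compounds both rates instead of replacing one by the other.
    print("  -S 1:2000:3000 -> effective 1:%d" % (2000 * 3000))

    # Constructed sample: six sampled flows of 100 IN_BYTES each from the router.
    sample = [100] * 6
    out = proxy(sample, 2000, 2)
    print("exported flows:", out)
    print("collector volume estimate:", collector_estimate(out, 2))
```

A collector that uses byte or flow counts for alert thresholds needs the effective rate printed here, not the router's configured rate, or its volume estimates will be off by the export factor.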