Hello,
We are using the version of nprobe to work with Kentik (nprobes) and we are seeing packets being reported incorrectly when using sampling.
$sudo nprobe -v
Welcome to nProbe v.7.5.170306 (r5675) for x86_64-unknown-linux-gnu
Copyright 2002-17 ntop.org
Build OS: CentOS release 6.8 (Final)
Example script being used:
-q=A.A.A.A:6650
-n=X.X.X.X:9995
-n=Y.Y.Y.Y:2056
-V=5
-a=
-i=myri1-1
-S=160:1
-t=60
--if-networks=@/etc/cento/networks
-b=1
-Q=1
-u=1
--dump-stats=/var/log/nprobe/myri1-1-0_flows_stats.txt
With the above, when I perform a controlled bandwidth test using a traffic generator, the packets per second being reported to Kentik is roughly 350K. The traffic generator is sending 2140pps of udp packets with 1460 byte payloads at a payload rate of 25 Mbps, so 25.9 Mbps with IP header.
We also sent the same data to another collector at the same time, and we saw exact same issue in the nfacctd data.
We saw that when we changed the sample rate, the pps was multiplied by that value, so in this case 160x (2140x160=342,400).
[cid:image002.jpg@01D29670.6A8C9F70]
[cid:image003.jpg@01D29670.6A8C9F70]
This is also evident in the attached png image of wireshark output from a captured packet.
[cid:image001.png@01D2966F.6430ED30]
Can you please advise if this is a bug, and if so, the best course of action (use a previous version?), or if I am doing something wrong.
I also attached the images in case they are stripped out.
Kind regards,
Jesse
We are using the version of nprobe to work with Kentik (nprobes) and we are seeing packets being reported incorrectly when using sampling.
$sudo nprobe -v
Welcome to nProbe v.7.5.170306 (r5675) for x86_64-unknown-linux-gnu
Copyright 2002-17 ntop.org
Build OS: CentOS release 6.8 (Final)
Example script being used:
-q=A.A.A.A:6650
-n=X.X.X.X:9995
-n=Y.Y.Y.Y:2056
-V=5
-a=
-i=myri1-1
-S=160:1
-t=60
--if-networks=@/etc/cento/networks
-b=1
-Q=1
-u=1
--dump-stats=/var/log/nprobe/myri1-1-0_flows_stats.txt
With the above, when I perform a controlled bandwidth test using a traffic generator, the packets per second being reported to Kentik is roughly 350K. The traffic generator is sending 2140pps of udp packets with 1460 byte payloads at a payload rate of 25 Mbps, so 25.9 Mbps with IP header.
We also sent the same data to another collector at the same time, and we saw exact same issue in the nfacctd data.
We saw that when we changed the sample rate, the pps was multiplied by that value, so in this case 160x (2140x160=342,400).
[cid:image002.jpg@01D29670.6A8C9F70]
[cid:image003.jpg@01D29670.6A8C9F70]
This is also evident in the attached png image of wireshark output from a captured packet.
[cid:image001.png@01D2966F.6430ED30]
Can you please advise if this is a bug, and if so, the best course of action (use a previous version?), or if I am doing something wrong.
I also attached the images in case they are stripped out.
Kind regards,
Jesse