periodic patterns in juniper netflow exports
hi there,

I'm analyzing NetFlow traces from Abilene (which uses Juniper, of course) and I'm seeing a periodic pattern in the traces. I know about the activity and inactivity timeouts that can be set in JunOS to control flow exports, but in the data I'm analyzing it seems like there is some kind of global clock that flushes the flow cache every minute. I mean the router exports *all* flows which are active at the end of a time bin of one minute. Because of this, the flow records look like they are binned in 1 minute intervals.

By the way, I'm not talking about any manipulation done by the collector. I'm really looking at the FIRST and LAST time stamps contained in each flow record.

Can anyone tell me if there is such a timer in JunOS, i.e., flushing the flow cache every minute (or an interval defined as a parameter)?

Thanks in advance and happy New Year!

Fernando Silveira
On Jan 3, 2008, at 5:57 PM, Fernando Silveira wrote:
Can anyone tell me if there is such a timer in JunOS, i.e., flushing the flow cache every minute (or an interval defined as a parameter)?
I don't know about Juniper routers, but there's such a setting in Cisco routers, it's called the active flow timer. If you don't use it and don't tell your collection/analysis system what setting you've used (most folks use between 5 minutes for traffic analysis down to one minute for security-related analysis), you end up with backlogged stats which aren't chronologically representative of the actual traffic, and your graphs are all jagged and useless.

My guess would be that Juniper have a similar construct for a similar purpose. Most collection/analysis systems of which I'm aware take this setting into account, as long as you tell them what interval you're using. It's generally considered highly desirable to make use of this functionality, for the aforementioned reasons.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company
hi Roland,

actually I believe the patterns I'm talking about are not caused by the activity timer. As far as I know, the activity timer exports a flow which has been active for too long. Therefore, it should be counted from the beginning of the flow (its first packet), right?

The patterns I'm talking about would imply an absolute clock (independent of any flow) ticking every minute, and flushing the entire flow cache. The result of this would be the binning effect I mentioned.

The patterns I'm talking about seem really specific to Juniper routers. I have another set of traces (which I believe come from Cisco routers) and they don't have the periodic flow export pattern I'm referring to here.

I have two or three plots that show in detail what I'm trying to explain, but I'm not sure I can post them here. If you'd like to see them I can send them to you (or anybody interested) or I could post it on the web and send you the URL.

Thanks for the quick reply!

Fernando

On Jan 3, 2008 11:42 AM, Roland Dobbins <rdobbins@cisco.com> wrote:
On Jan 3, 2008, at 5:57 PM, Fernando Silveira wrote:
Can anyone tell me if there is such a timer in JunOS, i.e., flushing the flow cache every minute (or an interval defined as a parameter)?
I don't know about Juniper routers, but there's such a setting in Cisco routers, it's called the active flow timer. If you don't use it and don't tell your collection/analysis system what setting you've used (most folks use between 5 minutes for traffic analysis down to one minute for security-related analysis), you end up with backlogged stats which aren't chronologically representative of the actual traffic, and your graphs are all jagged and useless.
My guess would be that Juniper have a similar construct for a similar purpose. Most collection/analysis systems of which I'm aware take this setting into account, as long as you tell them what interval you're using. It's generally considered highly desirable to make use of this functionality, for the aforementioned reasons.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice
Culture eats strategy for breakfast.
-- Ford Motor Company
On Jan 3, 2008, at 7:53 PM, Fernando Silveira wrote:
The patterns I'm talking about would imply an absolute clock (independent of any flow) ticking every minute, and flushing the entire flow cache. The result of this would be the binning effect I mentioned.
Yes, what you're describing is in fact different from the Cisco active flow timer. The Cisco active flow timer is set relative to the beginning of the flow, as you indicate, and not a system-wide purge of the entire cache (I didn't parse that properly in your initial query, apologies) on some sort of fixed-time basis.

There are folks involved in various NetFlow collection/analysis efforts on this list, I'm sure one of them or someone from Juniper will respond. juniper-nsp might also be a good place to ask.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company
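The distinction the thread arrives at (an active timer counted from each flow's first packet versus a wall-clock flush of the whole cache) can be checked from the FIRST and LAST timestamps alone, by counting records that span a period boundary. This is an added example, not part of the original messages: the records are constructed, the function names are hypothetical, and it assumes continuously sending flows and a 60 s period.

```python
import math
import random

def simulate(mode, n=2000, period=60, phase=0, seed=1):
    """Constructed (first, last) records in seconds for n continuously sending flows.
    'relative': active timeout counted from each flow's first packet.
    'absolute': entire cache flushed whenever wall clock == k*period + phase."""
    rng = random.Random(seed)
    records = []
    for _ in range(n):
        t = rng.uniform(0, 3600)
        end = t + rng.expovariate(1 / 90.0)   # true flow lifetime, mean 90 s
        while t < end:
            if mode == "relative":
                cut = t + period
            else:
                cut = ((t - phase) // period + 1) * period + phase
            records.append((t, min(cut, end)))
            t = cut
    return records

def straddle_fraction(records, period=60, phase=0):
    """Share of records whose open interval (first, last) contains a boundary."""
    hits = 0
    for first, last in records:
        # First boundary strictly after the record's FIRST timestamp.
        boundary = (math.floor((first - phase) / period) + 1) * period + phase
        hits += boundary < last
    return hits / len(records)

def classify(records, period=60, tol=0.01):
    """Try every whole-second clock phase; a global flush leaves ~0 straddlers."""
    phase = min(range(period), key=lambda p: straddle_fraction(records, period, p))
    frac = straddle_fraction(records, period, phase)
    if frac <= tol:
        return "absolute", phase, frac
    return "relative", None, frac

if __name__ == "__main__":
    for mode, ph in (("relative", 0), ("absolute", 17)):
        print(mode, classify(simulate(mode, phase=ph)))
```

The phase search matters because the exporter's flush instant need not coincide with second :00 of the collector's clock; on real traces, `tol` has to absorb timestamp rounding.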