NetFlow analyzer lost some flows???
Hi.
We use two NetFlow collectors (flow-capture from the flow-tools package and NF Analyzer) to store all flows from our border router. NFA was installed yesterday. Today we compared all statistics between the two collectors and they are DIFFERENT! After a deep analysis we found that some flows are present in the flow-capture database and not present (or at least not shown in graphs) in NFA! If you want, we can email you all the needed information (screenshots, flows). For example:
212.73.245.94 80.237.-.- http 80 TCP 282.73 MB 23%
217.174.97.55 80.237.-.- http 80 TCP 200.83 MB 16%
213.200.99.29 80.237.-.- http 80 TCP 83.61 MB 7%
82.195.130.111 80.237.-.- http 80 TCP 66.79 MB 5%
217.23.153.111 80.237.-.- http 80 TCP 62.33 MB 5%
62.118.251.39 80.237.-.- http 80 TCP 51.9 MB 4%
213.248.112.72 80.237.-.- http 80 TCP 39.84 MB 3%
64.70.23.174 80.237.-.- TCP_App * TCP 33.3 MB 3%
207.44.184.47 80.237.-.- http 80 TCP 22.96 MB 2%
194.67.27.206 80.237.-.- http 80 TCP 22.95 MB 2%
This is taken from the NFA TOP Destination OUT Report for 80.237.-.-
And this is from flow-capture and flow-report (in octets):
212.73.245.94 80.237.68.11 80 282734539
217.174.97.55 80.237.68.11 80 201275465
213.200.99.29 80.237.68.11 80 83618352
217.23.153.111 80.237.68.11 80 71936296
82.195.130.111 80.237.68.11 80 67116107
194.67.57.50 80.237.68.11 80 60447941
62.118.251.39 80.237.68.11 80 53692635
217.16.31.55 80.237.68.11 80 50251743
213.180.216.200 80.237.68.11 80 47186462
213.248.112.72 80.237.68.11 80 43870064
64.70.23.174 80.237.68.11 4049 33301946
195.68.173.144 80.237.68.11 443 28752987
207.44.184.47 80.237.68.11 80 25949271
194.67.27.206 80.237.68.11 80 24101024
As you can see, in the second example we have more addresses than in NFA.
(In the TOP Destination Report we see a large amount of traffic in the line "Others 3388.63 MB 60%"). Maybe our lost traffic is here?
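One way to line the two listings up mechanically, as an added example that is not part of the original post: it parses both formats and marks each flow-report source as matching, differing from, or missing in the NFA top list. The column layouts are inferred from the rows above, 1 MB is assumed to be 10^6 octets (the first row is consistent with that), and the function names and the 2% tolerance are assumptions.

```python
# Added example: reconcile per-source volumes reported by two NetFlow collectors.
# Sample rows are a subset copied from the two listings in the post.
NFA_TOP = """\
212.73.245.94 80.237.-.- http 80 TCP 282.73 MB 23%
217.174.97.55 80.237.-.- http 80 TCP 200.83 MB 16%
217.23.153.111 80.237.-.- http 80 TCP 62.33 MB 5%
64.70.23.174 80.237.-.- TCP_App * TCP 33.3 MB 3%
"""
FLOW_REPORT = """\
212.73.245.94 80.237.68.11 80 282734539
217.174.97.55 80.237.68.11 80 201275465
217.23.153.111 80.237.68.11 80 71936296
194.67.57.50 80.237.68.11 80 60447941
64.70.23.174 80.237.68.11 4049 33301946
"""

def parse_nfa(text):
    """src -> MB from NFA rows (src dst app port proto size unit percent)."""
    out = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) == 8 and fields[6] == "MB":
            out[fields[0]] = out.get(fields[0], 0.0) + float(fields[5])
    return out

def parse_flow_report(text):
    """src -> MB from flow-report rows (src dst port octets)."""
    out = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) == 4 and fields[3].isdigit():
            # Assumption: NFA's "MB" means 10^6 octets.
            out[fields[0]] = out.get(fields[0], 0.0) + int(fields[3]) / 1e6
    return out

def reconcile(nfa, ref, tolerance=0.02):
    """Map each reference source to (status, ref_mb, nfa_mb)."""
    result = {}
    for src, ref_mb in ref.items():
        nfa_mb = nfa.get(src)
        if nfa_mb is None:
            status = "missing"      # not in the NFA top list at all
        elif abs(nfa_mb - ref_mb) <= tolerance * ref_mb:
            status = "match"
        else:
            status = "differs"      # listed, but with a different volume
        result[src] = (status, ref_mb, nfa_mb)
    return result

def missing_mb(result):
    """Total reference volume for sources absent from the NFA list."""
    return sum(ref for status, ref, _ in result.values() if status == "missing")
```

The total returned by `missing_mb` over the full export can be compared with the "Others" line of the NFA report to see whether the unlisted sources account for it.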