Hello,
I have a couple questions about the data shown in NNA/xi.
First, in NNA (or xi for that matter) when i see a graph showing Bytes/flows/Packets, for what time period is that data? For example if the peak of a graph in NNA shows 3.7GB, over what amount of time did the source move that amount of traffic? In NNA, if i randomly pick a graph peak, and look at its Bytes and then switch the graph to Bytes/sec, and then divide Bytes/Bytes per sec, i get about 35 seconds. If i do this with a random sample of sources i get approximately the same number of seconds. I am assuming this relates to the 30 second interval i set in netflow for all my sources. But i want to be sure.
Second, when i look at the same source/peak in NNA versus xi, i sometimes see different amounts of Bytes shown. I have attached a jpeg which demonstrates what i mean. For the same time the highest peak in the NNA is 4.4 GB, when in xi it shows the highest peak as 9GB.
thanks, i appreciate your help.
Data shown on NNA Vs. xi
-
yeahMon
- Posts: 27
- Joined: Thu Oct 29, 2015 1:26 pm
Data shown on NNA Vs. xi
You do not have the required permissions to view the files attached to this post.
-
tgriep
- Madmin
- Posts: 9190
- Joined: Thu Oct 30, 2014 9:02 am
Re: Data shown on NNA Vs. xi
The NNA server captures the flow data from your device and every 5 minutes, is saves the data to the drive, and creates a point on the graph.
So, every 5 minutes, it repeats that process.
On the xi server, the check command polls the server every 5 minutes, gets that data and plots it on the performance graph.
The data is stored in round robin databases which will over time, average out the data and flatten the peaks which is one cause if the difference between the graphs.
The other is that that both server are not running the check at the same time and due to when the data was sampled, you will see the data being different between the systems.
So, every 5 minutes, it repeats that process.
On the xi server, the check command polls the server every 5 minutes, gets that data and plots it on the performance graph.
The data is stored in round robin databases which will over time, average out the data and flatten the peaks which is one cause if the difference between the graphs.
The other is that that both server are not running the check at the same time and due to when the data was sampled, you will see the data being different between the systems.
Be sure to check out our Knowledgebase for helpful articles and solutions!
-
yeahMon
- Posts: 27
- Joined: Thu Oct 29, 2015 1:26 pm
Re: Data shown on NNA Vs. xi
OK. So a point on the graph is the total Bytes from my source, added up over a 5 minute period.
Then the Bytes/s is the rate averaged over a 5 minute period? Or is it the peak during that 5 minute period? If it's averaged, then you would think if you multiplied it by 300s it would be close to the Bytes reported on the same point in the graph. But the total Bytes is usually much lower.
Thanks.
Then the Bytes/s is the rate averaged over a 5 minute period? Or is it the peak during that 5 minute period? If it's averaged, then you would think if you multiplied it by 300s it would be close to the Bytes reported on the same point in the graph. But the total Bytes is usually much lower.
Thanks.
-
tgriep
- Madmin
- Posts: 9190
- Joined: Thu Oct 30, 2014 9:02 am
Re: Data shown on NNA Vs. xi
The manual for the nfdump command that is used to get those values says that it is Averaged Bytes per sec during the period of time.
The period of time is determined from the Netflow data itself and not from the NNA server saving the files every 5 minutes.
The period of time is determined from the Netflow data itself and not from the NNA server saving the files every 5 minutes.
Be sure to check out our Knowledgebase for helpful articles and solutions!
-
yeahMon
- Posts: 27
- Joined: Thu Oct 29, 2015 1:26 pm
Re: Data shown on NNA Vs. xi
OK, now that i think about it that's why at any point on a graph, the Bytes divided by B/s equals approximately the sflow interval.
Thanks. you can close.
Thanks. you can close.