[FlowScan] Problem with graphing double counted data

Dave Plonka plonka at doit.wisc.edu
Tue Apr 15 22:42:39 CDT 2008 

Hi James,

On Wed, Apr 16, 2008 at 01:23:12PM +1000, James Greenhalgh wrote:
> 
> No responses yet, so either nobody has had this problem or it's a
> really dumb question :)

It probably arrived on too busy a day for me :-)

You're asking about something that's CUFlow-specific... CUFlow is just
one, albeit a popular one, of the reports for FlowScan.

Unfortunatly, CUFlow isn't really my bag, man.  I've not used it.
THere is a mailing list dedicated to just the CUFlow report:

   https://lists.columbia.edu/mailman/listinfo/cuflow-users

I see it's active, and Matt just posted this re: the archives, etc:

   https://lists.columbia.edu/pipermail/cuflow-users/2008-April/000678.html

Dave

P.S. Thanks for your kind words, I'm glad to hear it's helping you out.
 
> I'm going to go ahead and attempt to fix this myself. If anyone has
> any comments or insights into the issue, I'd be happy to hear them.
> 
> Cheers,
> James Greenhalgh
> 
> On Tue, Apr 1, 2008 at 1:17 PM, James Greenhalgh
> <james.greenhalgh at gmail.com> wrote:
> > Hi all,
> >
> >  Firstly, I wish to say thank you to all the devs and contributers of
> >  flowscan (and flow-tools). I've been using it for a week or so now,
> >  and it's very, very useful and cool. :)
> >
> >  I'm using flowscan to monitor VOIP links. I wanted to see the
> >  breakdown of some of some UDP protocols so I added the following to
> >  CUFlow.cf...
> >
> >  Service 16384-32767/udp rtp
> >  Service 2427/udp,12728/udp,2727/udp mgcp
> >
> >  My problem is that a flow gets counted in service_<whatever>_dst.rrd
> >  *and* service_<whatever>_src.rrd if the source and destination ports
> >  both match a service type (say, RTP).
> >
> >  So, the following info taken using flowdumer (abbreviated)....
> >
> >  FLOW
> >   src IP:         10.12.23.136
> >   dst IP:         10.200.200.35
> >   src port:       26798
> >   dst port:       17892
> >
> >  ...gets counted as 2 streams (src RTP and dst RTP). I'm not saying
> >  this is necessarily a bug, as I can see how one might want to know
> >  this info.
> >
> >  The real problem is graphing this in CUGrapher. When I graph 'all
> >  services' there are 4 colours on my bars in both directions. Src RTP,
> >  Dst RTP, Src MGCP and Dst MGCP.
> >
> >  Src RTP=Dst RTP
> >  Src MGCP=Dst MGCP
> >
> >  Bandwidth is doubled in both directions (because everything is counted
> >  as 2 types of data). I get the following stats from a graph of 'all
> >  services'.
> >
> >  MGCP: 31.5% (out) 29.9% (in)
> >  RTP: 166.2%(out) 170.1%(in)
> >  Other Services: -97.6% (out) -100%(in)
> >
> >  I've had a good look in the flows using flowdumer, and there aren't
> >  any 'Other services' in there. I think this number must be generated
> >  because the sum is > 100%.
> >
> >  Has anyone else had this problem? Do I need to hack up the source to
> >  make pretty graphs of this stuff or has someone already solved this?
> >  If not, I'd be happy to help solve this as I'd really like to use this
> >  tool extensively.
> >
> >  I don't have this problem with transport layer protocols - I haven't
> >  done something silly like count all the data twice. There are no
> >  proxies, it's just simple routed data. One subnet to another.
> >
> >  Sorry if I've left out any info. I can clarify promptly if needed.

-- 
plonka at doit.wisc.edu  http://net.doit.wisc.edu/~plonka/  Madison, WI

More information about the flowscan mailing list