hi there,
I'm analyzing NetFlow traces from Abilene (which uses Juniper, of
course) and I'm seeing a periodic pattern in the traces. I know about
the activity and inactivity timeouts that can be set in JunOS to
control flow exports, but in the data I'm analyzing it seems like
there is some kind of global clock that flushes the flow cache every
minute. I mean the router exports *all* flows which are active at the
end of a time bin of one minute. Because of this, the flow records
look like they are binned in 1 minute intervals.
By the way, I'm not talking about any manipulation done by the
collector. I'm really looking at the FIRST and LAST time stamps
contained in each flow record. Can anyone tell me if there is such a
timer in JunOS, i.e., flushing the flow cache every minute (or an
interval defined as a parameter)?
Thanks in advance and happy Hew Year!
Fernando Silveira
I don't know about Juniper routers, but there's such a setting in Cisco routers, it's called the active flow timer. If you don't use it and don't tell your collection/analysis system what setting you've used (most folks use between 5 minutes for traffic analysis down to one minute for security-related analysis), you end up with backlogged stats which aren't chronologically representative of the actual traffic, and your graphs are all jagged and useless.
My guess would be that Juniper have a similar construct for a similar purpose. Most collection/analysis systems of which I'm aware take this setting into account, as long as you tell them what interval you're using. It's generally considered highly desirable to make use of this functionality, for the aforementioned reasons.
hi Roland,
actually I believe the patterns I'm talking about are not caused by
the activity timer.
As fair as I know, the activity timer exports a flow which has been
active for too long. Therefore, it should be counted from the
beginning of the flow (its first packet), right? The patterns I'm
talking about would imply an absolute clock (independent of any flow)
ticking every minute, and flushing the entire flow cache. The result
of this would be the binning effect I mentioned.
The patterns I'm talking about seem really specific to Juniper
routers. I have another set of traces (which I believe come from Cisco
routers) and they don't have the periodic flow export pattern I'm
referring here.
I have two or three plots that show in detailed what I'm trying to
explain, but I'm not sure I can post them here. If you'd like to see
them I can send them to you (or anybody interested) or I could post it
on the web and send you the URL.
Thanks for the quick reply!
Fernando
Yes, what you're describing is in fact different from the Cisco active flow timer. The Cisco active flow timer is set relative to the beginning of the flow, as you indicate, and not a system-wide purge of the entire cache (I didn't parse that properly in your initial query, apologies) on some sort of fixed-time basis.
There are folks involved in various NetFlow collection/analysis efforts on this list, I'm sure one of them or someone from Juniper will respond. juniper-nsp might also be a good place to ask.