From owner-freebsd-stable@FreeBSD.ORG  Thu Jul 10 14:20:33 2014
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id EC47F90B;
 Thu, 10 Jul 2014 14:20:33 +0000 (UTC)
Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "vps1.elischer.org",
 Issuer "CA Cert Signing Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id BE6A32F91;
 Thu, 10 Jul 2014 14:20:33 +0000 (UTC)
Received: from Julian-MBP3.local
 (ppp121-45-236-203.lns20.per1.internode.on.net [121.45.236.203])
 (authenticated bits=0)
 by vps1.elischer.org (8.14.9/8.14.9) with ESMTP id s6AEKRC4058415
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
 Thu, 10 Jul 2014 07:20:30 -0700 (PDT)
 (envelope-from julian@freebsd.org)
Message-ID: <53BEA125.6010400@freebsd.org>
Date: Thu, 10 Jul 2014 22:20:21 +0800
From: Julian Elischer <julian@freebsd.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Cristiano Deana <cristiano.deana@gmail.com>,
 FreeBSD Stable Mailing List <freebsd-stable@freebsd.org>,
 FreeBSD net <freebsd-net@freebsd.org>
Subject: Re: ng_netflow
References: <CAO82ECHDQTnFndHpaHKJTVZN4JJFUW=n4Sw82oO2sY1uNR_8Hw@mail.gmail.com>
In-Reply-To: <CAO82ECHDQTnFndHpaHKJTVZN4JJFUW=n4Sw82oO2sY1uNR_8Hw@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jul 2014 14:20:34 -0000

On 7/10/14, 4:13 PM, Cristiano Deana wrote:
> Hi all,
>
> I have a bsd box as a router, with 4 vlan interfaces.
> I started collecting flow data with softflowd and analyze them (in a
> separate machine) with nfsen, but softflowd is taking too much cpu
> (for the busiest interface up to 20%), so i tried to switch ONE
> interface to ng_netflow.
>
> I configured the same as the man page, but results are... odd.
>
> Measure are wrong. I mean, graphs collected from softflowd show the
> right amounts of packet/flows/data, the ones collected with ng_netflow
> are wrong.
> packets and flows are lower then expected, traffic is MUCH LOWER than
> expected (1/10).
>
> Any hint to debug or anyone with similar experience?

Is it possible that  you are working with an interface that has TSO on?
if so then netgraph will be seeing huge "aggregate" packets rather 
than the normal packets.
so teh number of packets may be out by more than a factor of 30.

I have never used the ng_netflow node, but try turning off TSO if you 
have it on and see if that makes a difference.
failing that you might just look a the source of the ng_netflow module 
(ng_netflow.c) for ideas.
netgraph nodes are relatively simple.. they have an entry point where 
packets turn up and they call the same method in some other module..



>
> Thank you
>