The simplest sampling configuration you can find in Netflow v5. Each packet carries sampling rate and FastNetMon can read it directly and it does not need any configuration. Also, for Netflow v5 FastNetMon ignores configuration options netflow_sampling_ratio even if you set it explicitly.
For Netflow v9 and IPFIX sampling information carried in special “options data” packets. Because Netflow v9 and IPFIX are extremely flexible protocols and each vendor can add new fields these protocols also use “template options” packets. They carry information about available fields in “options data” packets.
To decode information in “options data” packets each collector should read “template options” packets before.
To debug Netflow v9 or IPFIX sampling rate learning FastNetMon exposes number of useful counters.
First of all, we need “options templates” packets to decode “options data” packets:
sudo fcli show system_counters | grep options_templates_number netflow_v9_options_templates_number 2 ipfix_options_templates_number 3
After that, FastNetMon should read “options data” packets:
sudo fcli show system_counters | grep options_packet_number netflow_v9_options_packet_number 3 ipfix_options_packet_number 3
Finally, FastNetMon should extract sampling information from “options data” packets and it has counter about it too:
sudo fcli show system_counters | grep custom_sampling_rate_received netflow_v9_custom_sampling_rate_received 20 ipfix_custom_sampling_rate_received 3
It means that FastNetMon decoded all these packets and successfully extracted sampling rate.
FastNetMon can maintain custom sampling rate for each devices and you can get list for all automatically extracted sampling rates this way:
sudo fcli show netflow_sampling_rates 10.12.22.1 1000
For IPFIX protocol you can use this commands to get per device sampling rates:
sudo fcli show ipfix_sampling_rates 10.12.22.1 1000
In addition to this, FastNetMon print following log messages on debug level (sudo fcli set main logging_level debug):
[DEBUG] Learnt new Netflow v9 sampling rate 1000 for 10.10.10.1 [DEBUG] Learnt new IPFIX sampling rate 1000 for 10.10.10.1 [DEBUG] Change Netflow v9 sampling rate from 10 to 1000 for 10.10.10.1 [DEBUG] Change IPFIX sampling rate from 10 to 1000 for 10.10.10.1
In some cases, when vendor uses very unusual encoding way, FastNetMon cannot extract this information automatically and you can specify it manually this way. FastNetMon will use this information if it does not receive “options” packets from your router.
sudo fcli set main netflow_sampling_ratio 1000 sudo fcli commit
In all cases for Netflow v9 and IPFIX protocols sampling rate received from router has priority over information specified in configuration.
You can explicitly ignore sampling announcements from routers and use value from configuration this way:
sudo fcli set main netflow_ignore_sampling_rate_from_device enable sudo fcli commit
In some cases you may need ability to override sampling rate on per device basis and FastNetMon allows you to do so this way:
sudo fcli set main netflow_v5_per_router_sampling_rate 11.11.11.11=10000 sudo fcli set main netflow_v5_per_router_sampling_rate 22.22.22.22=10000 sudo fcli set main netflow_v9_per_router_sampling_rate 11.11.11.11=10000 sudo fcli set main netflow_v9_per_router_sampling_rate 22.22.22.22=10000 sudo fcli set main ipfix_per_router_sampling_rate 11.11.11.11=10000 sudo fcli set main ipfix_per_router_sampling_rate 22.22.22.22=10000
To remove override value you need to use following syntax:
sudo fcli delete main netflow_v5_per_router_sampling_rate 11.11.11.11 sudo fcli delete main netflow_v9_per_router_sampling_rate 11.11.11.11 sudo fcli delete main ipfix_per_router_sampling_rate 11.11.11.11
FastNetMon features option to save sampling rates received from all your devices into persistent file. It helps to avoid traffic drops during restart when FastNetMon did not receive sampling rate from device yet. It’s enabled by default for all new installation and can be checked that way:
sudo fcli show main netflow_sampling_cache
FastNetMon saves sampling rates to following files: netflow9_sampling.dat and ipfix_sampling.dat which reside in folder /var/cache/fastnetmon. If you want FastNetMon to forget sampling rate for particular device you can remove them.
Recommended sampling rate values
According to real amount of traffic in network we suggest following sampling rates:
| Bandwidth | Sampling rate |
| 100 Mbit | 500 |
| 1 Gbit | 1000 |
| 10 Gbit | 2000 |
| 40 Gbit | 4000 |
| 100 Gbit | 5000 |
If your sampling rates does not match these values then you may experiences bandwidth calculation inaccuracy and potential issues with attack detection. We strongly advice to follow these recommendations.