[Ntop-misc] nProbe bw limiting patch submission

Mark Notarus notarus at uiuc.edu
Mon Nov 22 21:32:21 CET 2004


Hiya--

First off, we're happy users of nProbe. 

Due to some routing changes in our campus exit, we would have had to 
convert to sFlow accounting from NetFlow 5. That change is fine for 
accounting, but we depend on the 100% (no sampling) results of NetFlow for 
some security efforts, including auto-disabling users infected with Windows 
scanning worms based on sequential scanning.

We implemented nProbe, and were super excited by the results-- it kept
up with our exit traffic (a sustained 500Mb/s or so split across two
boxes/paths, peak flow exports of about 12000 flows/s, sustained rates
of 6-8K, mostly all small UDP packets because we don't ban P2P file
sharing or similar stuff).

However, what we ran into was that nProbe was TOO efficient. Our nProbe 
platforms (nice little 1U P4 2GHz systems with a pair of gig-e interfaces) 
massively outpaced our collector host, which is an older Solaris box. 
nProbe flushed flows in a burst that was too large for our caching on 
the collector, even after we tweaked it and the server up a lot.

And when we implemented the -e "delay between packets" option, we couldn't 
export our traffic fast enough. On our boxes, under the Linux 2.4 kernel, the 
minimum sleep time was 20ms. This means that at best, with any delay
at all, we could only export 50 packets/s, which translated to about
1500 flows/s.

So, I've implemented the following patch that adds the -B (batch) option: 
send this many packets before delaying -e ms. We set this to burst 20 
packets out and then pause, which has us now exporting at a rate that keeps 
the collector happy and also lets the probes drain all flows out.

Thanks much for the tool, and I hope this is useful to someone!


-- 
Mark Notarus
Network Engineer
University of Illinois, Urbana-Champaign


--------------------------------------------
--- nprobe.c	Fri Oct  8 16:01:15 2004
+++ nprobe.c.org	Fri Oct  8 15:53:06 2004
@@ -76,8 +76,6 @@
 u_long numAdds=0;
 struct timeval initialSniffTime, lastExportTime;
 u_short flowExportDelay, scanCycle=30 /* sec */;
-u_short packetFlowGroup; /* # packets to send before we delay */
-u_short packetSentCount=0; /* packets sent before a delay */
 #ifdef USE_SYSLOG
 char nprobeId[255+1];
 #endif
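Review bot: The diff is generated in the wrong direction: the headers list the modified nprobe.c as the old file and nprobe.c.org as the new one, so every -B addition, starting with packetFlowGroup and packetSentCount in this hunk, appears as a `-` line and the patch only applies to the original source with patch -R. Regenerate it as `diff -u nprobe.c.org nprobe.c` so the new lines carry `+`.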
@@ -783,7 +781,7 @@
   printf("-w <hash size>     | Flows hash size [default=%d]\n", hashSize);
   printf("-e <flow delay>    | Delay (in ms) between two flow exports [default=%d]\n",
 	 flowExportDelay);
-  printf("-B <packet count>  | if set, send this many packets before the -e delay [default=%d]\n",packetFlowGroup);
+
   if(minFlowSize == 0)
     strcpy(buf, "unlimited");
   else
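Review bot: The -B usage line does not say that the option has no effect unless -e is also set, which is the rule the startup message later in this patch states ("-B requires that you also set -e"). Add that to the help text, for example by ending it with "(requires -e)". The printf also takes the place of the blank line that separated the option list from the minFlowSize block, and it is missing a space after the comma before packetFlowGroup.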
@@ -1248,8 +1246,7 @@
 
 void sendNetFlow(const void *buffer, u_int32_t bufferLength, u_char lastFlow) {
   u_int32_t rc = 0;
-  static u_short collectorId = 0,canPause=1;
- 
+  static u_short collectorId = 0;
 
 #ifdef DEMO_MODE
   if(globalFlowSequence > MAX_DEMO_FLOWS) return;
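Review bot: canPause in the sendNetFlow declaration does not need to be static: with -B set it is assigned 0 at the top of the new block on every call, and without -B it is never written and stays 1, so a plain local initialised to 1 behaves the same and makes the per-call scope obvious. The added line that contains only a space is trailing whitespace and should be dropped.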
@@ -1280,31 +1277,12 @@
 #endif
 
   if(numCollectors == 0) return;
-  /* if -B packetFlowGroup is set, we'll set
-   canPause if we've sent packetFlowGroup packets
-   then we'll pause for flowExportDelay  */
-  if(packetFlowGroup>0){
-    canPause=0;
-    if (lastFlow){
-      packetSentCount=0;
-    }
-    else{
-      packetSentCount++;
-      if (packetSentCount==packetFlowGroup){
-        if(traceMode)
-          traceEvent(TRACE_WARNING, "Pausing %d ms because we've sent %d packets", flowExportDelay, packetSentCount);
-        //pause
-        canPause=1;
-        packetSentCount=0;
-      }
-    }
-  }
 
   /*
     This delay is used to slow down export rate as some
     collectors might not be able to catch up with nProbe
   */
-  if((flowExportDelay > 0) && (!lastFlow) && canPause) {
+  if((flowExportDelay > 0) && (!lastFlow)) {
 #ifndef WIN32
     struct timespec timeout;
 
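Review bot: The "Pausing %d ms" message in the new block is logged at TRACE_WARNING although reaching the batch limit is normal operation; with traceMode on it fires once per batch, so TRACE_INFO is the better level. In the same block, compare with `packetSentCount >= packetFlowGroup` rather than `==` so the counter can never run past the limit, and write the pause comment as `/* pause */` to match the comment style of the surrounding code.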
@@ -1798,7 +1776,6 @@
   minFlowSize = 0;
   traceMode = 0;
   flowExportDelay = 0;
-  packetFlowGroup = 0;
   engineType = 0, engineId = 0;
   useNetFlow = 0xFF;
   computeFingerprint = 0;
@@ -2593,13 +2570,7 @@
   if(ignoreTcpUdpPorts)
     traceEvent(TRACE_INFO, "UDP/TCP ports will be ignored and set to 0.");
 
-  if (packetSentCount>0 && flowExportDelay==0){
-    traceEvent(TRACE_INFO, "-B requires that you also set -e. Clearing packet count.");
-    packetSentCount=0;
-  }
-  if (packetSentCount>0 && flowExportDelay > 0)
-    traceEvent(TRACE_INFO, "After %d flow packets are sent, we'll delay at least %d ms", packetSentCount,flowExportDelay);
-  else if(flowExportDelay > 0)
+  if(flowExportDelay > 0)
     traceEvent(TRACE_INFO, "The minimum intra-flow delay is of at least %d ms", flowExportDelay);
 
   if(numCollectors > 1) {
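Review bot: Both new conditions test packetSentCount, the running counter that is initialised to 0, instead of packetFlowGroup, which holds the -B value. At startup `packetSentCount>0` is never true, so the "-B requires that you also set -e" check and the "After %d flow packets are sent" message can never trigger. Test, clear and print packetFlowGroup in these lines; a rejected option is also better reported at TRACE_WARNING than TRACE_INFO.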