[netsa-tools-discuss] Testing flowcap

Matthew Markland mwmarkland at outlook.com
Fri Sep 25 16:50:54 EDT 2015


All:

I've been struggling with some testing of flowcap that I've been attempting. What I have is a pcap file containing actual NetFlow packets (i.e. the UDP packets with NetFlow records) which I then replay onto the network targeting a flowcap instance. I do all the dirty work to spoof addresses so that the destinations look right. I then vary the delay between sending UDP packets to try to simulate different rates of traffic arriving at flowcap.

I know of one significant problem with this plan: templates. If my recording doesn't happen to catch needed templates, flowcap will drop (a possibly large number of) flows. However, I'm also seeing inconsistent behavior between runs with the same delay and input file. It appears that sometimes flowcap doesn't recognize the templates or expires them. I have not been able to get any consistency with the above testing process.

So, I'm going to ask: how does your group test flowcap? My guess is that you have a pcap file of traffic that you run through YAF and then feed that output into flowcap. That doesn't seem to give you a way of testing the maximum flow count you can handle unless you have a way of generating enough traffic in the pcap file to overload it.

A secondary question is whether the method we are currently using could be made to work better. Do we need to rewrite the pcap file timestamps to make things work out better?

Thanks for your time!

Matt
----
Matthew Markland
mwmarkland at outlook.com
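
Added example, not part of the original post and not SiLK/flowcap code: one way to check a capture for the template problem described above before replaying it, by listing every data FlowSet that arrives before its template. It assumes the recording is NetFlow v9 (RFC 3954 layout), that the UDP payloads have already been extracted from the pcap in capture order, and that one exporter is involved, so templates are keyed by source ID only; template expiry is not modelled, and the function and sample names are hypothetical.

```python
import struct

HEADER_LEN = 20  # NetFlow v9 export packet header (RFC 3954)

def template_gaps(payloads):
    """Return (packet_index, source_id, template_id) for each data FlowSet
    seen before a template with that ID from the same source_id."""
    known, gaps = set(), []
    for idx, data in enumerate(payloads):
        if len(data) < HEADER_LEN:
            continue  # too short to be a v9 export packet
        version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", data)
        if version != 9:
            continue
        off = HEADER_LEN
        while off + 4 <= len(data):
            fs_id, fs_len = struct.unpack_from("!HH", data, off)
            if fs_len < 4 or off + fs_len > len(data):
                break  # malformed or truncated FlowSet, stop on this packet
            body = data[off + 4:off + fs_len]
            pos = 0
            # FlowSet ID 0 = templates (4-byte record header),
            # FlowSet ID 1 = options templates (6-byte record header).
            while fs_id in (0, 1) and pos + 4 + 2 * fs_id <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if tid < 256:
                    break  # zero padding at the end of the FlowSet
                known.add((source_id, tid))
                if fs_id == 0:   # n = field count, 4 bytes per field
                    pos += 4 + 4 * n
                else:            # n = scope length, next u16 = option length
                    pos += 6 + n + struct.unpack_from("!H", body, pos + 4)[0]
            if fs_id >= 256 and (source_id, fs_id) not in known:
                gaps.append((idx, source_id, fs_id))
            off += fs_len
    return gaps

# Constructed sample packets (not taken from any real capture).
def _packet(source_id, *flowsets):
    # Header count is set to the FlowSet count; each sample FlowSet has one record.
    return struct.pack("!HHIIII", 9, len(flowsets), 0, 0, 0, source_id) + b"".join(flowsets)

def _template(tid, fields):
    rec = struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    return struct.pack("!HH", 0, 4 + len(rec)) + rec

def _data(tid, record):
    return struct.pack("!HH", tid, 4 + len(record)) + record

FIELDS = [(8, 4), (12, 4)]  # IPV4_SRC_ADDR, IPV4_DST_ADDR
SAMPLE = [_packet(1, _data(256, bytes(8))), _packet(1, _template(256, FIELDS)),
          _packet(1, _data(256, bytes(8))), _packet(2, _data(256, bytes(8)))]
print(template_gaps(SAMPLE))  # [(0, 1, 256), (3, 2, 256)]
```

Any tuple it returns marks a data FlowSet the collector has no template for at that point in the replay, which separates losses caused by the recording from losses caused by load.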

 		 	   		  