I have an ER-4 and I am experimenting with exporting sFlow data to PRTG to try and get some historical logging going on - to cover off those times when people will say "the Internet has been slow at this location for the past week, can't you fix it?". SNMP would give me the interface usage but I need a bit more than that, such as the source/destination of the traffic, and the traffic type. On the face of it, sFlow seems to be the answer. The config I have entered is:
ubnt@kd# show system flow-accounting
ingress-capture post-dnat
interface eth1
interface vti0
interface vti1
sflow {
agent-address auto
server 10.1.104.32 {
port 6343
}
}Everything else is default - I can't find any information that says what 'sflow sampling-rate' is set to if it's not specified, and it's not listed in 'show configuration all'. eth1 is my WAN, vti0 and vti1 are both VPN tunnels to other locations.
PRTG is receiving information, but it's behaving very strangely - peak throughput is shown as being 150Gbps which is clearly nowhere near accurate. I can observe the web UI of the device showing throughput in the Kbps as nobody is at this location at the moment, yet PRTG will show that in a 15 minute period three IP phones transferred 12GB of data between them, which isn't possible.
Does anybody have any pointers? I set 'sflow sampling-rate' to 500 just as a test in case the default was something silly like 1, and pushing 70MB of traffic through the router from a Speedtest showed over 1GB of throughput logged in PRTG, so things are off by a pretty huge amount.
