So this is a big thing.
As you might know from reading my blog on my FYP progress (https://jonathansteward.co.uk/index.php/blog-post/fyp-progress-27th-feb/), I’m using SNMP instead of NetFlow.
There isn’t a good reason for this; it’s just that I’d prefer to keep things simple and poll an SNMP value, rather than set up a NetFlow server and deal with that.
But what we can do with SNMP is poll for both the interface speed (OID 1.3.6.1.2.1.2.2.1.5 – ifSpeed, in bits per second) and the amount of data sent and received (1.3.6.1.2.1.2.2.1.10 – ifInOctets and 1.3.6.1.2.1.2.2.1.16 – ifOutOctets, both counted in octets of 8 bits).
You can then measure the time between the polls in seconds, multiply the change in octets by 8 and divide by that time to get a very close b/s figure, which can be compared to the interface speed to identify the utilization.
HOWEVER
One important thing to note is that the counters above are only 32-bit counters; this is where I went wrong. With a Fast Ethernet (100Mb) link at full utilization, this counter will wrap around and re-initialize to 0 within around 4-5 minutes.
I soon found my automation reporting back minus values for the b/s which I thought was very weird.
Looking further into it, there are actually 64-bit counters defined in this RFC: https://www.ietf.org/rfc/rfc2233.txt from 1997! (page 14)
So the counters you’ll really want to poll are:
1.3.6.1.2.1.31.1.1.1.10 – ifHCOutOctets
1.3.6.1.2.1.31.1.1.1.6 – ifHCInOctets
Unless you have an 8000 Tb/s interface, you shouldn’t have any issues with using these counters! But if you do have an 8000 Tb/s interface, I’m sure you already knew about the updated 64-bit counters, and no doubt by then something more ingenious could be used to monitor utilization 😉
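
The calculation described above, as an added example that is not code from the original post: it shows plain subtraction going negative across a 32-bit wrap and a wrap-aware delta giving the right rate. The function names and the two poll values are constructed for illustration.

```python
# Added example (not from the original post); names and sample values are constructed.
COUNTER32 = 2**32   # modulus of ifInOctets / ifOutOctets
COUNTER64 = 2**64   # modulus of ifHCInOctets / ifHCOutOctets


def naive_bps(prev_octets, curr_octets, interval_s):
    """Plain subtraction: goes negative when the counter wrapped between polls."""
    return (curr_octets - prev_octets) * 8 / interval_s


def wrap_aware_bps(prev_octets, curr_octets, interval_s, modulus=COUNTER64):
    """Bits per second between two polls, correct across at most one wrap."""
    if interval_s <= 0:
        raise ValueError("interval must be positive")
    delta_octets = (curr_octets - prev_octets) % modulus
    return delta_octets * 8 / interval_s


def utilization_pct(bps, if_speed_bps):
    """Throughput as a percentage of ifSpeed."""
    if if_speed_bps <= 0:
        raise ValueError("ifSpeed must be positive")
    return 100.0 * bps / if_speed_bps


def seconds_to_wrap(if_speed_bps, modulus):
    """Time for a counter to wrap at line rate; the poll interval must be shorter."""
    return modulus * 8 / if_speed_bps


def demo():
    # Constructed polls: Fast Ethernet at line rate, 60 s apart, 32-bit counter.
    if_speed = 100_000_000
    prev = 4_200_000_000
    curr = (prev + 750_000_000) % COUNTER32   # counter wrapped past 2**32
    bad = naive_bps(prev, curr, 60)
    good = wrap_aware_bps(prev, curr, 60, COUNTER32)
    return bad, good, utilization_pct(good, if_speed)


if __name__ == "__main__":
    bad, good, pct = demo()
    print(f"naive: {bad:.0f} b/s  wrap-aware: {good:.0f} b/s  ({pct:.1f}% utilized)")
    print(f"32-bit wrap at 100 Mb/s: {seconds_to_wrap(100_000_000, COUNTER32):.0f} s")
```

The modulo only recovers a single wrap, so it cannot tell a wrap from a counter reset after a reboot or from several wraps between polls; the 64-bit counters avoid the problem rather than patch it.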