I'm trying to diagnose some bandwidth problems at one particular
remote site. At the moment, I'm concentrating on one particular server
(a Novell site server, looking at NCP packets...tcp port 524 outbound
from that server to addresses outside of that remote site).

I turned on ip accounting for that server's address and let it run for
about an hour and a half. I also had NetFlow enabled and exporting
flows and checked the same interface ip accounting is running on. When
I look at the top 10 conversations for both, I'm noticing something I
don't understand. The destinations on both sides are pretty much the
same, but each conversation on the netflow side is larger by a factor
of roughly 8-10x than the corresponding conversation on the ip
accounting side.

I've also done a packet capture with wireshark on a previous day for
the same sort of traffic for the same server and interface. The size
of the data was more similar to the ip accounting results. I'm
wondering if I've misconfigured something on the NetFlow side. Can
someone help me figure out what might be going on here?

On Dec 17, 1:50=A0pm, pfisterfarm <pfisterf...@gmail.com> wrote:
> by a factor
> of roughly 8-10x

Someone elsewhere posted the obvious answer... the netflow side was
set to bits, not bytes, as I had thought it was... sorry!