I'm trying to diagnose some bandwidth problems at one particular remote site. At the moment, I'm concentrating on one particular server (a Novell site server, looking at NCP packets...tcp port 524 outbound from that server to addresses outside of that remote site).
I turned on ip accounting for that server's address and let it run for about an hour and a half. I also had NetFlow enabled and exporting flows and checked the same interface ip accounting is running on. When I look at the top 10 conversations for both, I'm noticing something I don't understand. The destinations on both sides are pretty much the same, but each conversation on the netflow side is larger by a factor of roughly 8-10x than the corresponding conversation on the ip accounting side.
I've also done a packet capture with wireshark on a previous day for the same sort of traffic for the same server and interface. The size of the data was more similar to the ip accounting results. I'm wondering if I've misconfigured something on the NetFlow side. Can someone help me figure out what might be going on here?