When accessing management variables such as traffic counters over SNMP, you should be aware of the following: The SNMP agent on a managed device (e.g. a router) may not "see" changes in the underlying values immediately. In particular for measurements in the "fast path", a common implementation strategy is to periodically retrieve these values from wherever it is collected. On some well-known high-performance routers, the update interval for the interface traffic counters (e.g. ifInOctets=/=ifOutOctets) is as long as 10-30 seconds. When one attempts to measure interface load with finer time resolution - e.g. per-second, or once-every-five-seconds samples - the results will be confusing: often, subsequent measurements will return the same counter value, resulting in a zero rate. When the interface counters are retrieved by the agent, the next measurement will result in an abnormally high rate.
Countermeasures
Faster interface counter updates on Cisco IOS
There are two commands that are supposed to control how often the SNMP counters are updated:
service counters max age seconds
Configures the maximum "age" of cached counters, in seconds. I tested this on a Cisco 7600 router, and found this to work: With service counters max age 1, the counters are updated about once per second. With service counters max age 0, all caching in the SNMP agent seems to be suppressed, and even sub-second polling gives sensible results. TODO: Test whether this also affects other counters, e.g. "Modular QoS CLI" counters.
snmp-server hc poll centiseconds
Hidden command that configures how often the HC (high capacity) counters are polled. My tests on a Cisco 7600 router haven't been conclusive: The command was accepted, but didn't seem to have any effect.
Alternative measurement methods
Other methods may be more suitable for fine-grained measurements: For example, capturing traffic on a host using a hardware tap or some variant of port copy (SPAN or similar).
-- SimonLeinen - 09 Aug 2009