Hi
Bad news, I compared the data that ntop exports to the data that the
directly connected cisco exports on the interface where the linux box is
connected and got very different results.
I made several short time checks with only a couple of kB of data and
now a test over several hours. In the short time tests I also tried to
verify with "tcpdump -T cnfp -s 1500 -v -l -n port 2056", but there, too,
were misses. As reference I took some "iptables" rules.
Some thoughts I would like to hear your opinion about are:
a) We use asymmetric routing and I filter only input bytes, that is, I use
"ether dest 11:22:33:44:55:66" as ntop rule, so you will never have
a complete TCP connection. Maybe this irritates the connection routines?
b) When terminating the daemon I always get a *lot* of flows suddenly
exported. I guess that's because it holds them in the cache to wait for
more related/established packets to add them to this connection before
exporting it. Remembering a) I would guess that it would be much better
for me to lower that timeout.
At least that would help me verify the completeness of the data. Can you
provide me a hint where this is done?
bye,
-christian-
P.S.: now more info about the loss, first the tested network:
--one-upstream---|the ntop router|---|cisco|-----{WESTEND network}
                        \              |      |
                  netflow test      netflow   other upstreams
                   collector       collector
The load should be no problem, the netflow collector is used to handle a lot
more packets than the few that ntop exports!
ntop itself was started like this:
bin/ntop -u ntop -n -M -t 4 -u ntop -L -i eth2 -w 212.117.75.92 3002 \
ether dst 00:02:B3:96:57:D7
The MySQL data from the test host (first is the time the flow reaches the
router, dPkts are delta packets and dOctets are the bytes. c is the number of
entries):
+---------------------------+---------------------------+------------+--------------+----------+
| from_unixtime(min(first)) | from_unixtime(max(first)) | sum(dPkts) | sum(dOctets) | count(*) |
+---------------------------+---------------------------+------------+--------------+----------+
| 2002-04-10 18:21:09       | 2002-04-10 23:59:27       |     155099 |     71544184 |    48990 |
+---------------------------+---------------------------+------------+--------------+----------+
+---------------------------+---------------------------+------------+--------------+----------+
| from_unixtime(min(first)) | from_unixtime(max(first)) | sum(dPkts) | sum(dOctets) | count(*) |
+---------------------------+---------------------------+------------+--------------+----------+
| 2002-04-11 00:00:05       | 2002-04-11 10:59:59       | 3240563573 |    333397334 |   230735 |
+---------------------------+---------------------------+------------+--------------+----------+
and from the real host (sdP is sum(deltaPkts)):
+---------------------+---------------------+--------+--------------+-------+
| t0 | t0 | sdP | sum(dOctets) | c |
+---------------------+---------------------+--------+--------------+-------+
| 2002-04-10 18:21:02 | 2002-04-11 00:00:00 | 296079 | 115251405 | 25524 |
+---------------------+---------------------+--------+--------------+-------+
+---------------------+---------------------+---------+--------------+-------+
| t0 | t0 | sdP | sum(dOctets) | c |
+---------------------+---------------------+---------+--------------+-------+
| 2002-04-11 00:00:02 | 2002-04-11 10:59:58 | 1187703 | 626347470 | 99052 |
+---------------------+---------------------+---------+--------------+-------+
--
Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
[EMAIL PROTECTED] Internet & Security for Professionals Fax 0241/911879
WESTEND ist CISCO Systems Partner - Authorized Reseller
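As an added example (not from the original mail, ntop or the cisco side), the kind of check the post is doing by hand: parse NetFlow v5 datagrams as a collector would, sum dPkts/dOctets, use the header's flow_sequence to detect export datagrams that never reached the collector, and compare the totals against a reference counter. All datagrams below are constructed in the script; the record fields other than dPkts/dOctets are placeholder values.

```python
import struct

# NetFlow v5 wire layout (big-endian): 24-byte header, then `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def build_v5_datagram(flows, flow_sequence, unix_secs=1018462869):
    """Constructed v5 datagram for offline testing; flows = [(dPkts, dOctets), ...]."""
    header = V5_HEADER.pack(5, len(flows), 60000, unix_secs, 0, flow_sequence, 0, 0, 0)
    records = b"".join(
        # src, dst, nexthop, in/out ifindex, dPkts, dOctets, first, last, sport, dport,
        # pad, tcp_flags, proto, tos, src_as, dst_as, masks, pad (placeholders except counters)
        V5_RECORD.pack(0x0A000001, 0x0A000002, 0, 1, 2, pkts, octs, 1000, 2000,
                       1024, 80, 0, 0x10, 6, 0, 0, 0, 24, 24, 0)
        for pkts, octs in flows
    )
    return header + records


def parse_v5(datagram):
    """Return (flow_sequence, [(dPkts, dOctets), ...]); reject non-v5 or truncated input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, _ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append((f[5], f[6]))  # dPkts, dOctets
    return seq, flows


def reconcile(datagrams, ref_pkts, ref_octets):
    """Sum exported counters, count flows lost in transit (sequence gaps), compare to reference."""
    pkts = octets = lost_flows = 0
    expected_seq = None
    for dg in datagrams:
        seq, flows = parse_v5(dg)
        if expected_seq is not None and seq != expected_seq:
            lost_flows += seq - expected_seq  # flows the exporter counted but we never saw
        expected_seq = seq + len(flows)
        pkts += sum(p for p, _ in flows)
        octets += sum(o for _, o in flows)
    return {"pkts": pkts, "octets": octets, "lost_flows": lost_flows,
            "pkt_ratio": pkts / ref_pkts, "octet_ratio": octets / ref_octets}


if __name__ == "__main__":
    # Constructed sample: the datagram that carried sequence 3 (two flows) never arrived.
    sample = [build_v5_datagram([(10, 1500), (5, 400)], 0),
              build_v5_datagram([(20, 30000)], 2),
              build_v5_datagram([(1, 60), (2, 120)], 5)]
    print(reconcile(sample, ref_pkts=50, ref_octets=40000))
```

A shortfall with lost_flows at zero points at the exporter (flows still in its cache, or never seen by its filter); a non-zero lost_flows points at the path between exporter and collector.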
_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop-dev