Hi
On Tue, May 07, 2002 at 06:16:50PM +0200, Luca Deri wrote:
> > in hash.c again and everything balanced around 17MB again.
> Good: please report me about this in the next days.
I will do so.
> > b) the serialCache.db is still a problem. Grew up to 1.4M in the first day
> > and does never shrink.
> > As you pointed out, this is a known issue. Seems as if I have to restart
> > ntop once a day to be safe :-(
> I will fix this soon, before 2.1. Stay tuned, it's a matter of time.
great to hear!
> > Regarding the netflow thing, the short explanation again. I do netflow
> > export on currently two of the four ethernet devices, each have it's own
> > ntop in it's own directory (e.g. /usr/local/ntop-eth0/). Each ntop uses a
> > filter like:
> > --filter-expression ether dst 00:02:B3:96:57:DD
> > So that only incoming packets are processed, not outgoing. This, too,
> > leaded to my problems that I have only incomplete TCP sessions, but is
> > necessary for the netflow system to work.
> Ok, but this is not a solution, just a workaround. As you know NF much
> better than me, what is the ultimate solution for this problem?
The ultimate solution would be the following. One process of ntop. The
ntop plugin then lets choose which interfaces will have netflow export
turned on and which don't. For every interface is only the half of the
sessions exported that came through that interface in, i.e. was received
by it, never what was send!
Little picture for the input-interface-accounting thing:
customer-N
|
|eth1
NTOP-N
|eth0
eth1 eth0 | eth0 eth1
INTERNET-W ---- NTOP-W ------ My Backbone ----- NTOP-E --- INTERNET-E
|
|eth1
NTOP-S
|eth0
|
customer-S
Let's imagine I have two upstream provides W and E (west,east,..) and only
two customers (south,north).
Now, example1, customer S produces traffic with customer N, then the traffic
will be accounted four times, NTOP-S at eth0 in, eth1 out, and on NTOP-N
at eth0 in and eth1 out. Then, when customer N replies, the packets go
through the same interfaces in reverse direction.
As we won't account every byte only once, netflow chooses to account it
at the point where it _first enters the provider backbone_. In this case,
the packages from S to N are accounted at eth0 of NTOP-S and the reply
packages from N to S at NTOP-N on interface eth1.
So at e.g. NTOP-S I have to manually disable the eth1 interface because it
points to the backbone and has no customers on it but in addition I must
say ntop never to export the bytes, it receives from eth1 and forwards to
eth0 because they must alreay be accountet on NTOP-W,NTOP-N or NTOP-E.
Packets that are originated by the router or destinated for him do not
need to be accounted necessarily if that's a problem. There's not much
traffic that the router produces itself except for some telnet/ssh sessions
and some remote loggin (I'm not sure how the ciscos behave there).
This is not easy for the current session handling.. but maybe you find a
way!
bye,
-christian-
--
Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0
[EMAIL PROTECTED] Internet & Security for Professionals Fax 0241/911879
WESTEND ist CISCO Systems Partner - Authorized Reseller
_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
