On Thu, 4 Mar 2004, Burton M. Strauss III wrote:
> It sounds like your network is running through devices (typically switches
> and routers, proxies are also possible) that rewrite the packets so that
> they all appear to come from the same few hosts. Note in the log how few
> hosts are shown...
> > Host/Session counts - Device 0 (eth2)
> > Stored hosts.....22
> > Host/Session counts - Device 1 (eth2:0)
> > Stored hosts.....0
> > Host/Session counts - Device 2 (eth0)
> > Stored hosts.....1
> > Host/Session counts - Device 3 (eth0:0)
> > Stored hosts.....0
> > Host/Session counts - Device 4 (eth1)
> > Stored hosts.....1
> > Host/Session counts - Device 5 (eth1:0)
> > Stored hosts.....0
> > Host/Session counts - Device 6 (lo)
> > Stored hosts.....1
The low count was caused by having run it for just a short period.
Compare it with one I was running for 5 minutes:
Host/Session counts - Device 0 (eth2)
Stored hosts.....21874
Host/Session counts - Device 1 (eth2:0)
Stored hosts.....0
Host/Session counts - Device 2 (eth0)
Stored hosts.....1
Host/Session counts - Device 3 (eth0:0)
Stored hosts.....0
Host/Session counts - Device 4 (eth1)
Stored hosts.....1
Host/Session counts - Device 5 (eth1:0)
Stored hosts.....0
Even though all the traffic is passed through this gateway box, it is only
being accounted for on eth2. Okay by me if it's okay by you :).
> There are write-ups on this in docs/FAQ - it has to do with the hybrid layer
> 2/layer 3 nature of ntop. If the layer 2 data isn't valid, you will see odd
> results.
> Try telling ntop to ignore the MAC addresses via this switch:
> -o | --no-mac
> The other thing that can confuse ntop is bogus data in an /etc/hosts file -
> esp. if you have one which tries to fake out ad servers by routing them to
> 127.0.0.1 - the OS call, gethostbyname() can return an unexpected value.
> But I'd bet on -o
Tried it, but still no remote. Ran ntop on another host that was on
another network and it reported local<->remote correctly. So there is
something _special_ about this gateway setup :).
Some background. This computer divides a class B address space from the
Internet. On the class B are over 160,000 clients spread over 600+ sites.
At any time thousands of users are going through this PC. This box is also
participating in an OSPF routing environment and houses over 8,000 routes.
I've tried (on a whim) updating MAX_SUBNET_HOSTS to 65536 with no success.
After it runs for a few minutes on this busy system I start failing to get
to ntop's "summary->hosts" web pages with the following being logged:
**ERROR** http generation failed, alarm() tripped. Please report this to ntop-dev list!
Sometimes this does not occur for quite a while.
DNS entries are still coming up wrong on both boxen tested.
The "summary->traffic" information always appears to be correct.
This is all from today's CVS.
Any other things I can try, please let me know,
JES
--
James B. MacLean [EMAIL PROTECTED]
Department of Education
Nova Scotia, Canada