How about the stats from the plugin itself?
-----Burton 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of R.H.Hoek
Sent: Friday, June 03, 2005 9:15 AM
To: [email protected]
Subject: [Ntop-dev] netflow-plugin misses packets

Dear Ntoppers,

Some weeks ago I already mentioned that I experience some problems with Ntop
in combination with Netflow from a Cisco6509 with supervisor2.
Some of you gave me some hints, but nothing could solve my problem (see
below).

The problem is that the Netflow-plugin misses about 40-60% of the
netflow packets sent by the Cisco6509. Some figures:

Last night, in a period of about 17 hours, the Cisco has sent out
31,274,087 flows in 1,073,210 packets.
The Netflow-plugin reports it received 16,035,229 valid flows in 548,345
packets. The plugin reports no discarded flows.

My first thought is that it is not the hardware. I (can) run Ntop on two
different systems, but experience the same problem on both:
System1:
Dual-Xeon 3.2GHz, 5GB RAM, with 4 disks in two hardware SCSI raidsets
(RAID1)(18GB,73GB) and 100M/1G Ethernet interface with a 100Mbps
network connection. On this system the OS is SuSE-UnitedLinux 8 (2.4 kernel).
System2(originally meant for probe):
Dual-Xeon 3.2GHz, 3GB RAM, with 2 disks in a hardware SCSI raidset
(RAID1)(18GB) and 100M/1G Ethernet interface with a 100Mbps
network connection. On this system the OS is Debian Sarge (2.6 kernel).

I have done testing with Ntop 3.1 and the latest CVS versions -> same
results. With tcpdump I did some counting. The conclusion is that the
packets sent by the Cisco6509 are received on the system Ntop is running on, but
are discarded/missed by the Netflow-plugin.

Answers to some questions:
1)
Ntop is running with --interface-none, --track-local-host and the Netflow
pseudo-nic is selected.
2)
Even setting the RRD-plugin to low-detail, and data to dump to 'none',
does not solve the problem.
3)
For testing I have incremented MAX_SUBNET_HOSTS to 8192/16384 in
globals-defines.h.
Load avg 0.14 (98% idle)
The memory usage is about 1.8GB (3.3 GB free) 1 hour after Ntop is started.
4)
The load graph and (traffic)protocol-distribution should display the total
network load of the Cisco6509 when the pseudo-nic is selected. I have seen
this on a Ntop system with low netflowtraffic.
5)
In a test config the Cisco-Netflow is first sent to system2 and
redistributed with flow-fanout to system1 running Ntop. On system2 I do
flow-capture and flow-stat. When I compare this output with Ntop-output, the
differences are very large as of 5min net workload and protocol
distribution.
6)
The average netflow stream is about 20 packets/s. But I have seen bursts of
900 packets/s.



I think that the last point is possibly the problem. With these bursts the
netflow plugin input buffer is overloaded?
Is there a way to tune this buffer? Or does anybody else have some hints?


- --

Groeten,

Roel H.Hoek, SeniorNetworkmanager
Dienst Informatietechnologie, Bibliotheek en Educatie (ITBE) Universiteit
Twente,  Postbus 217,  7500 AE  Enschede kmr SP 422, telefoon: 053 - 489
4598,  fax: 053 - 489 2383
e-mail: [EMAIL PROTECTED] http://www.utwente.nl/itbe

_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
