For fun try disabling name/ip resolution.

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Thu Jun 17 12:31:06 2010
Subject: [Ntop] Track Local Hosts Abnormal CPU Usage
Hi,

I've been implementing NTOP over the past few weeks, and overall it is just an awesome program =) However, recently I have been having some problems with CPU usage, which is in turn causing a huge amount of dropped packets from libpcap.

Just some background information: I am running on CentOS 5.5, and my command line args are as follows:

-u ntop -w 3000 -i bond0 -m 128.100.179.0/24,142.151.0.0/16,10.10.0.0/16 -L -P /ntop/rrd -d -x 4000

I've been having some weird issues with NTOP shooting up to 100% CPU usage, then libpcap dropping packets (I assume due to not having any CPU cycles to capture them!). My compiled installation was working fine, until I noticed that NTOP was hitting the 8192 host maximum without the "-x" flag set. At this point I did not notice any libpcap dropped packets.

THEN, I started playing around with the -x flag, setting it to 20000 in order to see if I would reach that cap (I did, because I still had remote hosts being added). After trying -x 20000, libpcap started to drop tons of packets, so I removed the -x flag, going back to the 8192 default, but now for some reason I was getting dropped packets even at this host count. I tried cleaning out some preferences (fingerprint.db macPrefix.db prefscache.db) and the RRD directory, but this didn't help.

Since I couldn't get NTOP back to its original state of 8192 hosts working fine, I played with the -x setting until I found <1% dropped packets over an hour period at the 4000-5000 range. (I feel I should mention that when I say "drop tons of packets" I mean like 50%-300%, although I don't quite understand how that is possible.)

Now, upon perusing the man ntop page some more, I find the --track-local-hosts option, which would be perfect for our implementation. However, upon enabling that, even though ntop is now only seeing ~150-250 local hosts, it shoots up to 100% CPU usage, and libpcap starts to drop packets.

So my question is, is there any way to get my ntop to run --track-local-hosts without so much CPU usage? Or are there some inherent heavy cpu operations that are doing this?

The server is a ~2.2GHz Intel, with 1GB of ram, just a backup server, but I thought it would be able to handle ntop fine. The average network load with the 4000 host cap is ~5000 packets per second. Is this something NTOP is able to handle with some tweaks? Or must I install PF_RING in order to handle these packets correctly?

Thanks,
Nick

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
