Unless something has RECENTLY changed, "Session Tracking" was disabled several releases ago and has not been activated again - at least to my knowledge. Not sure if enabling/disabling session handling has any effect or not?
As for interfaces, it includes logical interfaces (VLANs, SVIs, etc.) and the interface numbers are determined by IOS - I forget how, but you can view them by: "show snmp mib ifmib ifindex". So, you will get some sort of display for each unique interface from each unique exporter. If the number of interfaces ntop sees is much different than the number of interfaces on your exporter (6500), then something is not right.

I have a switch with a very similar IOS to yours. Let me check a few things and get back to you after lunch.

G

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Marc Mazuhelli
Sent: Friday, July 16, 2010 9:51 AM
To: [email protected]
Subject: Re: [Ntop] Ntop 3.4-pre3 and Netflow problem: thousands of "interfaces" ?

Hello,

Regarding the Netflow version we are using, I was told that the version of IOS we're running didn't support v9 (which surprises me as I thought it was pretty current) so we tried it with v7 at first.

Here's a more complete list of the commands that were entered to activate Netflows:

! global command
By default mls nde sender send version7 packet
mls netflow interface
mls flow ip interface-full
mls nde sender
ip flow-export source Loopback0
ip flow-export destination 10.45.7.36 2055
! interface specific command
ip flow ingress

A "show version" returns:

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXI2, RELEASE SOFTWARE (fc3)

After Gary's comment:

> Stick with v5 unless you need something v9 provides (and ntop consumes).

I asked to change the version to v5, deleted the old Netflow-device.2 interface, did a "rm -rf rrd/interfaces/NetFlow-device.2" once again, recreated the Netflow interface with the same parameters as before except one: I left the "enable session handling" to "no" instead of setting to "yes" as before, and restarted ntop.

Things have improved: I don't have thousands of lines in the "Netflow => Statistics" anymore after running only 10-15 minutes, I have only about 50, but the number is slowly increasing and I am wondering if the same thing (more than 32000 files in the rrd directory) will not happen after running for many hours or days.

In "Netflow=>Statistics", I now have 3 different tables with 3 "devices":

======================================================================
Device 1 - NetFlow-device.2
{ 12 lines that all have "10.1.254.254:53853" in the "NetFlow Device" column, numbers between 42 and 60 in the "Interface Name/Id" column and varying numbers of packets and bytes, followed by a summary stating 99 packets containing 2871 flows received and processed }

Device 2 - NetFlow-device.2
{ 52 lines that all have "10.1.254.254:53853" in the "NetFlow Device" column, numbers between 0 and 62636 in the "Interface Name/Id" column and varying numbers of packets and bytes, followed by a summary stating 21,022 packets containing 597,893 flows received with 18,996 "lost flows" }

Device 3 - NetFlow-device.2
{ 57 lines that all have "10.1.254.254:53853" in the "NetFlow Device" column, numbers between 0 and 13395 in the "Interface Name/Id" column and varying numbers of packets and bytes, followed by a summary stating 18,784 packets containing 541,546 flows received }
======================================================================

I suspect that a new "Device" is created every time I enable Netflow or create a new Netflow device (I deleted and recreated the Netflow interface a few times and even disabled the Netflow plugin completely once). On successive reloads of the page, only the third table changes, I guess the two other ones contain historical data and only the third one is current.

Is this normal? Even though the problem is not as severe as before, I don't think all these "Interface IDs" should be created with only one Netflow session fed into ntop.

Last minute addition: in the 15-20 minutes it took me to compose this e-mail, the number of files in the "rrd/interfaces/NetFlow-device.2/NetFlow" directory increased from 35 to 63. Each file corresponds to an "Interface Name/ID". We're far from 32000 as before, but the number is slowly increasing all the time.

Thanks a lot for your help!

Marc.

On 10-07-14 19:09, Gary Gatten at [email protected] wrote :

> I don't know what "mls netflow interface" is or does. Perhaps my IOS version
> does something similar with different syntax.
>
> Nonetheless... I don't see a flow version specified. Stick with v5 unless
> you need something v9 provides (and ntop consumes).
>
> If you want to post a capture of a flow record I'll compare to mine - or you
> can compare to the docs on v5 records. Also, you may want to delete all
> netflow confs in ntop and start over. Other than that I'm running out of ideas.
> It pretty much just works IF the flow exporters are configured correctly for
> your environment.
>
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] <[email protected]>
> Sent: Wed Jul 14 15:17:36 2010
> Subject: Re: [Ntop] Ntop 3.4-pre3 and Netflow problem: thousands of "interfaces" ?
>
> Hello,
>
> On our Catalyst 6500 the only options that are available are:
>
> 6500A(config)#mls flow ip ?
>   interface-destination         interface-destination flow keyword
>   interface-destination-source  interface-destination-source flow keyword
>   interface-full                interface-full flow keyword
>   interface-source              interface-source only flow keyword
>
> So it seems that "mls flow ip full" is not available.
>
> Here is the netflow config that was provided to me by my colleague from the
> networking team:
>
> mls netflow interface
> mls flow ip interface-full
>
> Regards,
> Marc.
>
>
> On 10-07-13 14:54, Gary Gatten at [email protected] wrote :
>
>> In my CAT I have "mls flow ip full". LanCope recommends: "mls flow ip
>> interface-full"
>>
>> I *think* I started with the "interface-full" and switched back to "full" for
>> some reason - probably testing that I didn't follow up on.
>>
>> FYI:
>> http://netflowninjas.lancope.com/blog/2010/05/always-use-mls-flow-ip-interfac
>> e
>> full-when-enabling-netflow-on-the-catalyst-6500.html

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
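
Added example, not part of the original thread and not ntop's code: one way to do the comparison suggested above, decoding captured NetFlow v5 datagrams and listing the ifIndex values that do not appear in the exporter's "show snmp mib ifmib ifindex" output. The function names, the KNOWN set and the sample flows are constructed for illustration; the exporter address and the value 62636 are borrowed from the message above only as sample data.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5: 24-byte header, then `count` fixed 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")

def parse_v5(datagram):
    """Return the (input ifIndex, output ifIndex) pair of every flow record."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        # Other versions use different record layouts; refuse them
        # rather than read ifIndex values from the wrong offsets.
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length does not match the header's record count")
    return [V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)[3:5]
            for i in range(count)]

def unexpected_ifindexes(datagrams, known):
    """Map exporter IP -> sorted ifIndex values seen in flows but absent from `known`."""
    seen = defaultdict(set)
    for exporter_ip, datagram in datagrams:
        for in_if, out_if in parse_v5(datagram):
            seen[exporter_ip].update((in_if, out_if))
    return {ip: sorted(ids - known.get(ip, set())) for ip, ids in seen.items()}

def build_v5(flows, version=5):
    """Constructed input: pack (src, dst, in_if, out_if, packets, octets) tuples."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       in_if, out_if, pkts, octets, 0, 0, 1024, 80, 0x10, 6, 0,
                       0, 0, 24, 24)
        for src, dst, in_if, out_if, pkts, octets in flows)
    return V5_HEADER.pack(version, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample: ifIndex values as they would be copied from the switch,
# and one datagram holding two flows from that exporter.
KNOWN = {"10.1.254.254": {42, 43, 60}}
SAMPLE = [("10.1.254.254", build_v5([("10.0.0.1", "10.0.0.2", 42, 60, 10, 840),
                                     ("10.0.0.3", "10.0.0.4", 43, 62636, 3, 180)]))]

if __name__ == "__main__":
    print(unexpected_ifindexes(SAMPLE, KNOWN))
```

In practice the (exporter IP, payload) pairs would come from a packet capture of UDP port 2055 on the collector rather than from build_v5.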
