Is it truly non-ip traffic? Or is it "other" traffic - that which is not categorized into www, mail, nfs, etc.?
________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Barnaby Cockcroft
Sent: Wednesday, November 03, 2010 2:16 PM
To: [email protected]
Subject: [Ntop] What is "non-IP" traffic, really?

Apologies in advance if this is a question that's been answered before - but I haven't been able to find the question asked anywhere. If it's in the list archives, double sorry....

My ntop 4.0.3 installation (data source: sFlow on a Force10 C300 switch) permanently reads ~65% non-IP traffic. Regardless, it seems to paint a very accurate picture of our network traffic as I imagine it to be: just the right amount of memcache, nfs, mysql, etc. All the individual servers, likewise, note around the same amount of non-IP traffic.

Currently, it's been running an hour or two: total traffic = 4.5GB, IP traffic = 1.6GB, non-IP traffic = 2.9GB. ARP and STP between them add up to around 5MB. Running tcpdump randomly on my network shows next to zero non-IP traffic, 99% of which is ARP anyhow. We run busy websites here, and there's a LOT of TCP traffic on the network. I sort of assume that somehow I might have noticed an EVEN HUGER volume of non-IP traffic on my switch, but maybe not. But if it's there, I don't have a clue either what it is or where it's going.

Can anyone tell me if there's a simple explanation for an ntop installation to mistakenly identify IP traffic as non-IP, perhaps due to network or CPU load? Or, can anyone tell me how sFlow categorizes a packet as non-IP, so I can trawl through all the packets coming into 6343 on the monitoring machine to see which packets are being marked as non-IP? Obviously, all the sFlow packets hitting the machine are UDP/IP, but once past the IP header, how is the sFlow part of the packet structured, and how/where does it categorize the packet as non-IP? Presumably the sFlow sender packs up the individual packet it's sampled into one or more sFlow packets, but here I'm just guessing.
Also, I see this in the log, though less with 4.0.3 than I did with 4.0:

    Mon Nov 1 14:44:17 2010 **WARNING** packet truncated (8754->8232)
    Mon Nov 1 14:44:17 2010 **WARNING** packet truncated (8754->8232)
    Mon Nov 1 14:44:17 2010 **WARNING** packet truncated (8754->8232)

It's not always 8754, sometimes 12450, 9698 or higher, but it's always 8232. That makes no sense to me either, as all the sFlow packets are IP packets of around 1500 or less. Probably unrelated, and maybe a bug based on the reading I've done?

Oh, and I found a couple of ntop installations open on the internet: both of them registered > 50% non-IP traffic too. Not a valid sample, of course.

Any help would be much appreciated,
Barnaby
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
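As an added example (not code from this thread or from ntop), here is a minimal Python parser for an sFlow v5 datagram that pulls the raw Ethernet header out of each flow sample and tallies EtherTypes, which is the information a collector such as ntop has to work from when it decides whether a sampled packet is IP: sFlow itself does not label packets, it just ships the first bytes of each sampled frame in a "raw packet header" record. It understands only the basic flow sample (format 1) carrying raw packet header records (format 1), skips everything else, and the datagram it parses is constructed inline rather than captured from a switch.

```python
import struct
from collections import Counter

def ethertype_of(frame):
    """EtherType of an Ethernet frame, looking through one 802.1Q tag."""
    et = struct.unpack_from("!H", frame, 12)[0]
    if et == 0x8100 and len(frame) >= 18:
        et = struct.unpack_from("!H", frame, 16)[0]
    return et

def classify_sflow_datagram(buf):
    """Count EtherTypes of the raw Ethernet headers in one sFlow v5 datagram."""
    counts = Counter()
    addr_type = struct.unpack_from("!I", buf, 4)[0]
    off = 8 + (4 if addr_type == 1 else 16)          # agent address: IPv4 or IPv6
    nsamples = struct.unpack_from("!I", buf, off + 12)[0]
    off += 16                                        # sub-agent id, seq, uptime, count
    for _ in range(nsamples):
        fmt, length = struct.unpack_from("!II", buf, off)
        off += 8
        if fmt == 1:                                 # enterprise 0, format 1: flow sample
            nrec = struct.unpack_from("!I", buf, off + 28)[0]
            roff = off + 32                          # skip seq, source id, rate, pool, drops, in, out, count
            for _ in range(nrec):
                rfmt, rlen = struct.unpack_from("!II", buf, roff)
                roff += 8
                if rfmt == 1:                        # raw packet header record
                    proto, _, _, hlen = struct.unpack_from("!IIII", buf, roff)
                    frame = buf[roff + 16:roff + 16 + hlen]
                    if proto == 1 and len(frame) >= 14:   # header_protocol 1 = ETHERNET-ISO88023
                        counts[ethertype_of(frame)] += 1
                roff += rlen
        off += length
    return counts

def _raw_header_record(frame):
    body = struct.pack("!IIII", 1, len(frame), 0, len(frame)) + frame
    body += b"\x00" * (-len(frame) % 4)              # XDR 4-byte padding
    return struct.pack("!II", 1, len(body)) + body

def build_test_datagram():
    """Constructed sFlow v5 datagram with three sampled frames (not real traffic)."""
    mac = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    frames = [mac + b"\x08\x00" + b"\x45" + b"\x00" * 19,                   # IPv4
              mac + b"\x81\x00\x00\x0a\x08\x00" + b"\x45" + b"\x00" * 19,   # VLAN 10 + IPv4
              mac + b"\x08\x06" + b"\x00" * 28]                             # ARP
    recs = b"".join(_raw_header_record(f) for f in frames)
    body = struct.pack("!IIIIIIII", 7, 0, 1024, 0, 0, 1, 2, len(frames)) + recs
    sample = struct.pack("!II", 1, len(body)) + body
    hdr = struct.pack("!II4sIIII", 5, 1, b"\x0a\x00\x00\x01", 0, 1, 1000, 1)
    return hdr + sample
```

Feeding real datagrams read from UDP port 6343 into `classify_sflow_datagram` shows which EtherTypes the switch is actually sampling; a large count outside 0x0800/0x86DD that does not match the ARP/STP numbers ntop reports is the place to start comparing against the collector's own classification.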
