It (DNS resolution) also runs in a separate thread, with its own queue – 
precisely to keep from swamping the ntop host with long waits (for the remote 
DNS server to respond). Ultimately, it’s single threaded as to how fast your 
DNS server can (recursively) resolve a query.  Having nTop support multiple 
resolves would take some code changes.

 

Not been a high priority because in general, nTop does MOST of its DNS 
resolution via sniffing out of packets.  That’s faster and lightweight, but 
doesn’t work if nTop isn’t seeing the DNS traffic.  It is surprisingly 
effective, once you realize that most traffic starts with a DNS query and 
response pair, before the – say – web page is retrieved.

 

As Gary indicates, pathological cases such as a public facing mail server are 
better off disabling DNS resolution as they will NEVER catch up.

 

 


-----Burton
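
Added example (not part of the original thread, and not ntop's own code): a minimal Python sketch of the passive approach described in the reply above, where address-to-name mappings are learned from sniffed DNS responses instead of by issuing queries. The function names and the sample packet are constructed for illustration; it handles A records only and assumes the UDP payload has already been extracted from the captured frame.

```python
import socket
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2                  # caller resumes after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:                      # crafted packets can loop pointers
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def learn_from_response(msg, cache):
    """Record IPv4 address -> queried name from one sniffed DNS response payload."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000 or flags & 0x000F:   # a query, or RCODE != 0
        return cache
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            cache[socket.inet_ntoa(msg[off:off + 4])] = qname
        off += rdlen
    return cache

# Constructed response: www.example.test -> CNAME web.example.test -> A 192.0.2.10
SAMPLE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, 6) + b"\x03web\xc0\x10"
    + b"\xc0\x2e" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
)
```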

 

From: [email protected] 
[mailto:[email protected]] On Behalf Of Gary Gatten
Sent: Wednesday, May 25, 2011 8:58 AM
To: '[email protected]'
Subject: Re: [Ntop] NTop 4.0.3 Windows questions

 

PS: for DNS, check your option and perhaps resolve local only? If you have many 
hosts visiting many sites, that's a lot of resolution that needs to be done. 
Email servers receiving spam are the worst; other than the obvious, they make 
ntop generate a $hitload of DNS queries.
 

From: Gary Gatten [mailto:[email protected]] 
Sent: Wednesday, May 25, 2011 08:50 AM
To: '[email protected]' <[email protected]> 
Subject: Re: [Ntop] NTop 4.0.3 Windows questions 
 

Do you have the source and binary? If source, are you willing to recompile as 
necessary? I'm not familiar with the windows version, but the *nix version has 
numerous helpful tweaks, but most require changes to "globals-defines.h" and a 
recompile.

In the meantime, have you read the docs for all available run time options, 
such as sticky hosts? You mentioned you have sticky hosts enabled, does it seem 
to be working or are hosts still aging out? I recall a fairly recent post from 
someone where it "appeared" sticky hosts wasn't working. I don't recall the 
details here. But, if you're tracking "sessions"... Those will eventually 
always age out, but you can tweak the timers.

For data retention perhaps start with the rrd plugin. You can tweak the level 
of detail stored and for how long. This may or may not meet your needs; 
historically some info has been memory resident only, not exported to rrd at 
all. There are other methods as well, such as sql, saving every packet to a 
file, netflow dumps, custom scripts, etc. Unfortunately I can't help much with 
those.

How large and dynamic is your environment? Sticky hosts is usually a bad idea 
unless you're only tracking local hosts. Else, regardless how much RAM you have 
you'll eventually exhaust it and need to reboot. 
 

From: Abel, Jacob [mailto:[email protected]] 
Sent: Wednesday, May 25, 2011 07:19 AM
To: [email protected] <[email protected]> 
Subject: [Ntop] NTop 4.0.3 Windows questions 
 

Hello all,

Our company just purchased NTop for Windows and I have a few questions.

 

1. Is there a way to keep all data received? This morning we caught 
someone on a naughty site but then the info page for that IP address 
disappeared because the person hadn’t visited it in a while. I do have the 
sticky hosts setting enabled, but things are still disappearing. We don’t have 
any care about the amount of RAM it takes or the hard drive space, we want to 
save everything, at least for a month or so.

2. MySQL support. I installed MySQL on the same machine and put the 
username/pass into the settings page in NTop, and enabled saving of sessions 
and data. NTop apparently created an “ntop” database and two tables, but the 
tables are empty after having NTop on for a while…

3. DNS resolution. I noticed that NTop takes quite a while to resolve 
names, is there a way to speed this up?

 

Thanks in advance for your help.

 

Jacob Abel

ms consultants, inc.

"This email is intended to be reviewed by only the intended recipient and may 
contain information that is privileged and/or confidential. If you are not the 
intended recipient, you are hereby notified that any review, use, 
dissemination, disclosure or copying of this email and its attachments, if any, 
is strictly prohibited. If you have received this email in error, please 
immediately notify the sender by return email and delete this email from your 
system." 

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
