Hi Guys,

I have some unexpected behaviour from my ntopng installation. I've very recently started using ntopng, so I'm not sure if what I'm observing is correct or an issue.

I'm running an instance of ntopng that I built from r7148 on a Raspberry Pi. I've configured ntopng to listen to an interface (interface 3, eth1) that is a port mirror of my WAN connection via a Netgear GS108E switch. The connection is lightly loaded at approx 100MB over 30 mins.

Is the following behaviour working correctly ... ?

Packet data is accumulated. Looking at a particular host via the web interface, all looks good. I can see sensible total traffic, protocols, activity patterns, ASN, geo, etc.

The behaviour I'm interested in occurs when the host drops from cache due to lack of recent activity -- maybe even after just a few minutes of inactivity. If I search for the host using the search input box on the main web interface, the returned web page correctly states that the host is not in cache and provides a link to force the return of the host information from cache. If I select the link, the host information re-appears (note there is sometimes a grey busy icon alongside the IP address for a few seconds -- I assume to indicate that the host info is being retrieved).

So far so good. However, the host information is missing the previous data.

If I now force the host to generate packets (e.g. browse a web site from the host), the original host data (from before the cache miss) reappears. However, under these circumstances, the "First Seen" time is as of the most recent set of packets -- even though the traffic and the protocol tabs "correctly" contain the full set of information since ntopng was restarted. (Obviously, I'm assuming this information is correct -- at the very least it appears sensible.)

In addition, once this state has occurred, the "historical" tab contains incorrect information. The exact state of "incorrectness" is variable, but most often the manifestation is that the "Total Traffic" information is lower than the original total traffic before the cache miss, but often much more than the traffic that has occurred since the recent "First Seen" time, i.e. it sits somewhere between the two.

BTW, the above behaviour is repeatable and I've now seen it four times despite reboots and rebuilds.

So is the above correct behaviour? I'm assuming it is incorrect; I would have assumed that the search return from cache should have re-instantiated the cache miss data in the first place.

If the behaviour is not correct, is there any recommended approach I should take to debug it? I looked for an option to debug build ntopng but didn't find one.

Anyhow, I'm really liking ntopng so far. It looks great and has already helped me achieve part of my aim of figuring out the cause of some unexplained bandwidth usage at Chez Bartlett.

Thx
Neil Bartlett
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
