Daniel, only local hosts are stored in cache for later restore. This to avoid caching too much stuff. Might this explain the behaviour you are observing?
Regards Luca On 01/08/2014 10:47 AM, Daniel Gomez wrote: > Hi Neil, > > I am seeing a similar behaviour. A host that appeared on the list of > hosts and from which I could retrieve information (total traffic, > protocols, activity patterns, ASN, geo, etc.) is after "some" > inactivity not anymore accessible. > > Most probably as you said the host drops from cache due to lack of > recent activity. > > Unfortunately I cannot find any like to retrieve the information from > cache, it just appears a: > > Host xx.xx.xx.xx cannot be found.Perhaps this host has been previously > purged from memory or it has never been observed by this ntopng instance. > > I am also interested on a way to debug this "feature". > > Regards, > > Daniel > > > On 8 January 2014 04:03, Neil Bartlett <[email protected] > <mailto:[email protected]>> wrote: > > Hi Guys > > I have some unexpected behaviour from my ntopng installation. I've > very recently started using ntopng, so I'm not sure if what I'm > observing is correct or an issue. > > I'm running an instance ntopng that I built from r7148 on > Raspberry Pi. I've configured ntopng to listen to an > interface (interface 3, eth1) that is a port mirror of my WAN > connection via a Netgear GS108E switch. The connection is lightly > loaded at approx 100MB over 30 mins. > > Is the following behaviour working correctly ... ? > > Packet data is accumulated. Looking at a particular host via the > web interface, all looks good. I can see sensible total traffic, > protocols, activity patterns, ASN, geo, etc. The behaviour I'm > interested in occurs when the host drops from cache due to lack of > recent activity -- maybe even after just a few minutes of inactivity. > > If I search for the host using the search input box on the main > web interface, the returned web page correctly states that the > host is not in cache and provides a link to force the return of > the host information from cache. If I select the link, the host > information re-appears (note there is sometimes a grey busy icon > along side the ip address for a few seconds -- I assume to > indicate that the host info is being retrieved). So far so good. > > However, the host information is missing the previous data. > > If I now force the host to generate packets (eg browse a web site > from the host), the original host (before the cache miss) data > reappears. However, under these circumstances, the "First Seen" > time is as of the most recent set of packets -- even though the > traffic and the protocol tabs "correctly" contain the full set of > information since ntopng was restarted. (Obviously, I'm assuming > this information is correct -- at the very least it appears sensible). > > In addition once this state has occurred the "historical" tab > contains incorrect information. The exact state of "incorrectness" > is variable, but most often the manifestation is that the "Total > Traffic" information is lower than the original total traffic > before the cache miss, but often much more than the traffic that > has occurred since the recent "First Seen" time. ie it sits > somewhere between the two. > > BTW The above behaviour is repeatable and I've now seen it four > times despite reboots and rebuilds. > > So is the above correct behaviour? I'm assuming it is incorrect; I > would have assumed that the search return from cache should have > re-instantiated the cache miss data in the first place. If the > behaviour is not correct, is there any recommended approach I > should take to debug it ? I looked for an option to debug build > ntopng but didn't find one. > > Anyhow, I'm really liking the ntopng so far. It looks great and > has already helped me achieve part of my aim of figuring out the > cause of some unexplained bandwidth usage at Chez Bartlett. > > Thx > Neil Bartlett > > _______________________________________________ > Ntop mailing list > [email protected] <mailto:[email protected]> > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > > -- > /*The Flow is a mystery to many, and it may only be visible when it is > not presen*/t. > > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
