NtopNG v. 1.2.2 (r8210)

I'm seeing a huge inconsistency between what is displayed in a live flow compared to what is displayed in a 5-minute historical flow on the same interface during the same time frame.

This is all done using a second NIC, in promiscuous mode, sniffing traffic on a mirrored port on a switch. I've been experimenting with this a lot lately, and it's 100% reproducible.

I set my ntopng collector interface to eth1 (the sniffing interface). Ntopng runs fine - and the live flows are very accurate. I use a test host to download a very large 2.5 GB file from the internet. The live flow shows this download very accurately. The download starts at 09:30 and takes just over 5 minutes to complete.

I wait until around 09:45 then I change the ntopng interface to "Historical". I then load the data between 09:30 and 09:35. I then examine the flows; there is _NOTHING_ there regarding that huge 2.5 GB download. The host never shows up, the download itself is never listed. Nothing.

Can you help me understand why this might happen? I need the historical dumps to be accurate for diagnostic purposes.

Thanks in advance,
Neil
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
