Neil,

As you can read in the ntopng user guide, ntopng saves the expired flows every five minutes in a SQLite db.
Probably in your case, if the downloading process lasts more than 5 minutes, you have to set the time interval from 9:30 to 9:40. Please can you try and let me know?

Regards
Filippo

On Tuesday, September 16, 2014, Neil Page <[email protected]> wrote:

> NtopNG v. 1.2.2 (r8210)
> I'm seeing a huge inconsistency between what is displayed in a live flow
> compared to what is displayed in a 5-minute historical flow on the same
> interface during the same time frame.
>
> This is all done using a second NIC, in promiscuous mode, sniffing traffic
> on a mirrored port on a switch.
>
> I've been experimenting with this a lot lately, and it's 100%
> reproducible. I set my ntopng collector interface to eth1 (the sniffing
> interface). Ntopng runs fine - and the live flows are very accurate. I use
> a test host to download a very large 2.5 GB file from the internet. The
> live flow shows this download very accurately. The download starts at 09:30
> and takes just over 5 minutes to complete. I wait until around 09:45 then I
> change the ntopng interface to "Historical". I then load the data between
> 09:30 and 09:35. I then examine the flows; there is _NOTHING_ there
> regarding that huge 2.5 GB download. The host never shows up, the download
> itself is never listed. Nothing.
>
> Can you help me understand why this might happen? I need the historical
> dumps to be accurate for diagnostic purposes.
>
> Thanks in advance,
> Neil
>

--
Filippo
Sent from my iPhone, sorry for typos.
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
