I'm not sure if this list accepts attachments, but I have attached screen shots of this problem.
Steps to reproduce:

1. Start ntopng as normal - using eth1 (sniffing NIC in promiscuous mode), with the 'dump flows' option enabled, etc.
2. From a server, download a large file ~2 GB from the internet which takes about 8 minutes to complete.
3. From the ntopng web interface, view live flows and verify your server is now listed as a chief bandwidth consumer - downloading the 2 GB file. Take screenshot.
3a. This shows that the internet site (the internet source from where I'm downloading the large 2 GB file) is generating the most packets/bandwidth/bytes. This is correct.
4. Wait for the server download to complete, about 8 minutes later.
5. About 25 minutes later, use the "Historical" interface to load enough data to span the entire download period of the server in step #2 above.
6. View the Historical flows, and verify the server downloading the 2 GB file in the list of flows.
6a. This time, it shows that my server (the internal host to which the large 2 GB file is being downloaded) is generating the most packets/bandwidth/bytes. This is false.

Part of network diagnostics is determining "who" is consuming the most bandwidth, i.e. which direction the flow is moving. As I read the Historical flow, I would think the major chunk of bytes is moving from my internal server to the internet site. But in reality, as is shown in the live flow, the major chunk of bytes is moving from the internet site to my internal server.

Is there a way to correct / clarify this?

Thanks

On Tue, Sep 16, 2014 at 2:51 PM, Luca Deri <[email protected]> wrote:

> Neil,
> this needs to be solved. Can you please provide a detailed example?
>
> Thanks Luca
>
> On 30 Aug 2014, at 00:09, Neil Page <[email protected]> wrote:
>
> > I'm running ntopng v. 1.2.1 (r8157) - fantastic product by the way!
> > Loads of useful information, and invaluable for diagnosing network issues.
> >
> > I'm noticing something odd however. I have historic flows turned on
> > (i.e. --dump-flows) and as I view the hosts according to throughput or
> > total bytes, I see the traffic direction is often listed incorrectly. I've
> > run numerous tests to determine how consistent this is. When an internal
> > host downloads a ~2GB file from an external internet server, the flow is
> > recorded as the internal host "sending" rather than "receiving". Every way
> > you could read this flow shows the same thing: that the internal host is
> > "sending" 2GB of data.
> >
> > I'm just curious why the flow would be presented that way. In cases of
> > diagnostics, this could be very misleading.
> >
> > Thanks in advance for your help,
> > Neil Page
> > _______________________________________________
> > Ntop mailing list
> > [email protected]
> > http://listgateway.unipi.it/mailman/listinfo/ntop
