ntopng v.1.2.2 (r8210)

I've noticed in situations where a traffic flow is very long (> 12 hours), and it happens to consume most of the available bandwidth, it won't show up in any Historic data unless you can figure out exactly when the flow started and stopped.

EXAMPLE: A fellow employee notices at about 20:00 last night while working that there is a lot of lag between his office workstation and a datacenter server (which we have a private circuit connection to). So I use ntopng (running as a service, using a second NIC as a sniffer in promiscuous mode, connected to a mirror port on a switch). I navigate to the web interface of ntopng where I can see live flows. Nothing out of the ordinary there, but that's because the lag occurred last night; so I open via the Historical interface some saved flows, around the 20:00 time frame. I spread out for a 19:30 - 20:30 window: nothing significant appears in the list of flows. I widen it to 19:00 - 21:00 and still nothing interesting appears. Finally, after I load a 16:00 to 04:00 window, I can see a replication job is responsible.

What I would like to be able to do is open a 5-minute Historical flow dump and see a "snapshot" of that traffic to determine who, in that 5-minute window, was the chief consumer of bandwidth/packets/bytes. But if the flow lasts for 12+ hours, there's no way to reveal that unless you happen to know exactly when the flow started and ended.

Any advice would be very much appreciated.

Thank you,
Neil
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
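The problem Neil describes is a query-semantics one: a historical view that lists only flows whose start and end both fall inside the selected window will never show a flow that began hours earlier and is still running. The following added example (written for this thread, not ntopng's own code or query logic) contrasts that "contained in window" query with an "overlaps window" query over a small set of constructed flow records, and prorates each overlapping flow's byte count to the part of its lifetime that falls inside the window so that the 5-minute snapshot ranks the long replication job where it belongs. The flow records, addresses and byte counts are constructed for illustration; the uniform-rate prorating is an assumption (real flows are bursty), which is why the code also keeps the raw overlap list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    """One historical flow record (constructed shape, not ntopng's schema)."""
    src: str
    dst: str
    start: datetime
    end: datetime
    nbytes: int

# Constructed sample: a 12-hour replication job (16:00 to 04:00 next day) at a
# steady 1 MB/s, plus a few short flows around 20:00. Addresses are placeholders.
_DAY = datetime(2014, 1, 1)
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.1.0.20", _DAY + timedelta(hours=16),
         _DAY + timedelta(hours=28), 43_200_000_000),          # replication job
    Flow("10.0.0.17", "198.51.100.7", _DAY + timedelta(hours=20, minutes=1),
         _DAY + timedelta(hours=20, minutes=3), 12_000_000),   # web session
    Flow("10.0.0.17", "10.0.0.2", _DAY + timedelta(hours=20, minutes=2),
         _DAY + timedelta(hours=20, minutes=2, seconds=1), 500),  # DNS lookup
    Flow("10.0.0.9", "10.1.0.20", _DAY + timedelta(hours=19, minutes=50),
         _DAY + timedelta(hours=19, minutes=55), 50_000_000),  # before the window
]

# The 5-minute snapshot Neil wants to inspect.
WINDOW_START = _DAY + timedelta(hours=20)
WINDOW_END = _DAY + timedelta(hours=20, minutes=5)


def flows_contained(flows, win_start, win_end):
    """'Contained' semantics: start AND end inside the window.
    This is the query that hides a flow which started at 16:00."""
    return [f for f in flows if f.start >= win_start and f.end <= win_end]


def flows_overlapping(flows, win_start, win_end):
    """'Overlap' semantics: any flow active at some instant inside the window.
    Two half-open intervals overlap iff each starts before the other ends."""
    return [f for f in flows if f.start < win_end and f.end > win_start]


def prorated_bytes(flow, win_start, win_end):
    """Bytes attributable to the window, assuming a uniform rate over the flow's
    lifetime (assumption: real traffic is bursty, so treat this as an estimate)."""
    overlap_start = max(flow.start, win_start)
    overlap_end = min(flow.end, win_end)
    overlap = int((overlap_end - overlap_start).total_seconds())
    if overlap < 0:
        return 0
    duration = int((flow.end - flow.start).total_seconds())
    if duration <= 0:
        # Zero-length record (single-packet flow): count it fully if it sits in the window.
        return flow.nbytes if win_start <= flow.start < win_end else 0
    return flow.nbytes * overlap // duration


def top_talkers(flows, win_start, win_end):
    """Rank (src, dst) pairs by bytes attributable to the window, using overlap
    semantics so long-lived flows are not dropped. Returns a list of (pair, bytes)."""
    totals = {}
    for f in flows_overlapping(flows, win_start, win_end):
        key = (f.src, f.dst)
        totals[key] = totals.get(key, 0) + prorated_bytes(f, win_start, win_end)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("contained :", [(f.src, f.dst) for f in flows_contained(SAMPLE_FLOWS, WINDOW_START, WINDOW_END)])
    print("overlapping:", [(f.src, f.dst) for f in flows_overlapping(SAMPLE_FLOWS, WINDOW_START, WINDOW_END)])
    for pair, b in top_talkers(SAMPLE_FLOWS, WINDOW_START, WINDOW_END):
        print(f"{pair[0]:>10} -> {pair[1]:<14} {b:>12,} bytes in window")
```

With the constructed data the "contained" query returns only the web session and the DNS lookup, while the "overlap" query also returns the replication job; prorated over the 5-minute window the job accounts for 300 MB and sorts to the top, which is the snapshot view the post asks for. Any history store that records a flow's first-seen and last-seen timestamps can be queried this way; the key is to filter on `start < window_end AND end > window_start` rather than on both endpoints lying inside the window.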
