Hi, If all the hosts seen fall in local networks, then you will see identical counters local2remote and remote2local. Indeed, the same amount of traffic is counted as egress (i.e., from a local network) and as ingress (i.e., to a local network).
Can you please verify if flow src and dst are always in local networks. Thanks On Wed, Feb 8, 2017 at 4:29 PM, Jean-Pierre Human <jphu...@gmail.com> wrote: > Hello > > I have ntopng with nProbe setup on a Ubuntu16 box, the full nBox setup > from the packages.ntop.org repo. I am exporting sflow data from a > Fortigate 60D (OS 5.4.3) to nProbe. > > The problem I am having is the Local / Remote traffic is being reported as > the same amount / flow speed. Infact the Ingress and Egress is always > displayed as exactly half of the total throughput at that time. This is > true for the little widget at the bottom next to the rev counter for > ingress and egress and on the home page of a host, when clicked the "Sent > vs Received Traffic Breakdown" is always a perfect 50/50 ratio. > > If I export flow data from a Mikrotik on a different network every thing > reports correctly. > > What is a little unique on this network is that there are a few /26 > subnets of public IP Addresses behind this firewall. There is no natting. I > have set these subnets as local subnets in ntopng as you can tell from my > config below. The firewall on the WAN side has a public address and a few > public subnets on the LAN side. Would this cause issues with remote/local > traffic differentiation? > > I have tried setting V5/V9 etc flow types same issue. I have enabled just > RX or TX from the Fortigate and these when individually enabled display > correctly. > > Any help or pointers would be appreciated. > > My configs: > > root@ntopng:~# cat /etc/ntopng/ntopng.conf > -n=3 > -w=3000 > -W=0 > -g=-1 > -m="41.xx.xx.0/26,196.x.x.x/26" > -F=mysql;localhost;ntopng;flows;ntopuser;secretxxx > -d=/storage/ntopng > -G=/var/run/ntopng.pid > -i=tcp://127.0.0.1:5556 > > > root@ntopng:~# cat /etc/nprobe/nprobe-ens18.conf > -n=none > -i=none > -3=2055 > -s=128 > -t=60 > -d=60 > -a=0 > -e=1 > -B=10 > -w=128000 > -z=0 > -S=1:1 > -E=0:0 > -g=/var/run/nprobe-ens18.pid > --zmq=tcp://127.0.0.1:5556 > -V=5 > --dump-stats=/var/log/nprobe/ens18-0_flows_stats.txt > > The fortigate was configured with the instructions here: > http://kb.fortinet.com/kb/documentLink.do?externalID=FD36460 > > Thanks and Regards > Jean-Pierre Human > > _______________________________________________ > Ntop mailing list > Ntop@listgateway.unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop >
_______________________________________________ Ntop mailing list Ntop@listgateway.unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop
