Yes. You are confused...
What is stored is the information about a host, not all of the counts, etc.
about a device (network interface).
And it's retrieved ONLY when traffic is seen from that host after the
restart.
So if you go into the host details (e.g. the 192.168.1.1.html page) you
should see prior-run information.
But if you're looking for device throughput to be preserved... nope...
-----Burton
If you want to follow along, here's the code snips (from 2.0 released, but
they're all pretty similar)...
Look in pbuf.c around 238 - you can see when/how it retrieves the stored
information - when it's storing into a slot in the host hash table that was
previously empty, IF there is stored data about that host...
if(!hostFound) {
if(firstEmptySlot != NO_PEER) {
/* New table entry */
int len;
if(usePersistentStorage) {
if((hostIpAddress == NULL) || (isLocalAddress(hostIpAddress)))
el = resurrectHostTrafficInstance(etheraddr_string(ether_addr));
else
el = resurrectHostTrafficInstance(_intoa(*hostIpAddress, buf,
sizeof(buf)));
} else
el = NULL;
...
The store is in hash.c around 935, in void freeHostInfo(int theDevice, u_int
hostIdx, u_short refreshHash):
if(usePersistentStorage != 0) {
if((!broadcastHost(host))
&& ((usePersistentStorage == 1)
|| subnetPseudoLocalHost(host)
/*
Courtesy of
Joel Crisp <[EMAIL PROTECTED]>
*/
))
storeHostTrafficInstance(host);
}
freeHostInfo is called
* from initialize.c @ 377 (resetStats)
* pbuf @ 477, freeing the oldest hash entry to make room
* hash from freeIdleHosts - called itself by the timed loop
and
& freeHostInstances - called from cleanup
Follow me so far? You are thinking of it as a total state save/restore.
It's not...
What it is saving (util.c) is this:
void storeHostTrafficInstance(HostTraffic *el) {
#ifdef HAVE_GDBM_H
datum key_data;
datum data_data;
char *key;
if(broadcastHost(el))
return;
if(el->ethAddressString[0] == '\0')
key = el->hostNumIpAddress;
else
key = el->ethAddressString;
#ifdef STORAGE_DEBUG
traceEvent(TRACE_INFO, "storeHostTrafficInstance(%s)\n", key);
#endif
/*
Before to store the instance all the pointers need
to be deleted (i.e. set to NULL)
*/
resetHostsVariables(el);
key_data.dptr = key;
key_data.dsize = strlen(key_data.dptr);
data_data.dptr = (void*)el;
data_data.dsize = sizeof(HostTraffic);
#ifdef MULTITHREADED
accessMutex(&gdbmMutex, "storeHostTrafficInstance");
#endif
if(gdbm_store(hostsInfoFile, key_data, data_data, GDBM_REPLACE) == 0) {
#ifdef STORAGE_DEBUG
traceEvent(TRACE_INFO, "Stored instance: '%s'\n", key);
#endif
fprintf(stdout, "+"); fflush(stdout);
}
#ifdef MULTITHREADED
releaseMutex(&gdbmMutex);
#endif
#else
;
#endif
}
HostTraffic is in ntop.h - it's the structure that holds all of the
information about a Host:
/* Host Traffic */
typedef struct hostTraffic {
struct in_addr hostIpAddress;
time_t firstSeen;
time_t lastSeen; /* time when this host has sent/received some
data */
time_t nextDBupdate; /* next time when the DB entry
for this host will be updated */
u_char ethAddress[ETHERNET_ADDRESS_LEN];
u_char lastEthAddress[ETHERNET_ADDRESS_LEN]; /* used for remote
addresses */
u_char instanceInUse; /* If so, this instance cannot be purged
*/
char ethAddressString[18];
char hostNumIpAddress[17], *fullDomainName;
char *dotDomainName, hostSymIpAddress[MAX_HOST_SYM_NAME_LEN],
*osName;
u_short minTTL, maxTTL; /* IP TTL (Time-To-Live) */
/* NetBIOS */
char nbNodeType, *nbHostName, *nbAccountName, *nbDomainName,
*nbDescr;
/* AppleTalk*/
u_short atNetwork;
u_char atNode;
char *atNodeName, *atNodeType[MAX_NODE_TYPES];
/* IPX */
char *ipxHostName;
u_short numIpxNodeTypes, ipxNodeType[MAX_NODE_TYPES];
fd_set flags;
TrafficCounter pktSent, pktReceived,
pktDuplicatedAckSent, pktDuplicatedAckRcvd;
TrafficCounter lastPktSent, lastPktReceived;
TrafficCounter pktBroadcastSent, bytesBroadcastSent;
TrafficCounter pktMulticastSent, bytesMulticastSent,
pktMulticastRcvd, bytesMulticastRcvd;
TrafficCounter lastBytesSent, lastHourBytesSent,
bytesSent, bytesSentLocally, bytesSentRemotely;
TrafficCounter lastBytesReceived, lastHourBytesReceived, bytesReceived,
bytesReceivedLocally, bytesReceivedFromRemote;
float actualRcvdThpt, lastHourRcvdThpt, averageRcvdThpt,
peakRcvdThpt,
actualSentThpt, lastHourSentThpt, averageSentThpt,
peakSentThpt;
float actualRcvdPktThpt, averageRcvdPktThpt, peakRcvdPktThpt,
actualSentPktThpt, averageSentPktThpt, peakSentPktThpt;
unsigned short actBandwidthUsage;
TrafficCounter lastCounterBytesSent, last24HoursBytesSent[25],
lastDayBytesSent,
lastCounterBytesRcvd, last24HoursBytesRcvd[25],
lastDayBytesRcvd;
/* Routing */
RoutingCounter *routedTraffic;
/* IP */
PortUsage **portsUsage; /* 0...TOP_ASSIGNED_IP_PORTS */
TrafficCounter ipBytesSent, ipBytesReceived;
TrafficCounter tcpSentLocally, tcpSentRemotely, udpSentLocally,
udpSentRemotely, icmpSent, ospfSent, igmpSent;
TrafficCounter tcpReceivedLocally, tcpReceivedFromRemote,
udpReceivedLocally,
udpReceivedFromRemote, icmpReceived, ospfReceived,
igmpReceived;
TrafficCounter tcpFragmentsSent, tcpFragmentsReceived,
udpFragmentsSent, udpFragmentsReceived,
icmpFragmentsSent, icmpFragmentsReceived;
/* Interesting Packets */
SecurityHostProbes *securityHostPkts;
/* non IP */
IcmpHostInfo *icmpInfo;
TrafficCounter stpSent, stpReceived; /* Spanning Tree */
TrafficCounter ipxSent, ipxReceived;
TrafficCounter osiSent, osiReceived;
TrafficCounter dlcSent, dlcReceived;
TrafficCounter arp_rarpSent, arp_rarpReceived;
TrafficCounter arpReqPktsSent, arpReplyPktsSent, arpReplyPktsRcvd;
TrafficCounter decnetSent, decnetReceived;
TrafficCounter appletalkSent, appletalkReceived;
TrafficCounter netbiosSent, netbiosReceived;
TrafficCounter qnxSent, qnxReceived;
TrafficCounter otherSent, otherReceived;
ProtoTrafficInfo *protoIPTrafficInfos; /* info about IP traffic
generated/received by this host */
IpGlobalSession *tcpSessionList,
*udpSessionList; /* list of sessions initiated/received
by this host */
UsageCounter contactedSentPeers; /* peers that talked with this host
*/
UsageCounter contactedRcvdPeers; /* peers that talked with this host
*/
UsageCounter contactedRouters; /* routers contacted by this host */
ServiceStats *dnsStats, *httpStats;
#ifdef ENABLE_NAPSTER
NapsterStats *napsterStats;
#endif
DHCPStats *dhcpStats;
/* *************** IMPORTANT ***************
If you add a pointer to this struct please
go to resurrectHostTrafficInstance() and
add a NULL to each pointer you added in the
newly resurrected.
*************** IMPORTANT *************** */
} HostTraffic;
Here is the purge (it's basically all the pointers, so that we're storing a
single fixed length record):
void resetHostsVariables(HostTraffic* el) {
FD_ZERO(&(el->flags));
resetUsageCounter(&el->contactedSentPeers);
resetUsageCounter(&el->contactedRcvdPeers);
resetUsageCounter(&el->contactedRouters);
el->fullDomainName = NULL;
el->dotDomainName = NULL;
el->hostSymIpAddress[0] = '\0';
el->osName = NULL;
el->nbHostName = NULL;
el->nbDomainName = NULL;
el->nbDescr = NULL; /* Fix courtesy of Francis Pintos
<[EMAIL PROTECTED]> */
el->atNodeName = NULL;
memset(el->atNodeType, 0, sizeof(el->atNodeType));
el->routedTraffic = NULL;
el->ipxHostName = NULL;
el->numIpxNodeTypes = 0;
el->portsUsage = NULL;
el->protoIPTrafficInfos = NULL;
el->tcpSessionList = NULL;
el->udpSessionList = NULL;
el->nextDBupdate = 0;
el->icmpInfo = NULL;
el->dnsStats = NULL;
el->httpStats = NULL;
#ifdef ENABLE_NAPSTER
el->napsterStats = NULL;
#endif
el->dhcpStats = NULL;
resetUsageCounter(&el->contactedSentPeers);
resetUsageCounter(&el->contactedRcvdPeers);
resetUsageCounter(&el->contactedRouters);
el->securityHostPkts = NULL;
}
But, notice, what's not being stored is the DEVICE information, that's
NtopInterface:
typedef struct ntopInterface {
char *name; /* unique interface name */
int flags; /* the status of the interface as viewed by
ntop */
u_int32_t addr; /* Internet address (four bytes notation)
*/
char *ipdot; /* IP address (dot notation) */
char *fqdn; /* FQDN (resolved for humans) */
struct in_addr network; /* network number associated to this
interface */
struct in_addr netmask; /* netmask associated to this interface */
u_int numHosts; /* # hosts of the subnet */
struct in_addr ifAddr; /* network number associated to this
interface */
/* local domainname */
time_t started; /* time the interface was enabled to look
at pkts */
time_t firstpkt; /* time first packet was captured */
time_t lastpkt; /* time last packet was captured */
pcap_t *pcapPtr; /* LBNL pcap handler */
pcap_dumper_t *pcapDumper; /* LBNL pcap dumper - enabled using the
'l' flag */
pcap_dumper_t *pcapErrDumper; /* LBNL pcap dumper - all suspicious
packets are logged */
char virtualDevice; /* set to 1 for virtual devices (e.g.
eth0:1) */
int snaplen; /* maximum # of bytes to capture foreach
pkt */
/* read timeout in milliseconds */
int datalink; /* data-link encapsulation type (see DLT_*
in net/bph.h) */
char *filter; /* user defined filter expression (if any)
*/
int fd; /* unique identifier (Unix file descriptor)
*/
FILE *fdv; /* verbosity file descriptor */
int hashing; /* hashing while sniffing */
int ethv; /* print ethernet header */
int ipv; /* print IP header */
int tcpv; /* print TCP header */
/*
* The packets section
*/
TrafficCounter droppedPkts; /* # of pkts dropped by the application */
TrafficCounter ethernetPkts; /* # of Ethernet pkts captured by the
application */
TrafficCounter broadcastPkts; /* # of broadcast pkts captured by the
application */
TrafficCounter multicastPkts; /* # of multicast pkts captured by the
application */
/*
* The bytes section
*/
TrafficCounter ethernetBytes; /* # bytes captured */
TrafficCounter ipBytes;
TrafficCounter fragmentedIpBytes;
TrafficCounter tcpBytes;
TrafficCounter udpBytes;
TrafficCounter otherIpBytes;
TrafficCounter icmpBytes;
TrafficCounter dlcBytes;
TrafficCounter ipxBytes;
TrafficCounter stpBytes; /* Spanning Tree */
TrafficCounter decnetBytes;
TrafficCounter netbiosBytes;
TrafficCounter arpRarpBytes;
TrafficCounter atalkBytes;
TrafficCounter ospfBytes;
TrafficCounter egpBytes;
TrafficCounter igmpBytes;
TrafficCounter osiBytes;
TrafficCounter qnxBytes;
TrafficCounter otherBytes;
TrafficCounter lastMinEthernetBytes;
TrafficCounter lastFiveMinsEthernetBytes;
TrafficCounter lastMinEthernetPkts;
TrafficCounter lastFiveMinsEthernetPkts;
TrafficCounter lastNumEthernetPkts;
TrafficCounter lastEthernetPkts;
TrafficCounter lastTotalPkts;
TrafficCounter lastBroadcastPkts;
TrafficCounter lastMulticastPkts;
TrafficCounter lastEthernetBytes;
TrafficCounter lastIpBytes;
TrafficCounter lastNonIpBytes;
PacketStats rcvdPktStats; /* statistics from start of the run to time of
call */
float peakThroughput, actualThpt, lastMinThpt, lastFiveMinsThpt;
float peakPacketThroughput, actualPktsThpt, lastMinPktsThpt,
lastFiveMinsPktsThpt;
time_t lastThptUpdate, lastMinThptUpdate;
time_t lastHourThptUpdate, lastFiveMinsThptUpdate;
TrafficCounter throughput;
float packetThroughput;
unsigned long numThptSamples;
ThptEntry last60MinutesThpt[60], last24HoursThpt[24];
float last30daysThpt[30];
u_short last60MinutesThptIdx, last24HoursThptIdx, last30daysThptIdx;
SimpleProtoTrafficInfo tcpGlobalTrafficStats, udpGlobalTrafficStats,
icmpGlobalTrafficStats;
SimpleProtoTrafficInfo *ipProtoStats;
TrafficCounter numEstablishedTCPConnections; /* = # really established
connections */
#ifdef MULTITHREADED
pthread_t pcapDispatchThreadId;
#endif
u_int hostsno; /* # of valid entries in the following table */
u_int actualHashSize, hashThreshold, topHashThreshold;
struct hostTraffic **hash_hostTraffic;
/* ************************** */
IpFragment *fragmentList;
struct ipSession **tcpSession;
u_short numTotSessions, numTcpSessions;
TrafficEntry** ipTrafficMatrix; /* Subnet traffic Matrix */
struct hostTraffic** ipTrafficMatrixHosts; /* Subnet traffic Matrix Hosts
*/
fd_set ipTrafficMatrixPromiscHosts;
} NtopInterface;
A device has information about many hosts, but the information stored and
recorded is only about the host, not the device...
Sorry!
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Igor
Schein
Sent: Wednesday, February 20, 2002 4:05 PM
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] a couple of questions
<snip>
Another thing I can't understand is that even with using -S 2 flag, the data
collection starts from zero when I restart ntop. It doesn't preserve the
old data. Am I misunderstanding something?
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop
