As I said in my reply, no.  ntop will purge inactive hosts, but the hash
never shrinks.  If there really are that many hosts referenced, well, then
you need that much data.  You could TRY to recompile with a smaller timeout
and/or growth #s (see the constants in ntop.h):

#define IDLE_HOST_PURGE_TIMEOUT  10*60    /*   30 minutes */

and

/* Hash table sizing gets confusing... see the code in hash.c for the
   actual details, but here is what's what as of May2002...

   The table is created of size HASH_INITIAL_SIZE...
   When first extended, it grows to HASH_MINIMUM_SIZE
   Between HASH_MINIMUM_SIZE and HASH_FACTOR_MAXIMUM,
             it grows by a multiplier, HASH_INCREASE_FACTOR
   After growing to HASH_FACTOR_MAXIMUM it begins to grow by HASH_TERMINAL_INCREASE

   So, the pattern is:

   32, 512, 1024, 2048, 4096, 8192, 12288 ...
 */

#define HASH_INITIAL_SIZE           32
#define HASH_MINIMUM_SIZE          512  /* Minimum after 1st extend */
#define HASH_FACTOR_MAXIMUM       4096 /* After it gets this big */
#define HASH_TERMINAL_INCREASE    4096 /*      grow by */
#define HASH_INCREASE_FACTOR         2    /* Between MINIMUM and TERMINAL, grow by... */


I also pointed out that if your internal users are running port scans to
outside systems, you will have a huge number of unique hosts.

If you can figure out how they are doing the scans, you MIGHT be able to use
a bpf filter -B "xxxx" to not look at those packets, e.g.
-B"!(icmp[0]=8 or icmp[0]=0)"  (I *think* that works to kill ICMP echo/request)

-----Burton
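
The growth schedule from the ntop.h comment and the purge-without-shrink behaviour described in this reply, as an added C sketch that is not part of the original message and not ntop's hash.c. The `struct table` model, the extend-when-full trigger and the host counts are assumptions constructed for illustration.

```c
/* Added illustration, not ntop's hash.c. Constants are those quoted from ntop.h. */
#include <stdio.h>

#define HASH_INITIAL_SIZE          32
#define HASH_MINIMUM_SIZE         512
#define HASH_FACTOR_MAXIMUM      4096
#define HASH_TERMINAL_INCREASE   4096
#define HASH_INCREASE_FACTOR        2

/* Size after one extension, following the schedule in the ntop.h comment. */
unsigned next_hash_size(unsigned size) {
    if (size < HASH_MINIMUM_SIZE)   return HASH_MINIMUM_SIZE;
    if (size < HASH_FACTOR_MAXIMUM) return size * HASH_INCREASE_FACTOR;
    return size + HASH_TERMINAL_INCREASE;
}

/* Extensions needed before the table has at least `slots` slots. */
unsigned extensions_for(unsigned slots, unsigned *final_size) {
    unsigned size = HASH_INITIAL_SIZE, n = 0;
    while (size < slots) { size = next_hash_size(size); n++; }
    if (final_size) *final_size = size;
    return n;
}

/* Assumed model: extend when the table is full; a purge frees entries
   but leaves the capacity where it was. */
struct table { unsigned size, used; };

void add_hosts(struct table *t, unsigned n) {
    t->used += n;
    while (t->used > t->size) t->size = next_hash_size(t->size);
}

void purge_hosts(struct table *t, unsigned n) {
    t->used = (n > t->used) ? 0 : t->used - n;
}

int main(void) {
    unsigned final_size;
    unsigned n = extensions_for(65536, &final_size);
    printf("%u extensions to reach newSize=%u\n", n, final_size);

    struct table t = { HASH_INITIAL_SIZE, 0 };
    add_hosts(&t, 300);      /* constructed: regular hosts */
    add_hosts(&t, 60000);    /* constructed: burst of unique scan targets */
    printf("after burst: used=%u size=%u\n", t.used, t.size);
    purge_hosts(&t, 60000);  /* idle entries purged after the timeout */
    printf("after purge: used=%u size=%u\n", t.used, t.size);
    return 0;
}
```
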


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rob Trout
Sent: Wednesday, October 02, 2002 9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Large hash


I am running it on a border gateway, it's a mirrored external port....

I used the flag to not trust MACs, is there anything else I can do to
limit the hash size?

Robert Trout
T-Speed
[EMAIL PROTECTED]
(office) 214.237.3388
www.t-speed.com


-----Original Message-----
From: Luca Deri [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 02, 2002 7:02 AM
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] Large hash


Rob,
a large hash is normal for a large nw. If this is not your case there's
something wrong.

Where are you running ntop? On a border gw? Make sure you use the proper
options.

Regards, Luca

Rob Trout wrote:

>After running for a few days, I get:
>
>Sep 30 22:45:43 stats ntop[1682]: Extending hash size [newSize=65536][deviceId=0]
>
>Which seems like a pretty large hash compared to others I have seen on
>the list. We're running ntop 2.1.51 on Mandrake 8.2. It's a p3-900 w/
>256mb ram. This host is only used for ntop. I'm starting with the
>command line of:
>
>/usr/local/bin/ntop -P /server/ntop-current/ntop/database -p
>/server/ntop-current/ntop/utils/protocol.list -d -u ntop -o -m
>x.x.x.x/x
>
>Is there a way to limit the hash-size, and if so what would be the
>trade-off of doing so? This is monitoring an internet connection that
>averages about 4 mb, but can peak at 9-10mb
>
>
>Thanks in advance.
>
>
>_______________________________________________
>Ntop mailing list
>[EMAIL PROTECTED]
>http://lists.ntop.org/mailman/listinfo/ntop
>
>


--
Luca Deri <[EMAIL PROTECTED]>       http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being
clever about it - Richard Stallman

