I'm smacking myself, but I still don't get it. Let me ask a slighty different question then. What traffic causes the "Data Rcvd" column to increment? Your example below seems to only address the "Data Sent" column.
I'm sorry for being so stupid, but if you could do your example with both the data received and data sent columns I think that I'd finally get it. Thanks for all of your help, Jim -----Original Message----- From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]] Sent: Saturday, October 12, 2002 1:18 PM To: [EMAIL PROTECTED] Cc: Jim Johnson Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal. Yeah, it's so simple that you're going to smack yourself... Think about what SEND and RECEIVED means. Think about what ntop sees... ntop sees what's on the wire and classifies it based on the interface IPs and the -m parameter. It would only be symetric if it was L-L traffic. 192.168.1.1 -> www.yahoo.com: HTTP GET xxxxx..... 30 bytes L->R www.yahoo.com -> 192.168.1.1: 200 OK 10 bytes R->L www.yahoo.com -> 192.168.1.1: <html> .... </html> 2000 bytes R->L etc. -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Johnson Sent: Saturday, October 12, 2002 10:33 AM To: [EMAIL PROTECTED] Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal. To use your example, why doesn't the 30 byte request show up as data sent traffic on the L->R page and also as data received on the R->L page. For the couple meg reply why doesn't that show up as data sent traffic on the R->L page and also as data received on the L->R page? In my mind all data sent on the L->R page would also be seen as data received on the R->L page. Also all data sent on the R->L page would also be seen as data received on the L->R page. Basically I don't understand how a local host can have data sent to a remote host that isn't also data received by the remote host and vice-versa. I'm sure it's something simple that I'm not understanding, but I still don't get it. -----Original Message----- From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]] Sent: Saturday, October 12, 2002 8:33 AM To: [EMAIL PROTECTED] Cc: Jim Johnson Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal. Um... why the HECK should it? You send "HTTP GET abc.html", so that's what, 30 bytes L->R You get back a couple of Meg of web page and images, R->L -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Johnson Sent: Thursday, October 10, 2002 2:19 PM To: [EMAIL PROTECTED] Subject: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal. On my "IP Traffic" page at the bottom it lists your total traffic. Why don't the "remote to local" and "local to remote" totals equal each other? Wouldn't all traffic sent from a remote host to a local host show up on the R->L page as data sent from the remote host and on the L->R page as data received by a local host? If so shouldn't the two "total traffic" numbers on the R->L and L->R pages equal each other? I'm running ntop v.2.1.51 on RedHat 8. _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
