Your assumption that "L->R sent traffic is also R->L received" is wrong. That's NOT what I'm saying...
What happens when hosts become idle and their counts drop off the detailed pages, but remain in the ntop-wide totals? The R host is much more likely to become idle than the L host (say you're surfing the NY Times then move to the Times (London) -- two hosts R, one host L).

What about retries... Multicasting... Asymmetric routing... etc.

Only in the simplest case, such as what I've illustrated will they be equal.

-----Burton

-----Original Message-----
From: Jim Johnson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 13, 2002 12:41 PM
To: [EMAIL PROTECTED]
Cc: Burton M. Strauss III
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal.

Your example below and attached web pages show exactly how I think it should work. If you look at the "Total Traffic" count in both your attached "Local to Remote IP Traffic.htm" and "Remote to Local IP Traffic.htm" you'll see that it's identical on both pages (9.3 MB). This makes sense to me as all L->R sent traffic is also R->L received traffic and vice versa. On my ntop box these two "Total Traffic" counts are very different (by a factor of about 50). If you could explain or give an example where these two "Total Traffic" counts can be different I'd be forever in your debt!

Thanks for your patience,
Jim

PS. "Local to Remote IP Traffic.htm" and "Remote to Local IP Traffic.htm" are the only web pages I've ever meant to refer to in my posts.

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 13, 2002 8:01 AM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal.

Yes, you are being dense...

It's all based on what ntop SEES in the packets. Repeat: ntop sees packets and ONLY packets. Packets have a FROM and a TO address. Which packets ntop sees is determined by the interfaces it is monitoring.
Traffic is classified based on the joint classification of the FROM address (L or R) and the TO address (L or R). Only in L->L traffic will ntop see sent=rcvd.

Host:                                         192.168.1.x         www.yahoo.com
                                              L->R      R->L      L->R      R->L
                                              S    R    S    R    S    R    S    R
192.168.1.x>www.yahoo.com  HTTP GET ...       30   .    .    .    .    .    .    30
www.yahoo.com>192.168.1.x  HTTP 200           .    .    .    8    8    .    .    .
www.yahoo.com>192.168.1.x  <html>...</html>   .    .    .    200  200  .    .    .
etc.

It does show up on the L->R and R->L pages (see the attached). What ntop doesn't do is to double count the data in its totals.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Johnson
Sent: Saturday, October 12, 2002 10:56 PM
To: [EMAIL PROTECTED]
Cc: Burton M. Strauss III
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal.

I'm smacking myself, but I still don't get it. Let me ask a slightly different question then. What traffic causes the "Data Rcvd" column to increment? Your example below seems to only address the "Data Sent" column. I'm sorry for being so stupid, but if you could do your example with both the data received and data sent columns I think that I'd finally get it.

Thanks for all of your help,
Jim

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 12, 2002 1:18 PM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal.

Yeah, it's so simple that you're going to smack yourself...

Think about what SEND and RECEIVED means. Think about what ntop sees... ntop sees what's on the wire and classifies it based on the interface IPs and the -m parameter. It would only be symmetric if it was L-L traffic.

192.168.1.1 -> www.yahoo.com: HTTP GET xxxxx.....         30 bytes    L->R
www.yahoo.com -> 192.168.1.1: 200 OK                      10 bytes    R->L
www.yahoo.com -> 192.168.1.1: <html> .... </html>         2000 bytes  R->L
etc.
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Johnson
Sent: Saturday, October 12, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal.

To use your example, why doesn't the 30 byte request show up as data sent traffic on the L->R page and also as data received on the R->L page. For the couple meg reply why doesn't that show up as data sent traffic on the R->L page and also as data received on the L->R page?

In my mind all data sent on the L->R page would also be seen as data received on the R->L page. Also all data sent on the R->L page would also be seen as data received on the L->R page.

Basically I don't understand how a local host can have data sent to a remote host that isn't also data received by the remote host and vice-versa. I'm sure it's something simple that I'm not understanding, but I still don't get it.

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 12, 2002 8:33 AM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal.

Um... why the HECK should it?

You send "HTTP GET abc.html", so that's what, 30 bytes L->R
You get back a couple of Meg of web page and images, R->L

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Johnson
Sent: Thursday, October 10, 2002 2:19 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] IP Traffic "remote to local" and "local to remote" totals don't equal.

On my "IP Traffic" page at the bottom it lists your total traffic. Why don't the "remote to local" and "local to remote" totals equal each other? Wouldn't all traffic sent from a remote host to a local host show up on the R->L page as data sent from the remote host and on the L->R page as data received by a local host?
If so shouldn't the two "total traffic" numbers on the R->L and L->R pages equal each other?

I'm running ntop v.2.1.51 on RedHat 8.

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
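
Added example, not part of the original thread and not ntop's code: a simplified model of the accounting discussed above, using the 30/10/2000-byte exchange from the thread, showing that L->R and R->L totals differ and that per-host page sums drift from the instance-wide totals once an idle remote host is dropped. The names (Accounting, side, page, purge, demo), the remote addresses and the purge-by-deletion behaviour are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed local subnet, standing in for what the -m parameter would declare.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

def side(addr):
    """Classify an address as local (L) or remote (R)."""
    return "L" if ipaddress.ip_address(addr) in LOCAL_NET else "R"

class Accounting:
    """Simplified per-host, per-direction byte counters (hypothetical model)."""
    def __init__(self):
        self.hosts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # [sent, rcvd]
        self.totals = defaultdict(int)  # instance-wide bytes per direction

    def packet(self, src, dst, nbytes):
        direction = f"{side(src)}->{side(dst)}"
        self.hosts[src][direction][0] += nbytes  # sender's "Data Sent"
        self.hosts[dst][direction][1] += nbytes  # receiver's "Data Rcvd"
        self.totals[direction] += nbytes         # counted once, not doubled

    def purge(self, addr):
        """Idle host drops off the detail pages; the totals keep its bytes."""
        self.hosts.pop(addr, None)

    def page(self, direction, host_side):
        """(sent, rcvd) summed over still-listed hosts on one side."""
        sent = rcvd = 0
        for addr, dirs in self.hosts.items():
            if side(addr) == host_side and direction in dirs:
                sent += dirs[direction][0]
                rcvd += dirs[direction][1]
        return sent, rcvd

def demo():
    acct = Accounting()
    # Constructed sample hosts: one local client, two remote web sites.
    local, r1, r2 = "192.168.1.1", "203.0.113.10", "198.51.100.20"
    for remote in (r1, r2):
        acct.packet(local, remote, 30)    # HTTP GET
        acct.packet(remote, local, 10)    # 200 OK
        acct.packet(remote, local, 2000)  # <html> ... </html>
    before = (acct.page("R->L", "R"), acct.page("R->L", "L"))
    acct.purge(r1)                        # first remote site goes idle
    after = (acct.page("R->L", "R"), acct.page("R->L", "L"))
    return dict(acct.totals), before, after

if __name__ == "__main__":
    print(demo())
```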
