"For the case that may apply to me and be causing my results "What
happens when hosts become idle and their counts drop off the detailed
pages, but remain in the ntop-wide totals?".  If by this you mean that
once a remote host drops off the R->L page its traffic is removed from
the R->L totals then this could explain what I'm seeing."

Yes... look in report.c ... the total at the bottom is a sum of the lines.


Where do you get the 24h assumption?  Idle hosts are dropped every 5 minutes,

 ntop.h:  2111   #define PURGE_HOSTS_DELAY        300      /* 5 mins  */


It's also dependent on persistent data, if you revive local LAN hosts,
there's a lot of traffic there and if they don't recontact the same remote
hosts (thus reviving them), then the other "side" isn't counted.

-----Burton
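A toy model of the accounting Burton describes, added here as an illustration and not code from ntop itself: each host keeps a row of bytes sent and received, each page total is the sum of that page's rows, the ntop-wide total is summed per packet and never purged, and idle rows are dropped after PURGE_HOSTS_DELAY. The local network, host addresses (RFC 5737 documentation ranges) and byte counts are constructed, and LOCAL_NETS stands in for what ntop's -m parameter defines.

```python
from ipaddress import ip_address, ip_network

PURGE_HOSTS_DELAY = 300  # seconds; the ntop.h value quoted in the thread
LOCAL_NETS = [ip_network("192.168.1.0/24")]  # constructed; stands in for -m

def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)

class Accounting:
    """Per-host rows plus an ntop-wide total, modelling L<->R traffic only."""
    def __init__(self):
        self.rows = {}   # ip -> {"sent": bytes, "rcvd": bytes, "seen": t}
        self.total = 0   # ntop-wide total: summed per packet, never purged

    def packet(self, t, src, dst, nbytes):
        if is_local(src) == is_local(dst):
            return       # L->L and R->R traffic is accounted elsewhere
        for ip, col in ((src, "sent"), (dst, "rcvd")):
            row = self.rows.setdefault(ip, {"sent": 0, "rcvd": 0, "seen": t})
            row[col] += nbytes
            row["seen"] = t
        self.total += nbytes

    def purge_idle(self, now):
        idle = [ip for ip, r in self.rows.items()
                if now - r["seen"] > PURGE_HOSTS_DELAY]
        for ip in idle:
            del self.rows[ip]   # the row disappears; self.total keeps its bytes

    def page_total(self, local_page):
        """(sent, rcvd) summed over the rows of the L->R or R->L page."""
        rows = [r for ip, r in self.rows.items() if is_local(ip) == local_page]
        return sum(r["sent"] for r in rows), sum(r["rcvd"] for r in rows)

def simulate():
    """Constructed traffic: one local browser fetches from two remote sites."""
    acct = Accounting()
    acct.packet(0, "192.168.1.10", "203.0.113.5", 30)       # HTTP GET, L->R
    acct.packet(1, "203.0.113.5", "192.168.1.10", 2000)     # reply, R->L
    acct.packet(400, "192.168.1.10", "198.51.100.7", 30)    # second site
    acct.packet(401, "198.51.100.7", "192.168.1.10", 5000)
    before = (acct.page_total(True), acct.page_total(False))
    acct.purge_idle(now=600)  # 203.0.113.5 idle > 300 s; the local host is not
    after = (acct.page_total(True), acct.page_total(False))
    return before, after, acct.total

if __name__ == "__main__":
    before, after, total = simulate()
    print("L->R page / R->L page before purge:", before, "after:", after)
    print("ntop-wide total bytes (unchanged by the purge):", total)
```

Before the purge the L->R page's sent equals the R->L page's received (60 bytes) and vice versa (7000 bytes); after the first remote host is purged the R->L page drops to 5030 bytes while the L->R page still shows 7060, the same figure the ntop-wide total keeps.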
-----Original Message-----
From: Jim Johnson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 13, 2002 11:25 PM
To: [EMAIL PROTECTED]
Cc: Burton M. Strauss III
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


In my set up I still think that they would be equal.  I start ntop with
the "o" option so that it tracks all data by IP address.  My network
looks like this:

LAN<->ROUTER<->HUB<->ROUTER<->INTERNET

My ntop box is plugged into the hub between my LAN and the Internet, so
it sees all Internet traffic.  Below I comment on your examples with
respect to my setup:

Retries:  I would expect ntop to increment both the data sent and
received columns like normal.  Even if the receiving host doesn't
receive the traffic ntop doesn't know that.  In this case I would expect
"L->R sent traffic to equal R->L received".

Multicasts:  This could skew the results depending how ntop chose to
count it (if it uses the same simple IP tracking mechanism I envision in
my head the results would still be the same).  I don't believe that I
have any multicast traffic traversing this link, so this shouldn't apply
to me (ntop doesn't show any multicast traffic either).

Asymmetric routing:  This is my only connection to the Internet so it
doesn't apply to my situation.  If it did apply to me, I don't see how
it would skew the results.  Ntop wouldn't see all the traffic, but I
would expect all the traffic it did see to be equally counted on the
L->R and R->L pages.  In this case I would expect "L->R sent traffic to
equal R->L received".

For the case that may apply to me and be causing my results "What
happens when hosts become idle and their counts drop off the detailed
pages, but remain in the ntop-wide totals?".  If by this you mean that
once a remote host drops off the R->L page its traffic is removed from
the R->L totals then this could explain what I'm seeing.

A remote host is much more likely to be idle (not contacted) for 24
hours (at least I think that is the cut off period), and therefore
dropped from the R->L page.  Since my internal hosts will probably never
drop (i.e. never be idle for 24 hours) my L->R page total never shrinks,
whereas the R->L total shrinks every time a remote host is idle for 24
hours.  Keep this up for about a week and I get an L->R page total about
50 times bigger than my R->L total.

Unfortunately when I tested this theory it fell short of explaining my
results.  After just 30 minutes my L->R traffic total was already about
17% greater than my R->L total.  So although dropping idle hosts may
contribute to what I'm seeing, it's definitely not the major cause of
it.

I appreciate all the time you've (Burton) spent working with me on this.
I still don't think that your examples disprove my assumption that "all
L->R sent traffic is also R->L received traffic", but I appreciate your
effort to lift the fog from my mind on this! :)

Thanks,
Jim

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 13, 2002 1:50 PM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


Your assumption that "L->R sent traffic is also R->L received" is wrong.
That's NOT what I'm saying...

What happens when hosts become idle and their counts drop off the detailed
pages, but remain in the ntop-wide totals?  The R host is much more likely
to become idle than the L host (say you're surfing the NY Times then move to
the Times (London) -- two hosts R, one host L).

What about retries...

Multicasting...

Asymmetric routing...

etc.


Only in the simplest case, such as what I've illustrated, will they be
equal.


-----Burton



-----Original Message-----
From: Jim Johnson [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 13, 2002 12:41 PM
To: [EMAIL PROTECTED]
Cc: Burton M. Strauss III
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


Your example below and attached web pages show exactly how I think it
should work.  If you look at the "Total Traffic" count in both your
attached "Local to Remote IP Traffic.htm" and "Remote to Local IP
Traffic.htm" you'll see that it's identical on both pages (9.3 MB).
This makes sense to me as all L->R sent traffic is also R->L received
traffic and vice versa.

On my ntop box these two "Total Traffic" counts are very different (by a
factor of about 50).  If you could explain or give an example where
these two "Total Traffic" counts can be different I'd be forever in your
debt!

Thanks for your patience,
Jim

PS. "Local to Remote IP Traffic.htm" and "Remote to Local IP
Traffic.htm" are the only web pages I've ever meant to refer to in my
posts.


-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 13, 2002 8:01 AM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


Yes, you are being dense...

It's all based on what ntop SEES in the packets.  Repeat: ntop sees packets
and ONLY packets.  Packets have a FROM and a TO address.  Which packets ntop
sees is determined by the interfaces it is monitoring.  Traffic is
classified based on the joint classification of the FROM address (L or R)
and the TO address (L or R).

Only in L->L traffic will ntop see sent=rcvd.

                      Host: 192.168.1.x  www.yahoo.com
                            L->R  R->L   L->R  R->L
                            S  R  S  R   S  R  S  R
192.168.1.x>www.yahoo.com
  HTTP GET ...             30  .  .  .   .  .  . 30

www.yahoo.com>192.168.1.x
  HTTP 200                  .  .  .  8   8  .  .  .

www.yahoo.com>192.168.1.x   .  .  .200 200  .  .  .
  <html>...</html>

etc.

It does show up on the L->R and R->L pages (see the attached).

What ntop doesn't do is to double count the data in its totals.


-----Burton



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim
Johnson
Sent: Saturday, October 12, 2002 10:56 PM
To: [EMAIL PROTECTED]
Cc: Burton M. Strauss III
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


I'm smacking myself, but I still don't get it.  Let me ask a slightly
different question then.  What traffic causes the "Data Rcvd" column to
increment?  Your example below seems to only address the "Data Sent"
column.

I'm sorry for being so stupid, but if you could do your example with
both the data received and data sent columns I think that I'd finally
get it.

Thanks for all of your help,
Jim

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 12, 2002 1:18 PM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


Yeah, it's so simple that you're going to smack yourself...

Think about what SEND and RECEIVED means.  Think about what ntop sees...

ntop sees what's on the wire and classifies it based on the interface IPs
and the -m parameter.  It would only be symmetric if it was L-L traffic.


192.168.1.1 -> www.yahoo.com: HTTP GET xxxxx.....

30 bytes L->R

www.yahoo.com -> 192.168.1.1: 200 OK

10 bytes R->L

www.yahoo.com -> 192.168.1.1: <html> .... </html>

2000 bytes R->L

etc.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim
Johnson
Sent: Saturday, October 12, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


To use your example, why doesn't the 30 byte request show up as data
sent traffic on the L->R page and also as data received on the R->L
page.  For the couple meg reply why doesn't that show up as data sent
traffic on the R->L page and also as data received on the L->R page?

In my mind all data sent on the L->R page would also be seen as data
received on the R->L page.  Also all data sent on the R->L page would
also be seen as data received on the L->R page.  Basically I don't
understand how a local host can have data sent to a remote host that
isn't also data received by the remote host and vice-versa.

I'm sure it's something simple that I'm not understanding, but I still
don't get it.

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 12, 2002 8:33 AM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


Um... why the HECK should it?

You send "HTTP GET abc.html", so that's what, 30 bytes L->R
You get back a couple of Meg of web page and images, R->L

-----Burton


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim
Johnson
Sent: Thursday, October 10, 2002 2:19 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.


On my "IP Traffic" page at the bottom it lists your total traffic.  Why
don't the "remote to local" and "local to remote" totals equal each
other?  Wouldn't all traffic sent from a remote host to a local host
show up on the R->L page as data sent from the remote host and on the
L->R page as data received by a local host?  If so shouldn't the two
"total traffic" numbers on the R->L and L->R pages equal each other?

I'm running ntop v.2.1.51 on RedHat 8.
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop