I've got FreeBSD 5.4 on P4/2.8 with a gig of ram and SuSe 9.2 on a quad Xeon 500 also with a gig of ram. I'm running the ntop that comes with SuSe 9.2 ( ntop-3.0.053-3) and I pulled the latest ports for FreeBSD and built ntop 3.1.
I've got netflow version 5 exports coming from a pair of Cisco 3660s. One has a DS3 to Sprint, the other has a 100 mbit fiber connection to another regional provider a few blocks from here. It is 0300 as I write this and I'm seeing about 4 mbits on the DS3 and about 1.5 mbits on the fiber link. The provider has 29 /24s worth of space and we rapidly exhaust the static 4096 slot address resolution queue.
The SuSe box lasts for all of three minutes accepting flows before ntop dies. The BSD box will run for quite a bit longer, but it too dies with an unresponsive web server and a still running ntop. I've copied /var/db/ntop into three separate directories under /var/db, created one instance of ntop for the onboard NIC and each of the netflow exports. Running with the split configuration yields stable monitoring of the local NIC and the fiber link but the DS3 link monitor still dies, but it takes much longer - perhaps thirty minutes. It should be noted that even with the -P <other directory> option all of the rrd stuff goes in /var/db/ntop/rrd - I don't know enough about rrd to tell if this is OK, but it seems like a bug to me.
Am I chasing my tail by trying to get ntop to behave with this much traffic volume, or are there some tuning things I'm missing here? I wouldn't want to undertake debugging any C code but I'd be happy to work with a developer if they wanted access to the system to see these things as they occur.
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
