First, try checking the stats in the netFlow plugin to see
why flows are being dropped. It's most likely port 0 flows (non tcp/ip)
stuff...
-----Burton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goor, M. van, (ITBE)
Sent: Friday, September 09, 2005 4:02 AM
To: [email protected]
Subject: [Ntop] missing flow data

Hello,

I have a cisco 6509 which is configured to do netflow. This stream gets to a machine where flow-tools captures it. This has been checked and at this point the flow is complete. Then I use flow-tools to export it (via flow-fanout) to my ntop box. (Yes, after the testing is done, the box capturing will get installed with nProbe; this cannot be done now, because both mirror ports on the switch are used.)

So far so good. On the ntop machine (which is a dual P4 xeon HTT, linux sees 4 procs and 5GB ram installed) I tested with flow-tools to check if the stream got over correctly. This happened. The capture on the capture machine was identical to the capture on the ntop machine. After this I had high hopes for ntop, thus I installed cvs. Cranked it up and set the netflow module to capture the stream. So far everything works great, but ntop misses about 40% of the stream. Now since flow-tools got the stream okay and was able to dump it to the hard drive without using any cpu time or a big deal of memory, I thought ntop should be working great as well.

Obviously I was wrong. The cpu isn’t spiking above 100% utilization and memory is available enough for ntop to be used. This leads me to my question: what could I try to improve the flows that ntop receives? I would very much like to get a 0% drop or, if it is inevitable, no more than 0.1%. Any advice would be greatly appreciated.

I’ll give you an idea how many flows I get per second:

Average flows / second (flow) : 588.9946
Average flows / second (real) : 726.2820

This is done with flow-stat on the dumped data flow-capture gives.

Would PF_RING improve ntop performance, or is it a buffer in ntop I need to expand? Or does ntop still use libpcap to get the stream, in which case PF_RING could help a great deal.

Thanks in advance,
Mike van Goor.
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
