|
Why don't you post all the stats - saves me from asking
piecemeal.
-----Burton From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goor, M. van, (ITBE) Sent: Friday, September 09, 2005 7:04 AM To: [email protected] Subject: RE: [Ntop] missing flow data Hi
Burton, First thanks for
replying, but I did forget to tell you that there are no discarded flows. In the
Netflow stats all counters are 0. Number of Flows with
Zero Packet Count 0 Number of Flows with
Zero Byte Count 0 Number of Flows with
Zero Bad Data 0 Number of Flows with
Zero Unknown Template 0 Mike. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss First, try checking the
stats in the netFlow plugin to see why flows are being dropped. It's most
likely port 0 flows (non tcp/ip) stuff... ----- From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goor, M. van,
(ITBE) Hello, I have a cisco 6509 which is
configures to do netflow. This stream gets to a machine where flow-tools
captures it. This has been checked and at this point the flow is complete. Then
I use flow-tools to export it (via flow-fanout) to my ntop box. (yes, after the
testing is done, the box capturing will get installed with nProbe, this cannot
be done now, because both mirror ports on the switch are
used). So far so good, on the ntop machine
(which is a dual P4 xeon HTT, linux sees 4 procs and 5GB ram installed) I tested
with flow-tools to check if the stream got over correct. This happened. The
capture on the capture machine was identicall to the capture on the ntop
machine. After this I had high hopes for ntop, thus I installed cvs. Cranked it
up and set the netflow module to capture the stream. So far everything works
great, but ntop misses about 40% of the stream. Now since flow-tools got the
stream okay and was able to dump it to the hard drive without using any cpu time
or a big deal of memory, I thought ntop should be working great
aswell. Obviously I was wrong. The cpu isn’t
spiking above 100% utilization and memory is available enough for ntop to be
used. This leads me to my question, wat could I try to improve the flows that
ntop receives. I would very much like to get a 0% drop or if it is inevitable no
more than 0.1%. Any advise would be greatly appreciated. I’ll give you an idea
how many flows I get per second: Average flows / second
(flow) : 588.9946 Average flows / second
(real) : 726.2820 This is done with flow-stat on the
dumped data flow-capture gives. Would PF_RING improve ntop
performance, or is it a buffer in ntop I need to expand. Or does ntop still use
libpcap to get the stream, in which case PF_RING could help a great
deal. Thanks in
advance, Mike van
Goor. |
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
