If you aren't tracking data on the local NIC, you should be specifying ( or using -i none if data is coming in via netFlow).
Otherwise ntop tries to process all those packets too! -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rader, D. Alan Sent: Thursday, October 06, 2005 3:53 PM To: [email protected] Subject: RE: [Ntop] Sessions Hanging I set up the mirror/span to only look at two vlans which have maybe 50 total PCs in them and it did not make a difference. The NIC ntop is using is in the same vlan as all our servers. It does just fine collecting data that way and there is a lot more traffic between all our servers than there is to the internet. So I don't think it is an issue of the hardware not being able to handle it. Plus it is a gig link monitoring a 100mb link to our firewall. I did try using the -m and one subnet and it still hangs. I think my usage was correct: ntop --no-mac -m 10.1.24.0/24 -w 10.1.12.20:3000 Under show config it lists just the one subnet. It does not seem to work though as I still see other subnets. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Aaron Grewell Sent: Thursday, October 06, 2005 2:47 PM To: [email protected] Subject: RE: [Ntop] Sessions Hanging On Thu, 2005-10-06 at 14:18 -0500, Rader, D. Alan wrote: > After more testing, it looks like whenever I watch a mirror port is > when this happens. I have tried all the below switches: > > --no-mac > -n > --numeric-ip-addresses > --no-promiscuous > > None of which made a difference. It doesn't matter if I mirror a > single vlan, or all traffic it causes sessions to hang. If I just > watch the traffic in the subnet that em1 is in, everything is fine. > It doesn't do me any good if I can't watch all traffic coming and > going to/from the Internet. Any ideas? > Are you sure you have enough hardware? My traffic is mostly in the 10MB range, with spikes up to 30 or so. On my 2x866MHz Xeon w/2GB RAM I had to restrict NTop pretty substantially to keep it up at all when watching our WAN link. Defining --local-subnets and then using --track-local-hosts to only watch those hosts in depth made the biggest difference, but it took the whole package in order to reach relative stability. It still crashes from time to time, but nowhere near as frequently as before. Here are the performance-related switches I use: --local-subnets --no-mac --track-local-hosts --disable-sessions --no-fc --disable-decoders HTH, -Aaron _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop -------------------------------------------- ATTENTION: To ensure compliance with applicable Internal Revenue Service Regulations, we inform you that any tax advice contained in this electronic message was not intended or written to be used, and cannot be used, for the purpose of avoiding penalties under the Internal Revenue Code. This message and all attachments are PRIVATE, and may contain information that is CONFIDENTIAL and PRIVILEGED. If you received this message in error, please notify the sender by reply e-mail and delete the message immediately. _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
