I think I may have finally figured out the problem where remote to local was not displayed.

It would show a download from a host as traffic on the gateway, not on the actual host, so I would download a 100mb file to the host, but the host will still show received of, let's say, "120kb" but the gateway would show the full 100mb. Well, pulling my hair out, I went against the docs: I disabled ip flow on my wan interface and enabled it only on my lan interface (fa0) and then set ingress AND egress on that interface. I think it's now working! It downloaded a 100mb file to a host and for the first time that host actually has the 100mb received! This solves my problem and I think part of yours. Let me know.

--- Gary Gatten <[EMAIL PROTECTED]> wrote:

> PS: This chart combines the ingress and egress
> throughput and displays the total throughput.  IE:
> I currently have 21Mb/s egress and 11Mb/s ingress,
> and Network Load Stats is showing me 31Mb/s.
>
> Also - it is bits - not Bytes.
>
> G
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Gatten
> Sent: Thursday, February 28, 2008 9:58 AM
> To: [email protected]
> Subject: Re: [Ntop] total traffic understanding
> -chart andtable Discrepancies
>
> That's what I thought - but wanted to make sure.
> This has always been accurate for me and I've tested
> using Iperf to blast all different types of tcp/udp
> traffic, different frame sizes, etc.
>
> You need to make sure netflow is properly configured
> on your router.  Depending on your IOS you'll have
> different options.  Older versions netflow only
> counts output from an interface, so to account for
> all traffic you would need to enable netflow on at
> least two interfaces.  Newer IOS you can enable
> ingress and egress on the same interface.
>
> Check that out or post the netflow config from your
> router.
>
> G
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Redder,Greg
> Sent: Thursday, February 28, 2008 9:44 AM
> To: [email protected]
> Subject: Re: [Ntop] total traffic understanding
> -chart andtable Discrepancies
>
> Hi Gary,
>
> I'm sure I have something misconfigured or I am
> misinterpreting the output, but I go to the Summary
> Menu and choose "Network Load".  The graph I was
> referring to and was in the attached pictures on the
> original message come from the "Last 10 Minutes
> throughput" graph: http://x.x.x.x/thptStats.html
>
> ..And yes, Cricket is doing the math to convert the
> bytes to bits on the graphs I'm using for
> comparison.
>
> I have tried this with both Firefox and IE.  I don't
> think it's a refresh issue, because if I stop the
> flows coming into the ntop box, the graphs go to 0
> pretty quickly and start to graph traffic again as
> soon as I turn the flows back on.
>
> Not sure what I'm missing here but, thanks! --Greg
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Gatten
> Sent: Wednesday, February 27, 2008 3:42 PM
> To: [email protected]
> Subject: Re: [Ntop] total traffic understanding -
> chart andtable Discrepancies
>
> I've done extensive testing with netflow and nTop
> throughput and have found it to be pretty accurate
> "most" of the time.  Better stated, there's only
> been a few instances where the numbers were WAY off
> and I think it had/has something to do with the
> refresh rate of the browser.
>
> The SNMP MIB actually tracks "Octets" (roughly
> bytes) tx and rx.  If Cricket is displaying things
> in bps, it's doing the math internally.
>
> When you say the nTop "Network Throughput Graph" -
> what's the link/URL you're using?  I want to make
> sure we're talking about the same thing and then
> I'll try to help.
>
> The rrd history is ...
> "whacked" - but the realtime
> stats (per host and global network) have been
> accurate for me using netflow.
>
> G
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Redder,Greg
> Sent: Wednesday, February 27, 2008 4:19 PM
> To: [email protected]
> Subject: Re: [Ntop] total traffic understanding -
> chart andtable Discrepancies
>
> Gary, Fernando, NTOP folks,
>
> I've been noticing some similar discrepancies in the
> network throughput tables that are either a
> misunderstanding on my part or inaccuracy on the
> ntop part.  It's important to note that my ntop
> boxes run on flow data and not sniffing the actual
> port.  I'm running ntop 3.2 on Fedora Core 6 boxes.
>
> I have another snmp tool (Cricket) that polls our
> router's physical interface every 1 minute and
> graphs the input and output bits/sec and I have
> experience that shows this tool is highly accurate.
> Last week, I noticed that one of the networks was at
> 90+Mbits/sec for over an hour.  However, the ntop
> throughput graph for that same network lists quite a
> different number.  The network throughput graph in
> ntop listed a current throughput of 41.2M and an
> average of 46.6M.  I've attached the graphs as
> reference.
>
> If the 41.2M means megabytes and there is a line
> for every 30 seconds on the 10 Minute graph, that
> means 41.2Megabytes went through in 30 seconds which
> equals 11Mbits/sec.
>
> Now, if the 41.2 is Megabits/sec, that's wrong too
> when I have a host pumping 90Mbits one way into the
> link.  My load should be 90Mbits/sec plus whatever
> else is going in/out the link.
>
> Maybe this is a problem with me using flowdata, but
> I have other ntop probes that sit "in-line" on the
> links they analyze and they are not accurate either.
>
> Maybe I'm just not interpreting the graphs properly
> and maybe there's something I can do to help figure
> this out???
>
> Thank you --Greg Redder
> Network Analyst
> Colorado State University
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary
> Gatten
> Sent: Wednesday, February 27, 2008 2:42 PM
> To: [email protected]
> Subject: Re: [Ntop] total traffic understanding -
> chart and table Discrepancies
>
> I am now noticing a very similar instance to yours
> in "Global Protocol Distribution".  I have 88.7%
> TCP, 3.1% UDP 0% ICMP.  These percentages are
> accurate given the values: Total IP is 9.6GB; TCP
> is 8.5GB; UDP is 303.3MB, ICMP is 1.3MB.  So,
> there's about 800MB worth of "other" data that's not
> accounted for which would also equal the missing 8%.
>
> -----Original Message-----
> From: Gary Gatten
> Sent: Wednesday, February 27, 2008 3:14 PM
> To: '[email protected]'
> Subject: RE: [Ntop] total traffic understanding -
> chart and table Discrepancies
>
> Unfortunately I can't answer your specific question.
> I'd say rounding error, but your values are too far
> apart for that.
>
> I have some similar type issues as well.  For
> example, the rrd data available with historical
> views isn't even close to the real-time and more
> accurate data.  Also, some of the counters within
> rrd contradict themselves.
>
> My Summary Traffic says I have 99.9% unicast in the
> table, but the pie chart color tells me I have 99.9%
> MULTICAST.
>
> There are a number of other anomalies that I can't
> recall right now.  I haven't spent as much time in
> the nTop GUI lately.
>
=== message truncated ===

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
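
The following is an added example, not part of the thread or of ntop: a small model of how the choice of interface and direction for NetFlow decides whether a collector sees each transit packet once, not at all, or twice. The two-interface router, the `wan`/`lan` names, the addresses and the byte counts are constructed assumptions, and NAT is not modelled.

```python
# Constructed sample: packets transiting a two-interface router.
# Fields: (in_if, out_if, src, dst, bytes). Addresses are documentation ranges.
HOST = "192.0.2.10"
PACKETS = [
    ("wan", "lan", "198.51.100.7", HOST, 100_000_000),  # download to the host
    ("lan", "wan", HOST, "198.51.100.7", 120_000),      # requests/ACKs from the host
]

# Hypothetical capture configurations: {interface: set of enabled directions}
EGRESS_ONE = {"wan": {"egress"}}                        # one direction, one interface
EGRESS_TWO = {"wan": {"egress"}, "lan": {"egress"}}     # one direction, two interfaces
LAN_BOTH = {"lan": {"ingress", "egress"}}               # both directions, one interface
ALL_BOTH = {"wan": {"ingress", "egress"},
            "lan": {"ingress", "egress"}}               # everything enabled everywhere


def export_flows(config, packets=PACKETS):
    """Return the records exported for each packet at every enabled observation point."""
    records = []
    for in_if, out_if, src, dst, nbytes in packets:
        if "ingress" in config.get(in_if, ()):
            records.append((in_if, "ingress", src, dst, nbytes))
        if "egress" in config.get(out_if, ()):
            records.append((out_if, "egress", src, dst, nbytes))
    return records


def host_totals(records, host=HOST):
    """Collector-side accounting: (bytes received, bytes sent) for one host."""
    rx = sum(r[4] for r in records if r[3] == host)
    tx = sum(r[4] for r in records if r[2] == host)
    return rx, tx


def compare():
    """Per-configuration host totals, to spot missing or duplicated traffic."""
    configs = {"egress_one": EGRESS_ONE, "egress_two": EGRESS_TWO,
               "lan_both": LAN_BOTH, "all_both": ALL_BOTH}
    return {name: host_totals(export_flows(cfg)) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, (rx, tx) in compare().items():
        print(f"{name:11s} rx={rx:>11,d} tx={tx:>9,d}")
```

When validating a collector against an independent counter, a total that is roughly half or double the reference is worth checking against the router's per-interface flow settings first.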
