Check out the "-o | --no-mac" switch. You need to have a good understanding of how traffic flow through your net to make sure traffic isn't missed or counted more than once. (2) interfaces on a single router is easy. Twenty interfaces on a router and/or multiple routers with several interfaces can get tricky. Basically, if the same flow travels through more than two interfaces anywhere that you're monitoring - be careful!
Gary -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Liberatore Sent: Friday, February 29, 2008 10:52 PM To: [email protected] Subject: Re: [Ntop] total traffic understanding -chart andtable Discrepancies I think i may have finally figured out the problem where remote to local was not displayed. it would show a download from a host as traffic on the gateway, not on the actual host, so i would download a 100mb file to the host, but the host will still show received of lets say "120kb" but the gateway would show the full 100mb. well pulling my hair out, i went against the docs, i disabled ip flow on my wan interface and enabled it only on my lan interface (fa0) and then set ingress AND egress on that interface, i think its now working! It downloaded a 100mb file to a host and for the first time that host acutally has the 100mb received! This solves my problem and i think part of yours. let me know. --- Gary Gatten <[EMAIL PROTECTED]> wrote: > PS: This chart combines the ingress and egress > throughput and displays the total throughput. IE: > I currently have 21Mb/s egress and 11Mb/s ingress, > and Network Load Stats is showing me 31Mb/s. > > Also - it is bits - not Bytes. > > G > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Gary > Gatten > Sent: Thursday, February 28, 2008 9:58 AM > To: [email protected] > Subject: Re: [Ntop] total traffic understanding > -chart andtable Discrepancies > > That's what I thought - but wanted to make sure. > This has always been accurate for me and I've tested > using Iperf to blast all different type of tcp/udp > traffic, different frame sizes, etc. > > You need to make sure netflow is properly configured > on your router. Depending on your IOS you'll have > different options. Older versions netflow only > counts output from an interface, so to account for > all traffic you would need to enable netflow on at > least two interfaces. Newer IOS you can enable > ingress and egress on the same interface. > > Check that out or post the netflow config from your > router. > > G > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Redder,Greg > Sent: Thursday, February 28, 2008 9:44 AM > To: [email protected] > Subject: Re: [Ntop] total traffic understanding > -chart andtable Discrepancies > > > Hi Gary, > > I'm sure I have something misconfigured or I am > misinterpreting the output, but I go to the Summary > Menu and choose "Network Load". The graph I was > referring to and was in the attached pictures on the > original message come from the "Last 10 Minutes > throughput" graph: http://x.x.x.x/thptStats.html > > ..And yes, cricket is doing the math to convert the > bytes to bits on the graphs I'm using for > comparison. > > I have tried this with both Firefox and IE. I don't > think it's a refresh issue, because if I stop the > flows coming into the ntop box, the graphs go to 0 > pretty quickly and start to graph traffic again as > soon as I turn the flows back on. > > Not sure what I'm missing here but, thanks! --Greg > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Gary > Gatten > Sent: Wednesday, February 27, 2008 3:42 PM > To: [email protected] > Subject: Re: [Ntop] total traffic understanding - > chart andtable Discrepancies > > I've done extensive testing with netflow and nTop > throughput and have found it to be pretty accurate > "most" of the time. Better stated, there's only > been a few instances where the numbers were WAY off > and I think it had/has something to do with the > refresh rate of the browser. > > The SNMP MIB actually tracks "Octets" (roughly > bytes) tx and rx. If Cricket is displaying things > in bps, it's doing the math internally. > > When you say the nTop "Network Throughput Graph" - > what's the link/URL you're using? I want to make > sure we're talking about the same thing and then > I'll try to help. > > The rrd history is ... "whacked" - but the realtime > stats (per host and global network) have been > accurate for me using netflow. > > G > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Redder,Greg > Sent: Wednesday, February 27, 2008 4:19 PM > To: [email protected] > Subject: Re: [Ntop] total traffic understanding - > chart andtable Discrepancies > > > Gary, Fernando, NTOP folks, > > I've been noticing some similar discrepancies in the > network throughput tables that are either a > misunderstanding on my part or inaccuracy on the > ntop part. It's important to note that my ntop > boxes run on flow data and not sniffing the actual > port. I'm running ntop 3.2 on Fedora Core 6 boxes. > > I have another snmp tool (Cricket) that polls our > router's physical interface every 1 minute and > graphs the input and output bits/sec and I have > experience that shows this tool is highly accurate. > Last week, I noticed that one of the networks was at > 90+Mbits/sec for over an hour. However, the ntop > throughput graph for that same network list quite a > different number. The network throughput graph in > ntop listed a current throughput of 41.2M and an > average of 46.6M. I've attached the graphs as > reference. > > > > > If the 41.2M means megabytes and there is a line > for every 30 seconds on the 10 Minute graph, that > means 41.2Megabytes went through in 30 seconds which > equals 11Mbits/sec. > > Now, if the 41.2 is Megabits/sec, that's wrong too > when I have a host pumping 90Mbits one way into the > link. My load should be 90Mbits/sec plus whatever > else is going in/out the link. > > Maybe this is a problem with me using flowdata, but > I have other ntop probes that sit "in-line" on the > links they analyze and they are not accurate either. > > Maybe I'm just not interpreting the graphs properly > and maybe there's something I can do to help figure > this out??? > > Thank you --Greg Redder > Network Analyst > Colorado State University > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Gary > Gatten > Sent: Wednesday, February 27, 2008 2:42 PM > To: [email protected] > Subject: Re: [Ntop] total traffic understanding - > chart and table Discrepancies > > I am now noticing a very similar instance to yours > in "Global Protocol Distribution". I have 88.7% > TCP, 3.1% UDP 0% ICMP. These percentages are > accurate given the values: Total IP is 9.6GB; TCP > is 8.5GB; UDP is 303.3MB, ICMP is 1.3MB. So, > there's about 800MB worth of "other" data that's not > accounted for which would also equal the missing 8%. > > > > -----Original Message----- > From: Gary Gatten > Sent: Wednesday, February 27, 2008 3:14 PM > To: '[email protected]' > Subject: RE: [Ntop] total traffic understanding - > chart and table Discrepancies > > Unfortunately I can't answer your specific question. > I'd say rounding error, but your values are too far > apart for that. > > I have some similar type issues as well. For > example, the rrd data available with historical > views isn't even close to the real-time and more > accurate data. Also, some of the counters within > rrd contradict themselves. > > My Summary Traffic says I have 99.9% unicast in the > table, but the pie chart color tells me I have 99.9% > MULTICAST. > > There are a number of other anomalies that I can't > recall right now. I haven't spent as much time in > the nTop GUI lately. > > === message truncated === ________________________________________________________________________ ____________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
