I have several VPN concentrators all terminating IPSec tunnels. This is NOT tunneled in UDP - pure IPSec IP only (IP type 50/51) traffic. This traffic appears to be counted correctly in throughput and total data TX/RX, but protocol distribution doesn't account for it at all. For example, I have a concentrator that has TX 450GB total, yet Protocol Distribution has less than 100MB counted, looks to be mostly ICMP control packets and udp 500 for ISAKMP. Will the -p | --protocols help this?
Also, the IP Distribution is pretty much always wrong. Seems almost any host I pick that's running mostly http, https, smtp, etc. - the graphs display a color that represents "other" or some bogus protocol I know doesn't make up 100% of that host's traffic. For example, I have an http/https server that has ~ 45GB of total traffic. Protocol Distribution accounts this accurately as 100% TCP and has the proper ratio to TX and RX. However, IP Distribution Pie chart is 100% yellow 0 which is "other". If you scroll down a little further to TCP/UDP Service/Port Usage, it shows ~ 45GB on 443/https - which is correct. Same thing with a mail (smtp) host. All counters are accurate except the IP Distribution chart that shows the ~15GB of TX traffic is BitTorrent and the ~15GB of RX traffic is either telnet or ftp - show shade of blue. No "MAIL" traffic at all! Yet the TCP/UDP Service/Port Usage accurately counts the traffic as SMTP.

This is 3.2.1 on FreeBSD. Exclusively netflow.

This isn't a show stopper - just something that's been bugging me for some time now.

Thanks!
Gary
