While troubleshooting my crashes during/after IDLE_PURGE processes, I found a host (CA eTrust) that scans our entire internal network range (all possible host IPs) looking for new ones - a discovery process. Don't ask why it doesn't use multicast for this - seems no one realizes multicast exists and how to use it.
Anyway, this "discovery" causes nTop to "see" almost 50,000 hosts - at which time it crashes. I'm not 100%, but this process runs every 2 - 4 hours depending on TOD, and sure enough - ntop shows a huge spike in host counts and shortly thereafter the host count is zero - 'cause ntop is DEAD!

So - I threw in a blacklist in netflow confs for this host "host not w.x.y.z". Seems to be working, however, now the netflow thread is running 2 - 3 times the CPU it did before I added the blacklist entry. Is there really that much overhead in the white/black lists - or am I crazy?

TIA!
Gary
