PS: Narrowing it to IP is easy if you have Ci$co - probably others - managed switches / routers; use IP accounting - per IP stats. If you have Ci$co you can use NBAR "protocol discovery" and narrow down the ports as well. NBAR has a MIB so you could even configure your Cacti to collect it.
Also, yes, you could run Wireshark or whatever. Config it to start / stop capturing at a certain time (or other trigger) and then review the data when you get in. G -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of James Chase Sent: Thursday, July 30, 2009 1:49 PM To: [email protected] Subject: Re: [Ntop] Identifying Inbound Network Traffic Thanks for your reply. I am looking at the reports within hours of the data spike but am not dumping data to MySQL yet. I guess what I am looking to do is zoom in on the Mail Protocol graph for instance, select a time period and see information similar to what is available in Remote -> Local Traffic Report which has statistics on how much data was sent from particular hosts, or even more useful -- a way to see how much data was sent to what host in particular during the selected time period. I don't see a way to get reports like that and isolate that kind of data from the system even before ntop clears it's idle host data Should I be thinking about running ntop with the -B dst host mail.hostname.com and xxx.xxx.xxx.xxx and dump it to a pcap logfile to inspect with ntop later? Or am I missing something in the ntop reporting tools? Thanks again! On 7/30/2009 12:24 PM, Gary Gatten wrote: > You can if you catch it within 24 hours, or even better if you can catch > it real-time. Once sessions / hosts age out from inactivity the details > are hard to get at. Try to view the nTop reports during the suspect > time window. Else, turn up the logging configs in the rrd plugin (watch > your disk space) and / or get the newer(newest) version of nTop that > supports mySql and dump everything there. > > > > -----Original Message----- > From: [email protected] [mailto:[email protected]] On Behalf Of > James Chase > Sent: Thursday, July 30, 2009 11:18 AM > To: [email protected] > Subject: [Ntop] Identifying Inbound Network Traffic > > Hi, > > I'm seeing an inbound traffic spike at our hosting facility early every > morning at roughly the same time through our MRTG and Cacti graphs. We > recently installed NTOP to try and pin down the source and destination > as well as port/protocol of the traffic, but I haven't been able to do > this as effectively as I thought. I know through Cacti which host the > traffic is going to, but it has ~10 virtual IP's and due to a limitation > > of the SNMP protocol I can't limit it to which IP exactly. > > But a more general question, is there a good way to get this information > > with NTOP? Taking a certain time period and identifying the association > of a traffic spike; where the data is going to and where it is coming > from, and on which port? I really want to drill down during the time > period in question but the more detailed stats seem more cumulative. > > Should I just be sampling output to a file during the period in > question? Are there other useful plugins for this? > > Thanks for any help, > James > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > > > <font size="1"> > <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> > </div> > "This email is intended to be reviewed by only the intended recipient > and may contain information that is privileged and/or confidential. > If you are not the intended recipient, you are hereby notified that > any review, use, dissemination, disclosure or copying of this email > and its attachments, if any, is strictly prohibited. If you have > received this email in error, please immediately notify the sender by > return email and delete this email from your system." > </font> > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > --- > [This E-mail scanned for viruses by Declude EVA] > > > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
