Gary, Sorry for the long delay in getting back to you; I appreciate your help. Currently I have ntop just keeping each nic separate, as the rddtool errors seem to eventually crash ntop.
Anyway, while the switch can put both TX and RX on a single mirrored port...if the network link becomes saturated while trying to mirror all on one port, it will drop packets, and I've got to have that data. Unfortunately, in keeping both nics separate, ntop still doesn't seem to work quite right; while it does not crash, some of the information screens won't display (ie local matrix and sometimes hosts and such), and getting at some of the info is rather awkward. So, I guess, is there any way to guarentee that I'll see all data passing through the mirrored link without compromising the functionality of ntop? It's a great tool for us small departments, but... Thank you. On Wed, Nov 19, 2008 at 10:22 AM, <[EMAIL PROTECTED]> wrote: > Send Ntop mailing list submissions to > ntop@unipi.it > > To subscribe or unsubscribe via the World Wide Web, visit > http://listgateway.unipi.it/mailman/listinfo/ntop > or, via email, send a message with subject or body 'help' to > [EMAIL PROTECTED] > > You can reach the person managing the list at > [EMAIL PROTECTED] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Ntop digest..." > > > Today's Topics: > > 1. some report not working (Gian Sartor) > 2. Re: warning: can't get client address: Bad file descriptor > (Miguel A. Velasco) (Radu Constantinescu) > 3. Re: rrdtool and ntop --no-mac (Gary Gatten) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 19 Nov 2008 12:31:59 -0000 > From: "Gian Sartor" <[EMAIL PROTECTED]> > Subject: [Ntop] some report not working > To: <ntop@unipi.it> > Message-ID: > < > [EMAIL PROTECTED]> > > Content-Type: text/plain; charset="koi8-r" > > Hi All, > > > > I am running ntop v.3.3.6 on Centos 5. I have just got it up and running, > configuring through the web interface. Strangely, some of the pages which > were displaying information at first, are now blank and not showing any > information at all. Summary-> Hosts is blank; IP -> Summary -> Traffic is > also blank. Has anyone experienced this before? Have I made some newbie > mistake I am not aware of? > > > > Gian > > > > > > Kind regards > > Gian Sartor > System Administrator > > Secerno > Seacourt Tower > West Way > Oxford > OX2 0JJ > > Tel: +44 845 450 9460 > > Fax: +44 845 450 9469 > Cell: +44 792 011 6813 > Email: [EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]> Web: www.secerno.com < > http://www.secerno.com/> > > Blog: blog.secerno.com <http://blog.secerno.com/> > > WINNER: Network Products Guide ? SC Magazine ? Computing Awards ? Techworld > ? Red Herring Top 100 > > How Secerno.SQL works: http://www.secerno.com/howitworks/ < > http://www.secerno.com/howitworks/> > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://listgateway.unipi.it/pipermail/ntop/attachments/20081119/376ff61f/attachment-0001.html > > ------------------------------ > > Message: 2 > Date: Wed, 19 Nov 2008 07:34:18 -0800 (PST) > From: Radu Constantinescu <[EMAIL PROTECTED]> > Subject: Re: [Ntop] warning: can't get client address: Bad file > descriptor (Miguel A. Velasco) > To: ntop@unipi.it > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset=us-ascii > > Try to run NTOP like: > ntop -u ntop --use-syslog=daemon --no-promiscuous --no-fc -Q /dev/shm -M > -i "eth1,eth2,eth0" & > (adapt to your needs) > where the interesting part is >>> -Q /dev/shm > See if that will help. It did fixed my problems on fedora like a charm. > > Radu > > -------- > > Message: 1 > Date: Tue, 18 Nov 2008 09:05:11 +0100 > From: "Miguel A. Velasco" <[EMAIL PROTECTED]> > Subject: Re: [Ntop] warning: can't get client address: Bad file > descriptor > To: ntop@unipi.it > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Hello all, I have the same problem with ntop in two different servers. I > have ntop-3.3.8-1.el5 in a Centos 5.2 release. > Ntop looks work succesfully but after some minutes it crashes. In > /var/log/messages I have something like this: > > Nov 18 08:59:15 s-analyzer ntop[14534]: warning: can't get client > address: Bad file descriptor > > It repeats n times until ntop crashes.... > I have been trying with different kernel versions but not succesfully. > I have the following /etc/ntop.conf: > > --user root > --db-file-path /var/ntop > --interface eth0,eth1,tun0 > --use-syslog=local1 > --http-server 3200 > --https-server 3203 > --daemon > > I am running at these servers a shorewall firewall, and openvpn service > in a tun0 interface. > > Please, let me know any solution. > Thanks vey much for your time. > > Miguel Velasco. > > > King, Morgan escribi?: > > > > > > I am running Ntop 3.2 on Centos 5.0. I have installed Ntop using yum > > and have also tried compiling it from source. Either way in my > > /var/log/messages I am getting the error saying > > > > > > > > Ntop[6946]: warning: can't get client address: Bad file descriptor. > > > > Last message repeated 49 times > > > > > > > > Sometimes Ntop Crashes after running for just a short time. Other times > > it runs for longer periods of time, the error remains. > > > > > > > > Thank you > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------ > > > > _______________________________________________ > > Ntop mailing list > > Ntop@unipi.it > > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > > > > > > > > ------------------------------ > > Message: 3 > Date: Wed, 19 Nov 2008 11:22:30 -0600 > From: "Gary Gatten" <[EMAIL PROTECTED]> > Subject: Re: [Ntop] rrdtool and ntop --no-mac > To: <ntop@unipi.it> > Message-ID: > <[EMAIL PROTECTED]> > Content-Type: text/plain; charset="us-ascii" > > [EMAIL PROTECTED] I just finished typing a detailed response and Outlook/Word > locked up!!! > > > > Short version, use a single NIC and mirror TX and RX traffic. Your > problem will most likely be solved. > > > > Gary > > > > > > ________________________________ > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Derek Gore > Sent: Tuesday, November 18, 2008 12:54 PM > To: ntop@unipi.it > Subject: Re: [Ntop] rrdtool and ntop --no-mac > > > > Gary, > > Well, the switch can do TX or RX only, or both on one port, but in all > three cases I don't get all the info I need. The reason I'm trying to > get the complete data set both ways is to help my little dept figure out > what's loading the network when we see spikes. However, most of the > traffic is highly directional, ie a lot of utilization one way and not > much the other, and yet sometimes it's both (between our file servers > and media editing lab computers, as well as department backups, etc). So > just mirroring one way wouldn't give a very good picture sometimes. > > As for the update times, well, I've left on the default...never had > problems before the dual nics, so I think it's more an issue of trying > to save two things at the update interval sometimes. So, I guess, might > there be a way to ensure all data is saved for a given time in one go? > Or what setting might I change to stop these collisions? > > Thank you, > Derek > > On Mon, Nov 17, 2008 at 10:57 AM, <[EMAIL PROTECTED]> wrote: > > Send Ntop mailing list submissions to > ntop@unipi.it > > To subscribe or unsubscribe via the World Wide Web, visit > http://listgateway.unipi.it/mailman/listinfo/ntop > or, via email, send a message with subject or body 'help' to > [EMAIL PROTECTED] > > You can reach the person managing the list at > [EMAIL PROTECTED] > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Ntop digest..." > > > Today's Topics: > > 1. Re: AS number missing (Burton Strauss III) > 2. Re: AS number missing (Luca Deri) > 3. rrdtool and ntop --no-mac (Derek Gore) > 4. Re: rrdtool and ntop --no-mac (Gary Gatten) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sun, 16 Nov 2008 15:58:05 -0600 > From: "Burton Strauss III" <[EMAIL PROTECTED]> > Subject: Re: [Ntop] AS number missing > To: <ntop@unipi.it> > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset="utf-8" > > The problem with AS numbers is the aggregation. What works for one > individual is a reflection of their connection to the network. > > For example, within the State of XYZ University system, there are > multiple AS#s, one per campus, reflecting traffic flow through the > state-wide network. But the State provides a consolidated network > inter-connection for all campuses and universities to the rest of the > world. So outsiders see the aggregated network AS# only. > > There are organizations that make AS lookups available, but again, it > reflects their position in the network. The best know is Cymru: > http://www.team-cymru.org/Services/ip-to-asn.html > > > -----Burton > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Aurelien BEAUVOIS > Sent: Thursday, November 13, 2008 10:21 AM > To: ntop@unipi.it > Subject: Re: [Ntop] AS number missing > > I've modified the script and there are no problem now... If somebody is > interessed, you can ask me. > > Thanks > > Aurelien > > Le jeudi 13 novembre 2008 ? 14:50 +0100, Aurelien BEAUVOIS a ?crit : > > Hi, > > > > I've already looked for examples but nothing work. > > > > I've found a script in the ntop directory > > (/root/ntop-3.3.8/utils/AS-list.sh) but I've not more AS numbers on > the > > html page Hosts... > > > > Aur?lien > > > > Le jeudi 13 novembre 2008 ? 13:35 +0100, Allan Eising a ?crit : > > > Hi, > > > > > > The AS information is fetched from a text file that is bundled with > > > ntop. This text file has unfortunately not been updated for a long > > > time, thus a lot of AS numbers are missing. If you search this > mailing > > > list you'll find several examples on how to fetch more recent data > > > into your AS-list.txt file. > > > > > > Allan > > > > > > On Thu, Nov 13, 2008 at 12:42 PM, Aurelien BEAUVOIS > > > <[EMAIL PROTECTED]> wrote: > > > > Hello, > > > > > > > > I've activate AS numbers in ntop but some AS numbers missing. > > > > > > > > Have you an idea to resolve this problem ? > > > > > > > > Thanks > > > > > > > > Aur?lien BEAUVOIS > > > > Ikoula > > > > > > > > _______________________________________________ > > > > Ntop mailing list > > > > Ntop@unipi.it > > > > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > > > > _______________________________________________ > > > Ntop mailing list > > > Ntop@unipi.it > > > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > > _______________________________________________ > > Ntop mailing list > > Ntop@unipi.it > > http://listgateway.unipi.it/mailman/listinfo/ntop > _______________________________________________ > Ntop mailing list > Ntop@unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > ------------------------------ > > Message: 2 > Date: Mon, 17 Nov 2008 09:23:01 +0100 > From: Luca Deri <[EMAIL PROTECTED]> > Subject: Re: [Ntop] AS number missing > To: ntop@unipi.it > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset="us-ascii" > > An HTML attachment was scrubbed... > URL: > http://listgateway.unipi.it/pipermail/ntop/attachments/20081117/5aaa87d7 > /attachment-0001.html<http://listgateway.unipi.it/pipermail/ntop/attachments/20081117/5aaa87d7/attachment-0001.html> > > ------------------------------ > > Message: 3 > Date: Mon, 17 Nov 2008 10:43:20 -0700 > From: "Derek Gore" <[EMAIL PROTECTED]> > Subject: [Ntop] rrdtool and ntop --no-mac > To: ntop@unipi.it > Message-ID: > <[EMAIL PROTECTED]> > Content-Type: text/plain; charset="iso-8859-1" > > Greetings all, > > I've recently been working on a project to setup ntop to the end of > analyzing our network load/traffic so we can better accommodate the > demands > of the network. A test case using a simple machine with a single nic > went > flawlessly. However, when I set up a more powerful machine with 2 nics > to > start production monitoring, I started getting warnings from RRD tool > that > go along the lines of this: > > **WARNING** RRD: rrd_update(/usr/.../ipBytesSent.rrd) error: illegal > attempt > to update using time > > 1109523297 when last update time is 1109523297 > (minimum one second step) > > > I have, of course, researched this problem a little and tried launching > with > the --no-mac option as well as configuring via the web interface to not > trust macs. Nevertheless, the problem persists. > > The setup is a gigabit switch hooked into 2 nics on the monitoring > computer. > One port is mirrored egress, and the other ingress, and I have ntop set > to > merge the stats from both nics. > > Does anyone have any suggestions for how I might be able to fix this? > > Thank you. > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://listgateway.unipi.it/pipermail/ntop/attachments/20081117/33e3c404 > /attachment-0001.html<http://listgateway.unipi.it/pipermail/ntop/attachments/20081117/33e3c404/attachment-0001.html> > > ------------------------------ > > Message: 4 > Date: Mon, 17 Nov 2008 11:56:54 -0600 > From: "Gary Gatten" <[EMAIL PROTECTED]> > Subject: Re: [Ntop] rrdtool and ntop --no-mac > To: <ntop@unipi.it> > Message-ID: > <[EMAIL PROTECTED]> > Content-Type: text/plain; charset="us-ascii" > > I don't think the "no mac" setting will influence these warnings - but > you probably need it anyway (most times you do). > > > > Maybe check the rrd configs and play with the update timers? Also, any > detail you don't "need" disable so that rrd is storing only what you'll > actually use. > > > > Lastly, if your switch supports it maybe have it mirror TX and RX so you > only need a single interface and NIC for monitoring. Merging tends to > distort the details of full duplex traffic. Ie: Is 45Mb/s on a T3 bad? > Well, if the traffic is all unidirectional - say ingress - yea, > probably bad cause that circuit is maxed. If however it's 25 Mb in and > 20 Mb out - maybe not so bad - especially if it's legit traffic. > Openview sometimes treats a full-duplex link like two half-duplex links > merged together: on a T1 running at 1536Kb/s egress it would show up on > reports as 50% utilization when really it's 100% of egress. > > > > Lastly, these warnings are annoying but I don't *THINK* they're causing > any harm. > > > > Gary > > > > > > > > > > ________________________________ > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Derek Gore > Sent: Monday, November 17, 2008 11:43 AM > To: ntop@unipi.it > Subject: [Ntop] rrdtool and ntop --no-mac > > > > Greetings all, > > I've recently been working on a project to setup ntop to the end of > analyzing our network load/traffic so we can better accommodate the > demands of the network. A test case using a simple machine with a single > nic went flawlessly. However, when I set up a more powerful machine with > 2 nics to start production monitoring, I started getting warnings from > RRD tool that go along the lines of this: > > **WARNING** RRD: rrd_update(/usr/.../ipBytesSent.rrd) error: illegal > attempt to update using time > > 1109523297 when last update time is 1109523297 > (minimum one second step) > > > I have, of course, researched this problem a little and tried launching > with the --no-mac option as well as configuring via the web interface to > not trust macs. Nevertheless, the problem persists. > > The setup is a gigabit switch hooked into 2 nics on the monitoring > computer. One port is mirrored egress, and the other ingress, and I have > ntop set to merge the stats from both nics. > > Does anyone have any suggestions for how I might be able to fix this? > > Thank you. > > > > > > > <font size="1"> > <div style='border:none;border-bottom:double windowtext > 2.25pt;padding:0in 0in 1.0pt 0in'> > </div> > "This email is intended to be reviewed by only the intended recipient > and may contain information that is privileged and/or confidential. > If you are not the intended recipient, you are hereby notified that > any review, use, dissemination, disclosure or copying of this email > and its attachments, if any, is strictly prohibited. If you have > received this email in error, please immediately notify the sender by > return email and delete this email from your system." > </font> > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://listgateway.unipi.it/pipermail/ntop/attachments/20081117/96989a15 > /attachment.html<http://listgateway.unipi.it/pipermail/ntop/attachments/20081117/96989a15/attachment.html> > > ------------------------------ > > _______________________________________________ > Ntop mailing list > Ntop@unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop > > > End of Ntop Digest, Vol 54, Issue 8 > *********************************** > > > > > -- > Derek Gore > Systems Administration (ext 2-3678) > HHP Services > 108 Richards Building > College of Health and Human Performance > Brigham Young University > Provo, UT 84602 > Phone: (801) 422 3678 > Mobile: (801) 602 3997 > > > > > > > <font size="1"> > <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in > 0in 1.0pt 0in'> > </div> > "This email is intended to be reviewed by only the intended recipient > and may contain information that is privileged and/or confidential. > If you are not the intended recipient, you are hereby notified that > any review, use, dissemination, disclosure or copying of this email > and its attachments, if any, is strictly prohibited. If you have > received this email in error, please immediately notify the sender by > return email and delete this email from your system." > </font> > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: > http://listgateway.unipi.it/pipermail/ntop/attachments/20081119/6e173207/attachment.html > > ------------------------------ > > _______________________________________________ > Ntop mailing list > Ntop@unipi.it > http://listgateway.unipi.it/mailman/listinfo/ntop > > > End of Ntop Digest, Vol 54, Issue 10 > ************************************ >
_______________________________________________ Ntop mailing list Ntop@unipi.it http://listgateway.unipi.it/mailman/listinfo/ntop
