Gary, can you please share a pcap file of those unrecognized flows? If so, please file a bug on http://bugzilla.ntop.org so I can track it.

Thanks
Luca

On Jun 1, 2011, at 5:40 PM, Gary Gatten wrote:

> I was just looking at netflowPlugin.c, and it appears the debug
> functions/routines/whatever are disabled?
>
> I’m trying to track down a problem in 4.0.3 (maybe others) where certain
> netflow probes / exporters aren’t recognized by ntop. When using tcpdump I
> see udp datagrams arriving on the ntop host destined for the correct port,
> however, tcpdump displays “udp bad chksum” for any “packets” larger than
> 1300’ish bytes. I’ve verified the source routers are fragmenting the netflow
> datagram into two packets before sending (goes over a VPN with MTU of 1400),
> and using Ethereal I determined the fragments arrive correctly at the switch
> port of the ntop host.
>
> So, is tcpdump misleading me – are the chksums correct and ntop is failing to
> deal with these packets for some other reason – or does the OS drop the
> packets so ntop never sees them?
>
> My other concern is: let’s say the exporter sends a “small” 800 Byte packet
> and ntop processes it correctly. I’ll look at ntop netflow stats and see the
> exporter listed and I’ll think everything is great. BUT, what if 70% of the
> flow data sent is in large / fragmented packets that aren’t … processed by
> ntop? My stats will be grossly misleading.
>
> Hence my efforts to enable netflow debugging, and packet debugging, and
> anything to do with packet / netflow receipt and processing to see what’s
> going on.
>
> How should I proceed here? I’m going to try to build as is, but my lack of C
> / programming knowledge limits me.
>
> Thanks!
>
> Gary
>
> "This email is intended to be reviewed by only the intended recipient and may
> contain information that is privileged and/or confidential. If you are not
> the intended recipient, you are hereby notified that any review, use,
> dissemination, disclosure or copying of this email and its attachments, if
> any, is strictly prohibited. If you have received this email in error, please
> immediately notify the sender by return email and delete this email from your
> system."

---
If you can not measure it, you can not improve it - Lord Kelvin
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
