I am attempting to sample traffic on an Intel e1000e. The network in question runs around 250 Mb/s traffic during the day. There are around 10K computers on the inside.
Using ntop 4 with or without PF_RING, I get 0.1% packet drop. Running ntop 5.0.1, it runs up to 650% dropped packets. It says libpcap is the one dropping, but snort is not having the same issues. When I turned off protocol analysis under 5.0.1, it dropped to 3 or 4 percent drops.

Thinking it was the capture itself, I tried PF_RING on both snort and ntop. It didn't seem to help the drops on ntop. It did lower CPU utilization on snort a good bit. I have DNS resolution turned off on both; track local hosts is on for both versions of ntop.

If I run three instances of ntop 5.0.1 (one for UDP, one for TCP without port 80, and one with only TCP port 80), the TCP port 80 instance drops the traffic. The other two instances do fine.

Is there a way to make ntop 5.x use only the same protocol (read: port) based analysis and turn off nDPI? Or is something else causing this? Also, how can it drop 650% of the traffic? Is it injecting packets?

Thanks,
-F
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
