Frank ntop "classic" is not designed for speed. ntopng is designed for speed: http://www.ntop.org/ntop/its-time-for-a-completely-new-ntop-say-hello-to-ntopng/
Please stay tuned as within a week or so we will release the first version Luca On May 28, 2013, at 8:49 PM, "Eargle, Frank" <[email protected]> wrote: > I am attempting to sample traffic on an Intel e1000e. The network in > question runs around 250 Mb/s traffic during the day. There are around 10K > computers on the inside. > > Using ntop 4 with or without PF_Ring, I get 0.1% packet drop. Running ntop > 5.0.1 it running up to 650% dropped packets. It says libpcap is the one > dropping, but snort is not having the same issues. When I turned off > protocol analysis under 5.0.1 it dropped to 3 or 4 percent drops. Thinking > it was the capture itself, I tried pf_ring on both snort and ntop. It didn't > seem to help the drops on ntop. It did lower cpu utilization on snort a good > bit. > > I have DNS resolution turned off on both, track local hosts is on for both > versions of ntop. > > If I run three instances of ntop 5.0.1, 1 for udp, tcp without port 80 and 1 > with only tcp 80, that instance drops the traffic. The other two instances > do fine. > > Is there a way to make ntop 5.x use only the same protocol (read port) based > analysis and turn off the nDPI? Or is something else causing this? > > Also how can it drop 650% of the traffic? It's injecting packets? > > Thanks > > -F > _______________________________________________ > Ntop-dev mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop-dev
_______________________________________________ Ntop-dev mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop-dev
