You've answered your own question, but you are too wedded to your own certain knowledge that there are only 400-500 hosts. There aren't.
ANY IP address ntop sees is a host. A host is a host is a host. A host is something ntop creates a HostTraffic entry for, i.e. stores information about. If there are packets addressed to 200K hosts, then there are 200K hosts.

With --track-local-hosts only, the remote hosts are dumped into 'other'. But every LOCAL IP seen per your -m definition of what's local, is a HostTraffic entry.

200K hosts * 2K is 400M of memory. 200K * 12K is 2.4G of memory - it's going to depend on what ntop sees in those packets as to how much per host memory it's going to take.

-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Behalf Of Stefan Iaru
> Sent: Thursday, November 11, 2004 2:05 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Ntop-dev] ntop keeps crashing
>
> I see it is running out of memory, but my question is why ? It has 1.5
> GB of RAM, and nothing else besides ntop is running on that box, and
> I've also allocated about 8 GB of swap, of which it usually uses 500 -
> 1000 MB before going down.
>
> I just added 10.0.0.0/8 because I have a number of 10.x.0.0/24
> subnets, and I was lazy about adding them all in. The number of active
> nodes usually reaches 4-500, but the most I've seen ntop track is ~
> 200 000 (I set the trace level to 4 and monitored the logs). I believe
> the number gets that high because of viral infections that cause
> machines to scan inexistent subnets, therefore adding the hosts in
> ntop's database.
>
> I've been modifying the IDLE_PURGE variables, decreasing the time a
> host needs to be idle in order to be deleted and increasing the number
> of hosts that can be removed, but I haven't seen any increase in
> performance, and even though it sometimes deletes 5000 hosts in one go
> (taking forever to do so), memory utilization doesn't go down. I know
> the deletion process is time-consuming, but I was hoping it would help
> some.
>
> Perhaps I am taking the wrong approach, so I would appreciate it if
> you could point me in the right direction, as this tool is saving us a
> lot of time tracking down infected machines/spammers/hackers etc.
>
> Thank you,
>
> Stefan.
>
> On Wed, 10 Nov 2004 08:49:49 -0600, Burton M. Strauss III
> <[EMAIL PROTECTED]> wrote:
> > What do you want... it's CLEAR in the log:
> >
> > Nov 9 19:30:09 linux ntop[11437]: **FATAL_ERROR** malloc(10384) @ pbuf.c:122 returned NULL [no more memory?]
> > Nov 9 19:30:09 linux ntop[11437]: **WARNING** ntop packet capture STOPPED
> > Nov 9 19:30:09 linux ntop[11437]: NOTE: ntop web server remains up
> > Nov 9 19:30:09 linux ntop[11437]: NOTE: Shutdown gracefully and restart with more memory
> > Nov 9 19:30:09 linux ntop[11437]: **FATAL_ERROR** malloc(10384) @ pbuf.c:122 returned NULL [no more memory?]
> >
> > ntop is running out of memory, and has handled it gracefully. Even after
> > the 'crash', the web server should still be up so you can grab textinfo.html
> > data and post real memory usage info.
> >
> > If you can't capture it after the 'crash', then setup a cron'ed wget of that
> > page to match up to a crash...
> >
> > But the $64? is "How many hosts are you really tracking"? With 10.0.0.0/8 as
> > local, it could be HUGE...
> >
> > -----Burton

_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
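
Added example, not part of the original thread and not ntop code: a simplified model of the point in the reply at the top, that every distinct address falling inside the -m local definition is tracked as its own host, so scans of nonexistent 10.x subnets inflate the count. The addresses, subnets and function names are constructed for illustration; the 2K and 12K per-host figures are the ones quoted in the thread.

```python
import ipaddress

# Per-host memory bounds quoted in the thread (2K and 12K per HostTraffic entry).
PER_HOST_BYTES = (2_000, 12_000)


def local_entries(seen_ips, local_nets):
    """Count distinct seen addresses that fall inside the 'local' networks.

    Simplified model (assumption): each such address is one tracked host;
    anything outside the local networks is lumped into 'other' and not counted.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    local = set()
    for ip in seen_ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            local.add(addr)
    return len(local)


def memory_range(host_count):
    """Low and high memory estimate in bytes for a given number of hosts."""
    return tuple(host_count * b for b in PER_HOST_BYTES)


def constructed_traffic():
    """Constructed sample: 450 real hosts, scan targets, two remote hosts."""
    real = [f"10.{s}.0.{h}" for s in (1, 2, 3) for h in range(1, 151)]
    # Destinations in subnets that do not exist, as produced by infected
    # machines scanning the 10.x space: 200 * 250 = 50,000 addresses.
    scanned = [f"10.200.{b}.{h}" for b in range(200) for h in range(1, 251)]
    remote = ["192.0.2.10", "198.51.100.7"]
    return real * 3 + scanned + remote  # repeats do not create new hosts


WIDE = ["10.0.0.0/8"]                                   # the lazy definition
NARROW = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]  # the real subnets

if __name__ == "__main__":
    traffic = constructed_traffic()
    for name, nets in (("wide", WIDE), ("narrow", NARROW)):
        n = local_entries(traffic, nets)
        lo, hi = memory_range(n)
        print(f"{name}: {n} local hosts, {lo / 1e6:.1f}M to {hi / 1e6:.1f}M")
```
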
