It's a #define parameter - look in globals-defines.h -----Burton > -----Original Message----- > From: Stefan Iaru [mailto:[EMAIL PROTECTED] > Sent: Friday, November 12, 2004 9:04 AM > To: Burton M. Strauss III > Cc: [EMAIL PROTECTED] > Subject: Re: [Ntop-dev] ntop keeps crashing > > > Thank you for the explanation. It seems however I've run up against > another problem: the number of subnets that ntop will consider to be > local : I start it with > -m > 10.117.0.0/24,10.118.0.0/24,10.116.0.0/24,10.113.0.0/24,10.114.0.0 > /24,10.112.0.0/24,10.112.1.0/24,10.153.201.0/24,10.112.3.0/24,10.1 > 10.1.0/24,10.110.0.0/24,10.109.0.0/24,10.111.0.0/24,10.107.0.0/24, > 10.206.0.0/24,10.106.0.0/24,10.205.0.0/24,10.105.0.0/24,10.104.0.0 > /24,10.103.0.0/24,10.152.0.0/24,10.102.1.0/24,10.102.0.0/24,10.156 > .0.0/24,10.102.3.0/24,209.106.200.0/24,209.106.201.0/24,209.106.20 > 2.0/24,209.106.203.0/24,209.106.204.0/24,209.106.205.0/24,209.106. > 206.0/24,209.106.207.0/24,204.185.18.0/24,204.185.19.0/24,66.250.2 > 47.152/32,66.250.247.153/32,24.117.104.161/255.255.255.248,10.124. > 0.0/24,10.123.0.0/24,10.123.1.0/24,10.121.0.0/24,10.120.0.0/24,10. > 219.0.0/24,10.219.2.0/24,10.119.0.0/24,10.119.1.0/24,10.119.2.0/24 > but in the configuration page it shows just > -m 10.117.0.0/24, 10.118.0.0/24, 10.116.0.0/24, 10.113.0.0/24, > 10.114.0.0/24, 10.112.0.0/24, 10.112.1.0/24, 10.153.201.0/24, > 10.112.3.0/24, 10.110.1.0/24, 10.110.0.0/24, 10.109.0.0/24, > 10.111.0.0/24, 10.107.0.0/24, 10.206.0.0/24, 10.106.0.0/24, > 10.205.0.0/24, 10.105.0.0/24, 10.104.0.0/24, 10.103.0.0/24, > 10.152.0.0/24, 10.102.1.0/24, 10.102.0.0/24, 10.156.0.0/24, > 10.102.3.0/24, 209.106.200.0/24, 209.106.201.0/24, 209.106.202.0/24, > 209.106.203.0/24, 209.106.204.0/24, 209.106.205.0/24, > 209.106.206.0/24. > > Is it possible to increase the number of subnets it will consider > local, or should I define some of them as /16 ? > > Thank you, > Stefan. > > > On Thu, 11 Nov 2004 07:50:36 -0600, Burton M. Strauss III > <[EMAIL PROTECTED]> wrote: > > You've answered your own question, but you are too wedded to your own > > certain knowledge that there are only 400-500 hosts. There aren't. > > > > ANY IP address ntop sees is a host. > > > > A host is a host is a host. > > > > A host is something ntop creates a HostTraffic entry for, i.e. stores > > information about. > > > > If there are packets addressed to 200K hosts, then there are 200K hosts. > > > > With --track-local-hosts only, the remote hosts are dumped into 'other'. > > But every LOCAL IP seen per your -m definition of what's local, is a > > HostTraffic entry. > > > > 200K hosts * 2K is 400M of memory. 200K * 12K is 2.4G of memory - it's > > going to depend on what ntop sees in those packets as to how > much per host > > memory it's going to take. > > > > > > > > > > -----Burton > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > > > Behalf Of Stefan Iaru > > > Sent: Thursday, November 11, 2004 2:05 AM > > > To: [EMAIL PROTECTED] > > > Subject: Re: [Ntop-dev] ntop keeps crashing > > > > > > > > > I see it is running out of memory, but my question is why ? It has 1.5 > > > GB of RAM, and nothing else besides ntop is running on that box, and > > > I've also allocated about 8 GB of swap, of which it usually uses 500 - > > > 1000 MB before going down. > > > > > > I just added 10.0.0.0/8 because I have a number of 10.x.0.0/24 > > > subnets, and I was lazy about adding them all in. The number of active > > > nodes usually reaches 4-500, but the most I've seen ntop track is ~ > > > 200 000 (I set the trace level to 4 and monitored the logs). I believe > > > the number gets that high because of viral infections that cause > > > machines to scan inexistent subnets, therefore adding the hosts in > > > ntop's database. > > > > > > I've been modifying the IDLE_PURGE variables, decreasing the time a > > > host needs to be idle in order to be deleted and increasing the number > > > of hosts that can be removed, but I haven't seen any increase in > > > performance, and even though it sometimes deletes 5000 hosts in one go > > > (taking forever to do so), memory utilization doesn't go down. I know > > > the deletion process is time-consuming, but I was hoping it would help > > > some. > > > > > > Perhaps I am taking the wrong approach, so I would appreciate it if > > > you could point me in the right direction, as this tool is saving us a > > > lot of time tracking down infected machines/spammers/hackers etc. > > > > > > Thank you, > > > > > > Stefan. > > > > > > > > > > > > On Wed, 10 Nov 2004 08:49:49 -0600, Burton M. Strauss III > > > <[EMAIL PROTECTED]> wrote: > > > > What do you want... it's CLEAR in the log: > > > > > > > > > > > > > > > > Nov 9 19:30:09 linux ntop[11437]: **FATAL_ERROR** malloc(10384) @ > > > > pbuf.c:122 returned NULL [no more memory?] > > > > Nov 9 19:30:09 linux ntop[11437]: **WARNING** ntop packet > > > capture STOPPED > > > > Nov 9 19:30:09 linux ntop[11437]: NOTE: ntop web server > remains up > > > > Nov 9 19:30:09 linux ntop[11437]: NOTE: Shutdown gracefully and > > > > restart with more memory > > > > Nov 9 19:30:09 linux ntop[11437]: **FATAL_ERROR** malloc(10384) @ > > > > pbuf.c:122 returned NULL [no more memory?] > > > > > > > > ntop is running out of memory, and has handled it gracefully. > > > Even after > > > > the 'crash', the web server should still be up so you can grab > > > textinfo.html > > > > data and post real memory usage info. > > > > > > > > If you can't capture it after the 'crash', then setup a cron'ed > > > wget of that > > > > page to match up to a crash... > > > > > > > > But the $64? is "How many hosts are you really tracking"? With > > > 10.0.0.0/8 as > > > > local, it could be HUGE... > > > > > > > > -----Burton > > > > > > > -- > ------------------------ > Stefan Iaru > http://www.iaru.net
_______________________________________________ Ntop-dev mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop-dev
