Each thread should have a unique PID. Then you can look at the log file and associate the PID with a ntop process / function. Or you can run ntop in gdb - it tells you most everything you'd want to know, and a bunch of stuff you don't!
I don't know why changing those settings would cause increased load. Perhaps that's not the only variable? Maybe recompile and install into a temp or dev directory and run that version unchanged and see what happens? I would suspect you'd be able to process at least 2x if not 4x that pps rate without much trouble. It will be interesting to see the resolution to this.

I use netflow exclusively so I can't help troubleshoot libpcap stuff much. But, from my experience DNS uses the most CPU - other than libpcap. Maybe try running tcpdump and see how its CPU and loss compare to ntop? Make sure and capture full packets and maybe throw in -vvv as well. If tcpdump captures "everything" (all data, unfiltered) with little loss and only 30% CPU - then that would be interesting.

G

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Nicholas Turner
Sent: Thursday, June 17, 2010 3:12 PM
To: [email protected]
Subject: Re: [Ntop] Track Local Hosts Abnormal CPU Usage

Both the switch and NTOP are reporting in the 5500pkt/s to 6500pkt/s, so I think the fiber tap is working fine, NTOP seems to be seeing all of the packets.

I tried running top -H (thread view) -p10440 (my ntop PID), but it just shows me a bunch of lt-ntop threads... none showing too much discernible difference that might help me (so maybe I haven't got the right arguments!) In fact the only difference seems to be the PR which is 25 =S.

It just seems really strange to me that lowering the number of max hosts to 4000 and lower, stops the CPU from hitting the 100% mark and dropping packets, yet when -g/--track-local-hosts is enabled, and the hosts are only ~200, there is constant 100% CPU load and dropped packets.

Thanks,
Nick

Quoting Gary Gatten <[email protected]>:

> What do you think your pps is? Can you confirm it with stats from
> your switch?
>
> Run top only on the ntop PID and enable thread view. There's
> another arg to top I can't recall right now, but it will help show
> you which thread is using the CPU. I'll see if I can find /
> remember this.
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Nicholas
> Turner
> Sent: Thursday, June 17, 2010 1:13 PM
> To: [email protected]
> Subject: Re: [Ntop] Track Local Hosts Abnormal CPU Usage
>
> I assume that would be the -n flag?
>
> Seems to have no effect on my operation with -x 4000 hosts, still same
> CPU usage hovering around 60-70%. Tried -n and --track-local-hosts,
> after 30 minutes of runtime, ntop has processed 1,798,000 packets, and
> libpcap has dropped just shy of 10,000,000 packets, and thinks it has
> only seen 197MB of traffic over this time (definitely been more, since
> 555% of packets have been dropped).
>
> So I would have to assume that the name resolution of IPs is not
> causing the problem, but thanks for the suggestion!
>
> On that note, I have also tried the -b flag to disable protocol
> decoding, but that did not seem to help my CPU usage.
>
> Nick
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
