Hello, I installed ntop 3.4-pre3 (from svn) on RedHat 5.5. I am trying to have it analyse Netflows from a Cisco Catalyst 6500 (we are new to Netflows, it's the first time we use them).
As soon as ntop starts up, it sees and interprets traffic that it receives via Netflow but this only lasts for a while. After just a few minutes, in the "Plugins -> NetFlow -> Statistics" (or "view / Configure") page, the table for "Device 1 - NetFlow-device.2" contains thousands and thousands of lines with different "interface" numbers. The page takes forever to load, especially because every line contains a rrd graph. The lines all contain "10.1.254.254:53853" in the "NetFlow Device" column (this corresponds to the 6500 that is feeding it Netflows), and a number that starts at 0 and is incremented by 1 on each line in the "Interface Name/Id" column.

After a few minutes, ntop doesn't show any stats anymore, and the log shows this:

Tue Jul 13 10:30:15 2010 **WARNING** RRD: mkdir(/var/run/ntop34/rrd/interfaces/NetFlow-device.2/NetFlow/65522_167902974_53853/), error 31 Too many links
Tue Jul 13 10:30:15 2010 **WARNING** RRD: rrd_create(/var/run/ntop34/rrd/interfaces/NetFlow-device.2/NetFlow/65522_167902974_53853/ifInOctets.rrd) error: creating '/var/run/ntop34/rrd/interfaces/NetFlow-device.2/NetFlow/65522_167902974_53853/ifInOctets.rrd': No such file or directory

At this point the "rrd/interfaces/NetFlow-device.2/NetFlow" directory contains 31999 directories with names like: 24253_167902974_53853, 2415_167902974_53853 or 39447_167902974_53853.

Something seems wrong: all these "interfaces" should not be separated, they all come from the same Netflow! Any idea on what I can do to fix this?

Thank you very much,
Marc.

--
Marc Mazuhelli, CISSP, GSEC
Computer security analyst
Service des technologies de l'information
Université de Sherbrooke
Sherbrooke, Quebec, Canada.
