Most of the "NetFlow Statistics" represent traffic stats contained within the netflow records, ie: the.... "real" transit traffic on your net. Netflow specific data is WAY down at the bottom of the page and will be obvious.
IMHO the quantity and id of the interfaces ntop reports should be REALLY close if not identical to what "show snmp mib ifmib ifindex" reports. I haven't checked to see if mine is 100% identical, but it's close enough I never had to check. A developer would have to answer this for sure. You may want to (well probably won't WANT to) uninstall ntop (completely) and start over again and see if that helps. Else, capture the flows coming from your switch and post here and/or send to Luca. At this point I'm not sure if it's something with ntop itself, your config of ntop, your IOS version, or the netflow export configs in your IOS. G -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Marc Mazuhelli Sent: Monday, July 19, 2010 10:19 AM To: [email protected] Subject: Re: [Ntop] Ntop 3.4-pre3 and Netflow problem: thousands of "interfaces" ? On 10-07-16 11:46, Gary Gatten at [email protected] wrote : > As for interfaces, it includes logical interfaces (VLANs, SVI's, etc.) and the > interfaces numbers are determined by IOS - I forget how, but you can view > them by: "show snmp mib ifmib ifindex". So, you will get some sort of display > for each unique interface from each unique exporter. If the number of > interfaces ntop sees are much different than the number of interfaces on your > exporter (6500), then something is not right. Hello, I was happy to see that ntop ran for the whole weekend without any major problems. This morning I have 245 directories in rrd/interfaces/NetFlow-device.2/NetFlow: much better than the thousands I had after running 10-15 minutes before, but still more than the number of "ifindex" reported by the command suggested by Gary. The result of the "show snmp mib ifmib ifindex" shows that there are 93 VLANs reported by the actual netflow config (that's much more than I thought). The indexes are numbered sequentially from 1 to 93 (they are not listed in order but I sorted the list). Should these numbers correspond to what I see in the "Interface Name/Id" column in the "Plugins => NetFlow => Statistics" page? Because they don't. As mentioned before, I have 3 sections in the "Netflow Statistics" page: "Device 1 - NeFlow-device.2" with the following Inderface ids: 42, 44, 50, 51, 52, 53, 54, 55, 56, 57, 59 and 60. "Device 2 - NeFlow-device.2" with the following Inderface ids: 0, 1, 28, 42, 43, 44, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 76, 77, 78, 79, 84, 112, 144, 154, 156, 157, 158, 224, 234, 235, 237, 240, 252, 257, 288, 312, 335, 390, 395, 420, 471, 546, 547, 1020, 7253, 7331, 13995, 62636 "Device 3 - NeFlow-device.2" with all the interface ids of "Device 2" above, plus the following additional Inderface ids: 68, 69, 70, 82, 95, 96, 100, 116, 120, 132, 137, 155, 168, 170, 174, 180, 192, 198, 206, 208, 232, 233, 236, 260, 274, 300, 311, 313, 314, 315, 316, 320, 327, 336, 360, 264, 380, 384, 389, 391, 392, 393, 394, 406, 416, 426, 432, 456, 467, 468, 469, 472, 473, 474, 480, 504, 520, 540, 545, 548, 549, 551, 552, 553, 576, 600, 623, 624, 626, 628, 630, 631, 632, 639, 656, 660, 684, 701, 702, 706, 707, 709, 710, 711, 720, 780, 782, 785, 786, 788, 789, 790, 840, 857, 858, 862, 867, 868, 869, 900, 924, 936, 946, 947, 960, 984, 1013, 1014, 1019, 1021, 1025, 1026, 1027, 1080, 1091, 1092, 1104, 1105, 1140, 1164, 1170, 1183, 1185, 1188, 1200, 1212, 1248, 1252, 1260, 1264, 1272, 1308, 1320, 1326, 1341, 1368, 1380, 1404, 1482, 1488, 1492, 1559, 1565, 1577, 1578, 1596, 1638, 1656, 1657, 1716, 1735, 2028, 2074, 2277, 2340, 2982, 3493, 3653, 3693, 3749, 4093, 5387, 7235, 7329, 7332, 7409, 7410, 7411, 61118, 61250, 61382, 61580, 61712, 61778, 6/884, 62042, 62108, 62174, 62372, 62438, 62504, 62570, 62702, 62768, 62834, 62900, 62933, 62966, 63032, 63164 As you can see, there are a lot of Interface IDs greater than 93. Gary said: > If the number of interfaces ntop sees are much different than the number > of interfaces on your exporter (6500), then something is not right. It seems that something is, indeed, not right. Any ideas? By the way, what do the Netflow statistics actually mean? Is it the number of bytes and packets of the Netflow records themselves, or the total number of bytes and packets of the flows reported by the Netflow records? Thanks, Marc. -- Marc Mazuhelli, CISSP, GSEC Computer security analyst Service des technologies de l'information Université de Sherbrooke _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
