Apologies in advance if this is a question that’s been answered before – but I haven’t been able to find the question asked anywhere. If it’s in the list archives, double sorry....
My ntop 4.0.3 installation (data source: sFlow from a Force10 C300 switch) permanently reads ~65% non-IP traffic. Regardless, it seems to paint a very accurate picture of our network traffic as I imagine it to be: just the right amount of memcache, NFS, MySQL, etc. All the individual servers, likewise, note around the same amount of non-IP traffic. Currently it has been running an hour or two: total traffic = 4.5 GB, IP traffic = 1.6 GB, non-IP traffic = 2.9 GB. ARP and STP between them add up to around 5 MB. Running tcpdump randomly on my network shows next to zero non-IP traffic, 99% of which is ARP anyhow.

We run busy websites here, and there is a LOT of TCP traffic on the network. I sort of assume that somehow I might have noticed an EVEN HUGER volume of non-IP traffic on my switch, but maybe not. But if it's there, I don't have a clue either what it is or where it's going.

Can anyone tell me if there is a simple explanation for an ntop installation to mistakenly identify IP traffic as non-IP, perhaps due to network or CPU load? Or, can anyone tell me how sFlow categorizes a packet as non-IP, so I can trawl through all the packets coming into port 6343 on the monitoring machine to see which packets are being marked as non-IP? Obviously, all the sFlow packets hitting the machine are UDP/IP, but once past the IP header, how is the sFlow part of the packet structured, and how/where does it categorize the packet as non-IP? Presumably the sFlow sender packs up the individual packet it has sampled into one or more sFlow packets, but here I'm just guessing.

Also, I see this in the log, though less with 4.0.3 than I did with 4.0:

    Mon Nov 1 14:44:17 2010 **WARNING** packet truncated (8754->8232)
    Mon Nov 1 14:44:17 2010 **WARNING** packet truncated (8754->8232)
    Mon Nov 1 14:44:17 2010 **WARNING** packet truncated (8754->8232)

It's not always 8754 (sometimes 12450, 9698 or higher), but it's always 8232. That makes no sense to me either, as all the sFlow packets are IP packets of around 1500 bytes or less. Probably unrelated, and maybe a bug based on the reading I've done?

Oh, and I found a couple of ntop installations open on the internet: both of them registered > 50% non-IP traffic too. Not a valid sample, of course.

Any help would be much appreciated,
Barnaby
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
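As an added example (this is not ntop's code and not part of the post above), here is a small Python parser for the sFlow v5 datagram layout the post asks about, following the sflow.org "sFlow Version 5" specification: a datagram header (version, agent address, sub-agent id, sequence number, uptime, sample count) followed by samples, each tagged with a type and a length; a flow sample carries flow records, and the "raw packet header" record (format 1) carries a header protocol (1 = Ethernet, 11 = IPv4, 12 = IPv6), the original frame length, and the first N bytes of the sampled packet. The agent itself never labels anything "IP" or "non-IP"; that is decided by the collector from those header bytes, so for an Ethernet sample it comes down to the EtherType, and with 802.1Q tagging the real EtherType sits four bytes further in. The datagram below is constructed inline for the example (it is not a capture), and the classification rule is the example's own, not ntop's.

```python
"""Minimal sFlow v5 datagram parser: classify each sampled packet as IP or non-IP.

Added example, not ntop code. Field layout follows the sFlow v5 spec: all
fields are big-endian 32-bit unless noted; byte fields are padded to 4 bytes.
"""
import struct

HP_ETHERNET, HP_IPV4, HP_IPV6 = 1, 11, 12          # raw header protocol values
ETH_IPV4, ETH_IPV6, ETH_ARP, ETH_VLAN = 0x0800, 0x86DD, 0x0806, 0x8100


def classify_header(header_protocol, hdr, skip_vlan=True):
    """Return 'IPv4', 'IPv6' or 'non-IP' for one sampled header.

    For Ethernet samples the decision rests on the EtherType; 802.1Q tags
    (TPID 0x8100 + 2-byte TCI) are stepped over when skip_vlan is set.
    """
    if header_protocol == HP_IPV4:
        return "IPv4"
    if header_protocol == HP_IPV6:
        return "IPv6"
    if header_protocol != HP_ETHERNET or len(hdr) < 14:
        return "non-IP"
    off = 12                                        # after dst MAC + src MAC
    ethertype = struct.unpack_from("!H", hdr, off)[0]
    while skip_vlan and ethertype == ETH_VLAN and len(hdr) >= off + 6:
        off += 4
        ethertype = struct.unpack_from("!H", hdr, off)[0]
    if ethertype == ETH_IPV4:
        return "IPv4"
    if ethertype == ETH_IPV6:
        return "IPv6"
    return "non-IP"


def parse_sflow_v5(datagram, skip_vlan=True):
    """Walk the datagram; return (flow sample seq, frame length, class) per raw header.

    Counter samples and record types other than raw packet header are skipped.
    """
    version, agent_type = struct.unpack_from("!II", datagram, 0)
    if version != 5:
        raise ValueError("not an sFlow v5 datagram")
    pos = 8 + (4 if agent_type == 1 else 16)        # 1 = IPv4 agent, 2 = IPv6
    _sub_agent, _seq, _uptime, nsamples = struct.unpack_from("!IIII", datagram, pos)
    pos += 16
    results = []
    for _ in range(nsamples):
        sample_type, sample_len = struct.unpack_from("!II", datagram, pos)
        pos += 8
        if (sample_type & 0xFFF) == 1:              # low 12 bits: 1 = flow sample
            (sseq, _src, _rate, _pool, _drops,
             _in, _out, nrecords) = struct.unpack_from("!8I", datagram, pos)
            rpos = pos + 32
            for _ in range(nrecords):
                rtype, rlen = struct.unpack_from("!II", datagram, rpos)
                rpos += 8
                if (rtype & 0xFFF) == 1:            # raw packet header record
                    proto, frame_len, _stripped, hdr_len = struct.unpack_from(
                        "!IIII", datagram, rpos)
                    hdr = datagram[rpos + 16: rpos + 16 + hdr_len]
                    results.append((sseq, frame_len, classify_header(proto, hdr, skip_vlan)))
                rpos += rlen
        pos += sample_len
    return results


# --- constructed test datagram (hand-built for this example, not a capture) ---
def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)


def _raw_header_record(proto, frame_len, hdr):
    body = struct.pack("!IIII", proto, frame_len, 0, len(hdr)) + _pad4(hdr)
    return struct.pack("!II", 1, len(body)) + body


def _flow_sample(seq, records):
    body = struct.pack("!8I", seq, 0, 256, seq * 256, 0, 1, 2, len(records))
    body += b"".join(records)
    return struct.pack("!II", 1, len(body)) + body


def build_sample_datagram():
    """Three flow samples: untagged IPv4, 802.1Q-tagged IPv4 (VLAN 100), ARP."""
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ipv4_stub = bytes.fromhex("4500003c")           # start of an IPv4 header
    untagged = macs + struct.pack("!H", ETH_IPV4) + ipv4_stub
    tagged = macs + struct.pack("!HHH", ETH_VLAN, 0x0064, ETH_IPV4) + ipv4_stub
    arp = macs + struct.pack("!H", ETH_ARP) + bytes.fromhex("00010800")
    samples = [
        _flow_sample(1, [_raw_header_record(HP_ETHERNET, 1514, untagged)]),
        _flow_sample(2, [_raw_header_record(HP_ETHERNET, 1518, tagged)]),
        _flow_sample(3, [_raw_header_record(HP_ETHERNET, 60, arp)]),
    ]
    header = struct.pack("!II", 5, 1) + bytes([10, 0, 0, 1])      # v5, IPv4 agent
    header += struct.pack("!IIII", 0, 100, 123456, len(samples))
    return header + b"".join(samples)


if __name__ == "__main__":
    dg = build_sample_datagram()
    for label, skip in (("with VLAN handling", True), ("without", False)):
        print(label, parse_sflow_v5(dg, skip_vlan=skip))
```

The `skip_vlan` flag is there to show how much one collector-side decision matters: the same constructed datagram classifies its tagged frame as IPv4 when the 802.1Q tag is stepped over and as non-IP when it is not. To see what a real collector is working from, feed `parse_sflow_v5` the UDP payloads of the port 6343 datagrams instead of the constructed one.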
