Zorg, I'm trying to do the same thing.
Currently I've got nfcapd running and am using nfdump to get the best
results.
RRDTool:/var/cache/nfdump# nfdump -R /var/cache/nfdump/ -s record 'net 192.168.88.0 255.255.255.0'
Aggregated flows 2941
Top 10 flows ordered by flows:
Date flow start          Duration  Proto  Src IP Addr:Port  ->  Dst IP Addr:Port  Packets  Bytes  Flows
2011-01-31 12:37:11.520  25864.750  UDP  192.168.2.9:56869 -> 192.168.88.254:6446  1038  33937  980
2011-01-31 12:38:00.820  25804.300  UDP  192.168.88.1:5678 -> 255.255.255.255:5678  864  90720  864
2011-01-31 12:37:18.420  4679.690  UDP  111.251.25.128:11961 -> 192.168.88.254:6446  235  11750  235
2011-01-31 12:37:18.220  4679.690  UDP  192.168.88.254:6446 -> 111.251.25.128:11961  235  11750  235
2011-01-31 12:37:18.220  4659.600  UDP  192.168.88.254:6446 -> 111.249.26.127:31681  234  11466  234
2011-01-31 12:37:18.410  4659.610  UDP  111.249.26.127:31681 -> 192.168.88.254:6446  234  11466  234
2011-01-31 12:38:22.950  15246.630  TCP  111.90.24.88:1877 -> 192.168.88.254:61253  496  29636  185
2011-01-31 12:38:22.750  15249.840  TCP  192.168.88.254:61253 -> 111.90.24.88:1877  471  38112  184
2011-01-31 12:37:15.450  15438.790  TCP  192.168.88.254:61245 -> 213.146.189.201:12350  391  18262  162
2011-01-31 12:37:15.760  15435.470  TCP  213.146.189.201:12350 -> 192.168.88.254:61245  229  9989  162
Summary: total flows: 11373, total bytes: 82.3 M, total packets: 129130, avg bps: 24398, avg pps: 4, avg bpp: 637
Time window: 2011-01-31 12:18:30 - 2011-01-31 19:48:25
Total flows processed: 13915, Blocks skipped: 0, Bytes read: 733948
Sys: 0.088s flows/second: 158116.0 Wall: 0.075s flows/second: 184801.5
I haven't managed to make it give me a consolidated answer for each ip
in 88.0/24 yet.
I'm also just trying to set up my test network with vlans to see if I
can just report the traffic by vlan (the v9 data does have an option for
this I think - also not 100% sure on that).
Keep reporting back here on how you're going and I'll give updates on my
work, perhaps between us we can crack this nut!
D
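One way to get the per-host consolidation D is after from the output already shown, as an added example that is not part of the original thread: a small Python script that parses rows in the layout of `nfdump -s record` and sums packets, bytes and flows for every address inside a given prefix, split by direction. The rows embedded below are a constructed sample copied from the quoted output; the function name `per_host_totals` and the row regex are my own assumptions, not nfdump's.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of 'nfdump -s record' (header line included
# to show that non-row lines are skipped).
SAMPLE = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2011-01-31 12:37:11.520 25864.750 UDP 192.168.2.9:56869 -> 192.168.88.254:6446 1038 33937 980
2011-01-31 12:38:00.820 25804.300 UDP 192.168.88.1:5678 -> 255.255.255.255:5678 864 90720 864
2011-01-31 12:37:18.420 4679.690 UDP 111.251.25.128:11961 -> 192.168.88.254:6446 235 11750 235
2011-01-31 12:37:18.220 4679.690 UDP 192.168.88.254:6446 -> 111.251.25.128:11961 235 11750 235
"""

# One aggregated record: date time duration proto src:port -> dst:port packets bytes flows
ROW = re.compile(
    r"^(?P<date>\S+ \S+)\s+(?P<dur>[\d.]+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<flows>\d+)$"
)

def per_host_totals(text, network):
    """Sum packets, bytes and flows per host inside `network`, by direction.

    A record whose source AND destination are both inside the prefix is
    credited to both hosts (as outbound for one, inbound for the other).
    """
    net = ipaddress.ip_network(network)
    totals = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0,
                                  "in_pkts": 0, "out_pkts": 0, "flows": 0})
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, summary and blank lines carry no record
        pkts, byts, flows = (int(m.group(k)) for k in ("packets", "bytes", "flows"))
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if src in net:
            h = totals[str(src)]
            h["out_bytes"] += byts; h["out_pkts"] += pkts; h["flows"] += flows
        if dst in net:
            h = totals[str(dst)]
            h["in_bytes"] += byts; h["in_pkts"] += pkts; h["flows"] += flows
    return dict(totals)

if __name__ == "__main__":
    for host, t in sorted(per_host_totals(SAMPLE, "192.168.88.0/24").items()):
        print(f"{host:16} in {t['in_bytes']:>8} B  out {t['out_bytes']:>8} B  flows {t['flows']}")
```

Feed it the real output with `nfdump ... -s record | python3 thisscript.py` by reading `sys.stdin` instead of `SAMPLE`; the broadcast row (255.255.255.255) is credited only to its 192.168.88.1 sender because the destination is outside the prefix.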
On 1/02/2011 12:26 a.m., Zorg wrote:
On 28/01/2011 17:19, Gary Gatten wrote:
I think there may be several ways to achieve what you wish. The
question is, what exactly do you want to split? If it's "all"
traffic data (detailed), you'll need netflow with different logical
netflow interfaces for each of the three interfaces you are
monitoring. If you just want summary data (bytes and packets Tx and
Rx, etc.) grouped by each network range you are monitoring - you can
use clusters / communities; one for each network range.
I have tried to add communities, but I don't see how to use them. I'm
seeing a community column on host info, but I would like more info, like
traffic by community, summary by community. In fact, features like
VLAN. How can I do that?
Your network diagram didn't format clearly for me. If you need
additional assistance, please attach the network diagram in a txt file
and include what type of network equipment you have. Or, spell out
specifically what problem(s) you're trying to address.
HTH
G
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Zorg
Sent: Friday, January 28, 2011 9:57 AM
To: [email protected]
Subject: [Ntop] split result by network
Hello,
I have a network which looks like this :
____
| 1 |
|___|____________
|
|
____ |
| 2 | | ________
|___|____________|ROUTER|__| NTOP |
| |_place_|
|
____ |
| 3 | |
|___|____________|
1 = 192.168.1.0
2 = 192.168.2.0
3 = 192.168.3.0
NTOP = 192.168.4.0
I would like to monitor traffic from place 1, place 2, place 3 to the NTOP
place. Is it possible to split the info (as if I had 3 different
interfaces)? It would be a "logical split".
Another solution is to put nprobe/netflow on each of 1, 2, 3, and to
create 1 interface per nprobe, but I'm afraid that sending netflow traffic
and network traffic on the same link will fill the link. What do you think
about it?
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop