Jon you have various types of drops - nic drops: you see them with ethtool as the kernel is not aware of them and you believe everything is ok, but instead you are losing packets - pf_ring/pcap drops: packets received by the nic for some reason (e.g. too slow) cannot be dispatched to applications and thus you have drops
Unless you have little traffic, I believe 6 NIC are too many for your system Regards Luca On Sep 13, 2011, at 9:16 PM, Jon Schipp wrote: > Hello all, > > I have a machine that acts as a monitoring device/sensor on my network, it > has 6 NIC's and receives copies of data from my switches via monitor ports. > ntop collects traffic for each interface from various network segments and I > have it set up with -m to avoid aggregation, which is very nice. > > In this particular scenario, should I be using the -C option as well. Though, > the machine isn't a router. Is that what is meant by "traffic exchange" in > the manual. > That's where I'm becoming confused: > > "Using ntop in network mode is extremely useful when installed in a traffic > exchange (e.g. > in the middle of the Internet) whereas the host mode should be used when > ntop is installed on the edge of a network" > > The sensor is located on our LAN. > > Also, I on the traffic reports page of a particular interface where it says: > > Dropped (libpcap): 0.0% 0 > Dropped (ntop): 0.0% 0 > > If the kernel drops packets will that increment the libpcap "dropped" > counter? Or is that something different? Is there a correlation between > kernel and libpcap drops? > Can a kernel drop packets without notifying libpcap and thus having ntop > cease to report it. Tcpdump uses libpcap and reports "dropped by kernel" > after a capture. As of now, > I'm presuming that the "dropped by kernel" amount is the "dropped (libpcap)" > amount and that libpcap is just getting the number(amount) from the kernel > through a bpf function or something. > > Please correct me if I'm wrong. > Thanks! > -- > - Jon > -- > ------------------------------------------------------------------ > > VMB: 812-682-0231 > > Dubois County Linux User Group - http://www.dclinux.org > Southern Indiana Computer Klub - http://sickbits.networklabs.org > Bloomington FOOLS - http://www.bloomingtonfools.org/ > BloomingLabs - http://www.bloominglabs.org > ISSA-Kentuckiana - http://issa-kentuckiana.org > > GPG Key ID: 810903CB > Key fingerprint = 0069 ED69 EABB DF84 5983 AD3C 6C20 BEFD 8109 03CB > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop --- We can't solve problems by using the same kind of thinking we used when we created them - Albert Einstein _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
