Hi Simone,

Thanks for the advice. The --ignore-vlans option seems to help as I do not see the duplicates anymore. I do have VLANs on my network but it is not a problem for me not to have this separated in the display.

Now I still get odd alerts about HTTP requests not being answered. I'll investigate a bit further but it seems VERY similar to the issue Aaron and Emanuele are discussing in parallel. And, on top of that, it seems Aaron is also using a Unifi device (not the same model but I think the OSes are). Could this be a pointer to the root cause of our issues?

Thanks again.

On Thu, 21 May 2020 at 23:18, Simone Mainardi <[email protected]> wrote:

> Hi,
>
> > On 21 May 2020, at 14:55, David van Ginneken <[email protected]> wrote:
> >
> > Hi everyone,
> >
> > Starting with ntopng, I have a small issue initially setting it up.
> >
> > I use port mirroring on a switch to replicate all ports to port 5 where a dedicated ntopng interface 'listens' (Official package on raspbian 10).
> > On that same switch I have my Internet gateway (Unifi USG3P) connected to port 1. This same device also acts as a DHCP/DNS server.
> >
> > When mirroring all ports BUT port 1, I receive alerts about thousands of DNS queries not being answered. I did confirm that with a pcap dump.
>
> When you monitor just port 1, apart from the DNS queries unanswered alerts, do you get bi-directional traffic if you look at the flows page? Do you see the @1?
>
> > So I went and started to mirror port 1 along with others, and the missing traffic (DNS replies) started to be collected.
> > The issue is that with that configuration, all flows are listed twice in ntop. Internal hosts are showing normally and with "@1" at the end of the hostname.
>
> @1 means VLAN=1 so VLAN-tagged packets are received from the mirror port. VLANs depend on your switch configuration. If you can disregard VLANs you can use option --ignore-vlans
>
> > Is there a way for ntop to discard this duplicated traffic in the accounting of ntopng?
>
> I am not sure the traffic is duplicated. It could be that ntopng is keeping the two directions of every flow separated due to the VLAN. Let's continue the investigation depending on your responses.
>
> Simone
>
> > It makes sense to me that it is detected as a host's traffic will be seen on its own switch port and then in many cases on port 1.
> >
> > Many thanks.
> >
> > _______________________________________________
> > Ntop mailing list
> > [email protected]
> > http://listgateway.unipi.it/mailman/listinfo/ntop
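Simone's hypothesis in the quoted reply (the two directions of a flow kept apart because only some mirrored packets carry a VLAN tag) can be illustrated with a simplified flow table. This is an added example, not ntopng code and not part of the thread; the frames, addresses and the choice of which direction is tagged are constructed assumptions, and `ignore_vlans` only models the effect the thread attributes to `--ignore-vlans`.

```python
import struct
from collections import defaultdict

def frame(src_ip, dst_ip, sport, dport, vlan=None):
    """Build a constructed Ethernet/IPv4/UDP frame, optionally 802.1Q-tagged."""
    eth = b"\x02" * 6 + b"\x04" * 6                      # dummy MAC addresses
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(src_ip), bytes(dst_ip))
    return eth + tag + struct.pack("!H", 0x0800) + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def parse(pkt):
    """Return (vlan_id, src, dst, sport, dport); vlan_id is 0 when untagged."""
    off, vlan = 12, 0
    (etype,) = struct.unpack_from("!H", pkt, off)
    if etype == 0x8100:                                  # 802.1Q tag present
        (tci,) = struct.unpack_from("!H", pkt, off + 2)
        vlan, off = tci & 0x0FFF, off + 4                # low 12 bits = VLAN ID
        (etype,) = struct.unpack_from("!H", pkt, off)
    if etype != 0x0800:
        raise ValueError("not IPv4")
    ip = off + 2
    ihl = (pkt[ip] & 0x0F) * 4
    sport, dport = struct.unpack_from("!HH", pkt, ip + ihl)
    return vlan, pkt[ip + 12:ip + 16], pkt[ip + 16:ip + 20], sport, dport

def flow_table(packets, ignore_vlans=False):
    """Group packets into bidirectional flows keyed by (vlan, endpoint pair)."""
    flows = defaultdict(lambda: {"requests": 0, "replies": 0})
    for pkt in packets:
        vlan, src, dst, sport, dport = parse(pkt)
        a, b = sorted([(src, sport), (dst, dport)])      # direction-independent
        key = (0 if ignore_vlans else vlan, a, b)
        flows[key]["requests" if dport == 53 else "replies"] += 1
    return dict(flows)

def unanswered(flows):
    """Count flows that saw DNS requests but no reply."""
    return sum(1 for f in flows.values() if f["requests"] and not f["replies"])

# Constructed sample: the request is mirrored untagged from the host's port,
# the reply is mirrored from the gateway port with VLAN ID 1 (assumption).
HOST, GATEWAY = [192, 168, 1, 20], [192, 168, 1, 1]
PACKETS = [frame(HOST, GATEWAY, 40000, 53),
           frame(GATEWAY, HOST, 53, 40000, vlan=1)]

if __name__ == "__main__":
    for ignore in (False, True):
        table = flow_table(PACKETS, ignore_vlans=ignore)
        print(f"ignore_vlans={ignore}: flows={len(table)} unanswered={unanswered(table)}")
```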
