Hi Paul, > Hi - I have a decent PC machine running OpenBSD (600 CPU/700 MB RAM) > and ntop-current from CVS as of yesterday. I am totally aware that > this is development code but I thought if there was something as far > as OS I could do.
It's perfectly OK to use the current snapshot, it is released as version 2.0 in some days, I think. > Basically, the machine is watching a DS3 running > at about 10-25 MB throughout the day. Almost immediately when starting > ntop, I see packets dropped by the kernel. This continues at a rate > of about 1%-10% until the rate drastically increases and ntop dies. That's normal. I experienced the same. The point is that in the beginning ntop fills his hash. When there are too many hosts in the hash ntop spends a lot of time with purging and so on. The number of hosts ntop has to manage are the interesting thing. > My current ulimit settings are: > > time(cpu-seconds) unlimited > file(blocks) unlimited > coredump(blocks) unlimited > data(kbytes) 1048576 > stack(kbytes) 8192 > lockedmem(kbytes) 240906 > memory(kbytes) 722720 > nofiles(descriptors) 128 > processes 532 > > and I have re-compiled the kernel with: > > option NMBCLUSTERS=8192 > option NKMEMCLUSTERS=8192 > option MAX_KMAP=120 > option MAX_KMAPENT=6000 > > The reason I am not using the release version of ntop is the > -e option for limiting the list of reported hosts. So, with all > that said, do you have any ideas for me as far as compile time options, > kernel tweaks, or other programs that I should be using. I do appreciate > any honesty. ;) What can be done is the following: If you are only interested in a special subnet, in a spacial protocol or such things, you can append tcpdump-like filtering options when starting ntop (change these options via the web interface: "Admin-Change Filter"), for example "ntop <parameters> net A.B.C.0/24", where "A.B.C.0" is the subnet you are interested in. You can also minimize the number of hosts in the hash, but that is currently not supported by ntop, you have to write something in the source code for that. You can set the snaplength to a smaller value (look in the source code of ntop.h and change DEFAULT_SNAPLEN), I think that speeds ntop up a bit, but you loose probably a bit information. That's all I can tell you. CU, Michael -- Michael Weidel, University of Ulm Computing Center Network Administration EMAIL: [EMAIL PROTECTED] WWW (PGP-KEY): http://www.weidel.org/ _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listmanager.unipi.it/mailman/listinfo/ntop
