Thx Burton, maybe I should explain my architecture re the seeing traffic twice. I am in NZ, and am receiving Netflow records from a VPN connection to a router in USA, so no possibility of seeing traffic twice, via the local interface.
To test this further, I enabled the debug like this in netflowplugin.c:

    char buf[LEN_SMALL_WORK_BUFFER], buf1[LEN_SMALL_WORK_BUFFER];

    traceEvent(CONST_TRACE_INFO,
               "%2d) %s:%d -> %s:%d pkt=%u/len=%u sAS=%d/dAS=%d flags=[%s] (proto=%d)",
               i+1,
               _intoa(a, buf, sizeof(buf)), sport,
               _intoa(b, buf1, sizeof(buf1)), dport,
               numPkts, len,
               ntohs(the5Record.flowRecord[i].src_as),
               ntohs(the5Record.flowRecord[i].dst_as),
               theFlags,
               the5Record.flowRecord[i].prot);

and have a command line like this, focused on a switch that is snmp polled every 5mins by my management station:

    /usr/local/bin/ntop -u flow -P /flow/ntop_db/ -p /flow/ntop_db/plist -t 5 | gawk /192.168.64.241/

and every 5mins I get some records like this:

    09/Mar/2003 21:27:56 [netflowPlugin.c:239] 14) 192.168.64.241:161 -> 192.168.240.241:38877 pkt=1/len=112 sAS=0/dAS=0 flags=[(null)] (proto=1133696252)
    09/Mar/2003 21:27:56 [netflowPlugin.c:239] 15) 192.168.64.241:161 -> 192.168.240.241:38878 pkt=1/len=236 sAS=0/dAS=0 flags=[(null)] (proto=1133696252)
    09/Mar/2003 21:27:56 [netflowPlugin.c:239] 24) 192.168.64.241:161 -> 192.168.240.241:38880 pkt=1/len=307 sAS=0/dAS=0 flags=[(null)] (proto=1133696252)
    09/Mar/2003 21:27:56 [netflowPlugin.c:239] 29) 192.168.64.241:161 -> 192.168.240.241:38884 pkt=7/len=2428 sAS=0/dAS=0 flags=[(null)] (proto=1133696252)

Ignoring the proto field (it should be udp or protocol 17?), this adds up to sent 10 pkts, 3083 bytes (Netflow V5 records).

The L-R screen on Ntop has this (the Netflow plugin has 192.168.64.0/24 as the local subnet):

    Local to Remote IP Traffic
    Host                  IP Address       Data Sent        Data Rcvd
    switch.mydomain.com   192.168.64.241   3.0 KB   1.8 %   0   0.0

which seems correct. But clicking on the host link, to get the detailed host stats, gives this...

    Info about host switch.mydomain.com
    IP Address             192.168.64.241 [unicast]
    First/Last Seen        03/09/03 21:27:56 - 03/09/03 21:27:56 [0 sec]
    Domain                 mydomain.com
    Host Location          Local (inside specified/local subnet)
    Total Data Sent        6.0 KB/14 Pkts/0 Retran. Pkts [0%]
    Broadcast Pkts Sent    0 Pkts
    Data Sent Stats        Local 50.0 %   Rem 50.0 %
    IP vs. Non-IP Sent     IP 50.0 %      Non-IP 50.0 %
    Total Data Rcvd        0/0 Pkts/0 Retran. Pkts [0%]
    Data Rcvd Stats        Local 0 %      Rem 100 %
    Sent vs. Rcvd Pkts     Sent 100 %     Rcvd 0 %
    Sent vs. Rcvd Data     Sent 100 %     Rcvd 0 %

which is double the L-R stats for data volumes (3.0 KB to 6.0 KB) and 14 pkts?? IMHO should have been 3.1 KB and 10 pkts. And the IP vs non-IP?? should be 100% IP.

This is the difference or doubling that I was focusing on, between the L-R display (and this doubling is also apparent for all R-L, R-R display too), and the detailed host information display. Hope you can shed some light on this for me...

Maybe that the proto field is not right is a clue here - it should be a valid protocol number at this point in the Netflow record dissection code?

The router view is this....

    SrcIf   SrcIPaddress     DstIf   DstIPaddress      Pr  TOS  Flgs  Pkts
    Fa0/0   192.168.64.241   Tu23    192.168.240.241   11  00   10    7

Another example is this.. debug has this...

    192.168.64.241:0 -> 192.168.240.241:0 pkt=4/len=368 sAS=0/dAS=0 flags=[(null)] (proto=1133696252)

L-R display...

    192.168.64.241   368   0.5 %

host detail...

    Total Data Sent   736/5 Pkts/0 Retran. Pkts [0%]

Again, you can see the host detail numbers are exactly doubled for bytes, and "one" extra packet recorded. Also, if I export the hosts (dump data) I see two 'bytesSent' fields - one the double of the other - I am not sure what to make of that.....

regards Eric.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burton M. Strauss III
Sent: Saturday, March 08, 2003 1:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] IP L-R traffic stats vs Host Info traffic stats

Because you're seeing the traffic twice.

It depends on where you have your ntop sensors.

    +-----------+
    | Switch &  |                            +------+
    | netFlow   |--------network-------------| ntop |
    | generator |       |                    +------+
    +-----------+     hostX

Host X -> www3.abc.com

ntop sees it
  1) From the switch via netFlow
  2) Directly

But, if you haven't set the local host addresses on the netFlow plugin, #1 isn't classified as L->R.

Using netFlow, you need to be very careful not to duplicate traffic.

-----Burton

US-based commercial support for ntop: http://www.ntopsupport.com mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Greenwood
Sent: Thursday, March 06, 2003 8:40 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] IP L-R traffic stats vs Host Info traffic stats

I am wondering why the L-R, R-L traffic stats are always exactly 50% of the detailed host traffic stats?? In the L-R screen, data sent is 664, but in the host detail screen (info about host) traffic is doubled at 1.3KB. Same for the received traffic counters. This doubling is for every host listed, and short of counting the individual flow records, I just can't figure it out. Any ideas please?

Eric

    Local to Remote IP Traffic
    Host    IP Address   Data Sent      Data Rcvd
    HOST1   x.x.x.210    664   0.6 %    5.9 KB   11.2 %

    Info about host HOST1
    IP Address         x.x.x.210 [unicast]
    Host Location      Local (inside specified/local subnet)
    Total Data Sent    1.3 KB/10 Pkts/0 Retran. Pkts [0%]
    Total Data Rcvd    11.8 KB/29 Pkts/0 Retran. Pkts [0%]

Eric Greenwood
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
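As an added example (not ntop's code and not from the thread), here is a small NetFlow v5 dissector in C that rebuilds the four 192.168.64.241:161 flows from Eric's debug output as a constructed datagram and sums packets and bytes once per record for a given source host; it yields the 10 pkts / 3083 bytes the L-R table shows, so any doubling has to happen after dissection. It also shows that prot is a single byte in the v5 record layout, so a proto value like 1133696252 cannot come from a correctly read record; the struct layouts follow Cisco's published v5 format, and the protocol 17 / port values are taken from the thread.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* NetFlow v5 header (24 bytes) and record (48 bytes); all fields are big-endian on the wire. */
struct nf5_hdr {
    uint16_t version, count; uint32_t sys_uptime, unix_secs, unix_nsecs, flow_seq;
    uint8_t engine_type, engine_id; uint16_t sampling;
} __attribute__((packed));
struct nf5_rec {
    uint32_t srcaddr, dstaddr, nexthop; uint16_t input, output;
    uint32_t dPkts, dOctets, first, last; uint16_t srcport, dstport;
    uint8_t pad1, tcp_flags, prot, tos; uint16_t src_as, dst_as;
    uint8_t src_mask, dst_mask; uint16_t pad2;
} __attribute__((packed));
struct host_totals { uint32_t pkts, octets, udp_flows; }; /* per-host sums */
/* Build the four 192.168.64.241:161 -> 192.168.240.241 flows from the debug
 * lines above as one datagram (constructed sample, not a capture). Returns length. */
size_t build_sample(uint8_t *buf, size_t cap) {
    static const uint32_t pk[4] = {1, 1, 1, 7}, oc[4] = {112, 236, 307, 2428};
    static const uint16_t dp[4] = {38877, 38878, 38880, 38884};
    size_t len = sizeof(struct nf5_hdr) + 4 * sizeof(struct nf5_rec);
    if (cap < len) return 0;
    memset(buf, 0, len);
    struct nf5_hdr *h = (struct nf5_hdr *)buf;
    h->version = htons(5); h->count = htons(4);
    struct nf5_rec *r = (struct nf5_rec *)(buf + sizeof *h);
    for (int i = 0; i < 4; i++) {
        r[i].srcaddr = htonl(0xC0A840F1); r[i].dstaddr = htonl(0xC0A8F0F1);
        r[i].srcport = htons(161); r[i].dstport = htons(dp[i]);
        r[i].dPkts = htonl(pk[i]); r[i].dOctets = htonl(oc[i]);
        r[i].prot = 17; /* UDP: the router's "Pr 11" column is hexadecimal */
    }
    return len;
}
/* Sum pkts/bytes of flows sourced by `host` (host byte order), once per record; -1 if malformed. */
int nf5_sum_sent(const uint8_t *buf, size_t len, uint32_t host, struct host_totals *t) {
    const struct nf5_hdr *h = (const struct nf5_hdr *)buf;
    if (len < sizeof *h || ntohs(h->version) != 5) return -1;
    int n = ntohs(h->count);
    if (n > 30 || len < sizeof *h + (size_t)n * sizeof(struct nf5_rec)) return -1;
    const struct nf5_rec *r = (const struct nf5_rec *)(buf + sizeof *h);
    memset(t, 0, sizeof *t);
    for (int i = 0; i < n; i++) {
        if (ntohl(r[i].srcaddr) != host) continue;
        t->pkts += ntohl(r[i].dPkts); t->octets += ntohl(r[i].dOctets);
        if (r[i].prot == 17) t->udp_flows++; /* prot is one byte: never > 255 */
    }
    return n;
}
```

Feeding a real exporter's datagram into nf5_sum_sent and comparing its totals with the host-detail page is a quick way to tell whether a discrepancy is in the records or in the accounting done after dissection.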
