192.168.240.241:38884 pkt=7/len=2428 sAS=0/dAS=0 flags=[(null)]
(proto=1133696252)

   could be there should be an htons() or htons() in the traceEvent():

#ifdef DEBUG
        traceEvent(CONST_TRACE_INFO, "NETFLOW_DEBUG: %2d) %s:%d <-> %s:%d "
                   "pkt=%u/len=%u sAS=%d/dAS=%d flags=[%s] (proto=%d)",
                   i+1,
                   _intoa(a, buf, sizeof(buf)), sport,
                   _intoa(b, buf1, sizeof(buf1)), dport,
                   ntohl(the5Record.flowRecord[i].dPkts), len,
                   ntohs(the5Record.flowRecord[i].src_as),
                   ntohs(the5Record.flowRecord[i].dst_as),
                   theFlags, the5Record.flowRecord[i].prot);
#endif
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

But that's minor...


IP vs. Non-IP Sent IP 50.0 %  Non-IP 50.0 %

Data Sent Stats Local 50.0 %  Rem 50.0 %


The stuff in the summary reports, e.g. Network Traffic: Total Data
(Sent+Received) is for the selected reporting NIC only.

The stuff in the per host report - void printHostDetailedInfo(HostTraffic
*el, int actualDeviceId) - while it lists actualDeviceId in the header,
never references it...  So the host record has to be being updated ONCE in
netflowPlugin.c based on the netFlow record and once in pbuf.c...


It still sounds like it's seeing the traffic twice, once in some
encapsulated format with an unrecognized protocol, so it's classifying it as
non-ip...  The extra packets are probably the netFlow packets themselves.

The % calc is (el->ipBytesRcvd.value*100)/el->bytesRcvd.value

In netFlow.c, the two counters get incremented in parallel:

      srcHost->bytesSent.value   += len,     dstHost->bytesRcvd.value   += len;
      srcHost->ipBytesSent.value += len,     dstHost->ipBytesRcvd.value += len;

Whereas in pbuf.c they're incremented separately.



void updatePacketCount(HostTraffic *srcHost, HostTraffic *dstHost,
                       TrafficCounter length, int actualDeviceId) {
...
  incrementTrafficCounter(&srcHost->bytesSent, length.value);

But the ipBytesSent is updated in processIpPkt() based on the L/R setting
for IP traffic:

  incrementTrafficCounter(&srcHost->ipBytesSent, length),
    incrementTrafficCounter(&dstHost->ipBytesRcvd, length);

  if(subnetPseudoLocalHost(srcHost)) {
    if(subnetPseudoLocalHost(dstHost)) {
      incrementTrafficCounter(&srcHost->bytesSentLoc, length);
      incrementTrafficCounter(&dstHost->bytesRcvdLoc, length);
    } else {
      incrementTrafficCounter(&srcHost->bytesSentRem, length);
      incrementTrafficCounter(&dstHost->bytesRcvdLoc, length);
    }
  } else {
    /* srcHost is remote */
    if(subnetPseudoLocalHost(dstHost)) {
      incrementTrafficCounter(&srcHost->bytesSentLoc, length);
      incrementTrafficCounter(&dstHost->bytesRcvdFromRem, length);
    } else {
      incrementTrafficCounter(&srcHost->bytesSentRem, length);
      incrementTrafficCounter(&dstHost->bytesRcvdFromRem, length);
    }
  }



Thoughts:

Switch among the NICs and see if you have any values for that host other
than on the netFlow device?


What do you see if you use tcpdump to capture the packets in a combined
format?

tcpdump -c mmm  "(udp and dst port 2055) or (host 192.168.42.xx)"

That is any netFlow record (you could add host dst yourip to limit it) or
anything to/from the USA host...


Question - since you have a VPN connection, what makes you think the ONLY
traffic over that tunnel is the netFlow records???



-----Burton
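The byte-order and counter-path points above, worked through as an added example (this is not ntop's code and not from either poster): it parses a constructed NetFlow v5 datagram with the header and record layout of the public v5 format, reads the protocol as the single byte it is (so no ntohs()/ntohl() applies to it), and then models the two accounting paths named in the thread. Counting each exported flow once through the NetFlow path, where bytesSent and ipBytesSent move together, gives 3083 bytes, 10 packets and 100 % IP; counting it a second time through the generic packet path, which bumps only bytesSent and the packet count, gives 6166 bytes, 14 packets and 50 % IP, the figures Eric reports. The counter name pktSent is an assumption, and the sample flows are constructed from the debug trace in the thread.

```c
/* Added example, not ntop's code: parse a NetFlow v5 export with the byte
 * order handling discussed in the thread, then model ntop's per-host counter
 * arithmetic to show how counting each flow a second time through the
 * generic (non-IP) packet path reproduces the doubled figures reported.
 * Field offsets follow the public NetFlow v5 layout (24-byte header,
 * 48-byte records); pktSent is an assumed counter name. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

#define NF5_HDR_LEN 24
#define NF5_REC_LEN 48
#define SAMPLE_FLOWS 4

typedef struct {
    uint32_t src, dst;          /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    uint32_t pkts, bytes;       /* dPkts, dOctets */
    uint8_t  prot;              /* one byte: ntohs()/ntohl() do not apply */
    uint16_t src_as, dst_as;
} nf5_flow;

static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return ntohl(v); }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return ntohs(v); }
static void put32(uint8_t *p, uint32_t v) { v = htonl(v); memcpy(p, &v, 4); }
static void put16(uint8_t *p, uint16_t v) { v = htons(v); memcpy(p, &v, 2); }

/* Parse one datagram. Returns the record count, or -1 for a bad version,
 * a truncated datagram, or more records than `max` can hold. */
int parse_nf5(const uint8_t *buf, size_t len, nf5_flow *out, int max) {
    if (len < NF5_HDR_LEN || get16(buf) != 5) return -1;
    int count = get16(buf + 2);
    if (count > max || len < NF5_HDR_LEN + (size_t)count * NF5_REC_LEN) return -1;
    for (int i = 0; i < count; i++) {
        const uint8_t *r = buf + NF5_HDR_LEN + i * NF5_REC_LEN;
        out[i].src = get32(r); out[i].dst = get32(r + 4);
        out[i].pkts = get32(r + 16); out[i].bytes = get32(r + 20);
        out[i].sport = get16(r + 32); out[i].dport = get16(r + 34);
        out[i].prot = r[38];        /* pad1=36 tcp_flags=37 prot=38 tos=39 */
        out[i].src_as = get16(r + 40); out[i].dst_as = get16(r + 42);
    }
    return count;
}

/* Constructed sample: the four 192.168.64.241:161 -> 192.168.240.241 flows
 * from the debug trace in the thread, marked as UDP (protocol 17). */
const uint8_t *sample_datagram(size_t *len) {
    static uint8_t buf[NF5_HDR_LEN + SAMPLE_FLOWS * NF5_REC_LEN];
    static const uint32_t pk[SAMPLE_FLOWS] = {1, 1, 1, 7};
    static const uint32_t by[SAMPLE_FLOWS] = {112, 236, 307, 2428};
    static const uint16_t dp[SAMPLE_FLOWS] = {38877, 38878, 38880, 38884};
    memset(buf, 0, sizeof buf);
    put16(buf, 5); put16(buf + 2, SAMPLE_FLOWS);
    for (int i = 0; i < SAMPLE_FLOWS; i++) {
        uint8_t *r = buf + NF5_HDR_LEN + i * NF5_REC_LEN;
        put32(r, 0xC0A840F1u); put32(r + 4, 0xC0A8F0F1u);   /* .64.241 -> .240.241 */
        put32(r + 16, pk[i]); put32(r + 20, by[i]);
        put16(r + 32, 161); put16(r + 34, dp[i]);
        r[38] = 17;
    }
    *len = sizeof buf;
    return buf;
}

/* Per-host counters named as in the thread; pktSent is assumed. */
typedef struct { uint64_t bytesSent, ipBytesSent, pktSent; } host_ctr;

/* netflowPlugin.c path: bytes and ipBytes are incremented together. */
static void account_netflow(host_ctr *h, const nf5_flow *f) {
    h->bytesSent += f->bytes; h->ipBytesSent += f->bytes; h->pktSent += f->pkts;
}
/* pbuf.c path, first half only: updatePacketCount() bumps bytesSent and the
 * packet count; ipBytesSent is touched later, in processIpPkt(), and only
 * for frames recognised as IP. */
static void account_generic_pkt(host_ctr *h, uint32_t len) {
    h->bytesSent += len; h->pktSent += 1;
}

/* (ipBytesSent*100)/bytesSent, the ratio behind "IP vs. Non-IP"; 0 if idle. */
unsigned ip_pct(const host_ctr *h) {
    return h->bytesSent ? (unsigned)((h->ipBytesSent * 100) / h->bytesSent) : 0;
}

/* Account the sample once via NetFlow and, if double_count is set, once more
 * as if each exported flow were also seen as a single unrecognised frame. */
host_ctr model(int double_count) {
    host_ctr h = {0, 0, 0};
    nf5_flow flows[SAMPLE_FLOWS];
    size_t len;
    const uint8_t *dg = sample_datagram(&len);
    int n = parse_nf5(dg, len, flows, SAMPLE_FLOWS);
    for (int i = 0; i < n; i++) {
        account_netflow(&h, &flows[i]);
        if (double_count) account_generic_pkt(&h, flows[i].bytes);
    }
    return h;
}

unsigned model_ip_pct(int double_count) { host_ctr h = model(double_count); return ip_pct(&h); }

int main(void) {
    for (int twice = 0; twice <= 1; twice++) {
        host_ctr h = model(twice);
        printf("%s: %llu bytes, %llu pkts, IP %u%%\n",
               twice ? "counted twice" : "NetFlow only",
               (unsigned long long)h.bytesSent, (unsigned long long)h.pktSent, ip_pct(&h));
    }
    return 0;
}
```

The parser rejects a truncated datagram before reading any record, which matters for a collector that receives exports over an untrusted tunnel; the model function is the diagnostic: if the host detail page shows twice the L-R bytes, one extra packet per flow record and a 50 % IP share, the second accounting path is the place to look.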
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric
Greenwood
Sent: Sunday, March 09, 2003 4:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] IP L-R traffic stats vs Host Info traffic stats


Thx Burton, maybe I should explain my architecture re the seeing traffic
twice. I am in NZ, and am receiving Netflow records from a VPN connection to
a router in USA, so no possibility of seeing traffic twice, via the local
interface.

To test this further, I enabled the debug like this in netflowplugin.c.

char buf[LEN_SMALL_WORK_BUFFER], buf1[LEN_SMALL_WORK_BUFFER];
traceEvent(CONST_TRACE_INFO, "%2d) %s:%d -> %s:%d pkt=%u/len=%u "
           "sAS=%d/dAS=%d flags=[%s] (proto=%d)",
           i+1,
           _intoa(a, buf, sizeof(buf)), sport,
           _intoa(b, buf1, sizeof(buf1)), dport,
           numPkts, len,
           ntohs(the5Record.flowRecord[i].src_as),
           ntohs(the5Record.flowRecord[i].dst_as),
           theFlags, the5Record.flowRecord[i].prot);

and have a command line like this, focused on a switch that is snmp polled
every 5mins by my management station.

/usr/local/bin/ntop -u flow -P /flow/ntop_db/ -p /flow/ntop_db/plist -t 5 |
gawk /192.168.64.241/

and every 5mins I get some records like this.

09/Mar/2003 21:27:56 [netflowPlugin.c:239] 14) 192.168.64.241:161 ->
192.168.240.241:38877 pkt=1/len=112 sAS=0/dAS=0 flags=[(null)]
(proto=1133696252)
09/Mar/2003 21:27:56 [netflowPlugin.c:239] 15) 192.168.64.241:161 ->
192.168.240.241:38878 pkt=1/len=236 sAS=0/dAS=0 flags=[(null)]
(proto=1133696252)
09/Mar/2003 21:27:56 [netflowPlugin.c:239] 24) 192.168.64.241:161 ->
192.168.240.241:38880 pkt=1/len=307 sAS=0/dAS=0 flags=[(null)]
(proto=1133696252)
09/Mar/2003 21:27:56 [netflowPlugin.c:239] 29) 192.168.64.241:161 ->
192.168.240.241:38884 pkt=7/len=2428 sAS=0/dAS=0 flags=[(null)]
(proto=1133696252)


ignoring the proto field ( it should be udp or protocol 17 ? ) this adds up to
sent 10 pkts, 3083 bytes ( Netflow V5 records)

The L-R screen on Ntop has this ( The Netflow plugin has 192.168.64.0/24 as
the local subnet)

Local to Remote IP Traffic
Host  IP Address Data Sent Data Rcvd
switch.mydomain.com  192.168.64.241 3.0 KB 1.8 % 0 0.0

which seems correct.

But clicking on the host link, to get the detailed host stats, gives this...


Info about host switch.mydomain.com
IP Address 192.168.64.241  [unicast]
First/Last Seen 03/09/03 21:27:56  -  03/09/03 21:27:56 [0 sec]
Domain mydomain.com
Host Location Local (inside specified/local subnet)
Total Data Sent 6.0 KB/14 Pkts/0 Retran. Pkts [0%]
Broadcast Pkts Sent 0 Pkts
Data Sent Stats Local 50.0 %  Rem 50.0 %
IP vs. Non-IP Sent IP 50.0 %  Non-IP 50.0 %

Total Data Rcvd 0/0 Pkts/0 Retran. Pkts [0%]
Data Rcvd Stats Local 0 %  Rem 100 %
Sent vs. Rcvd Pkts Sent 100 %  Rcvd 0 %
Sent vs. Rcvd Data Sent 100 %   Rcvd 0 %

which is double the L-R stats for data volumes ( 3.0Kb to 6.0 KB) and 14
pkts ?? IMHO should have been 3.1 KB and 10 pkts.
and the IP vs non-IP ?? should be 100% IP.

This is the difference or doubling that I was focusing on, between the L-R
display (and this doubling is also apparent for all R-L, R-R display too),
and the detailed host information display.

Hope you can shed some light on this for me...
Maybe that the proto field is not right is a clue here - it should be a
valid protocol number at this point in the Netflow record dissection code ?

the router view is this....
SrcIf          SrcIPaddress    DstIf          DstIPaddress    Pr TOS Flgs Pkts
Fa0/0          192.168.64.241   Tu23           192.168.240.241  11 00  10   7

another example is this..
debug has this...
192.168.64.241:0 -> 192.168.240.241:0 pkt=4/len=368 sAS=0/dAS=0 flags=[(null)] (proto=1133696252)

L-R display...
192.168.64.241 368 0.5 %

host detail...
Total Data Sent 736/5 Pkts/0 Retran. Pkts [0%]

again, you can see the host detail numbers are exactly doubled for bytes,
and "one" extra packet recorded.

also, if I export the hosts ( dump data) I see two 'bytesSent' fields - one
the double of the other -I am not sure what to make of that.....


regards

Eric.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Burton M. Strauss III
Sent: Saturday, March 08, 2003 1:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] IP L-R traffic stats vs Host Info traffic stats


Because you're seeing the traffic twice
Because you're seeing the traffic twice

It depends on where you have your ntop sensors.


+-----------+
| Switch &  |                         +------+
|  netFlow  |--------network----------| ntop |
| generator |                   |     +------+
+-----------+                 hostX

Host X -> www3.abc.com

ntop sees it

1) From the switch via netFlow
2) Directly

But, if you haven't set the local host addresses on the netFlow plugin, #1
isn't classified as L->R.

Using netFlow, you need to be very careful not to duplicate traffic.

-----Burton

US-based commercial support for ntop:
     http://www.ntopsupport.com
     mailto:[EMAIL PROTECTED]


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric
Greenwood
Sent: Thursday, March 06, 2003 8:40 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] IP L-R traffic stats vs Host Info traffic stats


I am wondering why the L-R, R-L traffic stats are always exactly 50% of the
detailed host traffic stats ??

In the L-R screen, data sent is 664, but in the host detail screen ( info
about host) traffic is doubled at 1.3KB. Same for the received traffic
counters.

This doubling is for every host listed, and short of counting the individual
flow records, I just can't figure it out.

Any ideas please ?

Eric

Local to Remote IP Traffic
Host  IP Address Data Sent Data Rcvd
HOST1  x.x.x.210 664 0.6 % 5.9 KB 11.2 %


Info about host HOST1
IP Address x.x.x.210  [unicast]
Host Location Local (inside specified/local subnet)
Total Data Sent 1.3 KB/10 Pkts/0 Retran. Pkts [0%]
Total Data Rcvd 11.8 KB/29 Pkts/0 Retran. Pkts [0%]


Eric Greenwood

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop