Thx for the quick reply.
Switch among the NICs and see if you have any values for that host other than on the netFlow device?

Well, yes (but only for that one device I chose to illustrate the problem, because the switch is managed by a server local to the LAN that the ntop host is on). I understood that -M forced packet aggregation off. I also only have management traffic on my NZ based subnet, not any customer client/server traffic paths, which is the bulk of the data in the displays.

Please note that this doubling holds true for all displays, i.e. for R-R flows, the summary is correct, the host detail is doubled, and the time stamped (hourly) buckets are correct. Example here. This host flow (verified by last contact) is for a flow that is local to my client's network only, not in any way routed down the management VPN tunnel.

Remote to Remote IP traffic
192.168.114.58 336 0.0 % 367 0.0 % - this is correct

Host detail
Host Location: Remote (outside specified/local subnet)
Total Data Sent: 672/16 Pkts/0 Retran. Pkts [0%] - this is double
Broadcast Pkts Sent: 0 Pkts
Data Sent Stats: Local 50.0 % Rem 50.0 %
IP vs. Non-IP Sent: IP 50.0 % Non-IP 50.0 %
Total Data Rcvd: 734/18 Pkts/0 Retran. Pkts [0%] - this is double
Data Rcvd Stats: Local 50.0 % Rem 50.0 %
IP vs. Non-IP Rcvd: IP 50.0 % Non-IP 50.0 %
Sent vs. Rcvd Pkts: Sent 47.1 % Rcvd 52.9 %
Sent vs. Rcvd Data: Sent 47.8 % Rcvd 52.2 %

Host Traffic stats
Midnight - 1AM 0 0.0 % 0 0.0 %
1AM - 2AM 336 100.0 % 367 100.0 % - this hourly bucket total is correct.
2AM - 3AM 0 0.0 % 0 0.0 %

What do you see if you use tcpdump to capture the packets in a combined format?

tcpdump -c mmm "(udp and dst port 2055) or (host 192.168.42.xx)"

That is any netFlow record (you could add host dst yourip to limit it) or anything to/from the USA host...

I only ever see netflow records, as the customer flows are not local to my LAN

02:06:17.275615 router.clientdomain.com.50228 > myntophost.mydomain.com.2055: udp 1464 (frag 52065:[EMAIL PROTECTED])

etc.
I agree I would see ethernet packets for the illustrative example, but I only chose that for debugging purposes (i.e. I needed a flow that was regular and known, so I could verify each record at source and be certain of the data coming in). But as before, this doubling is for all customer flows, not just those that may also happen to be present on my LAN.

Question - since you have a VPN connection, what makes you think the ONLY traffic over that tunnel is the netFlow records???

Because it is routed that way. I have management data and netflow records on that connection. But -M should be in force, so we don't count the local traffic, and R-R flows, or any flow that is not a management flow, will never come my way to be on my LAN.

However, the point of all this is that the remote router counts it all, wraps it up in a netflow packet, and ntop should display what it gets. Ntop is very very good at what it does, if I can just nail the anomaly I am seeing on the host detail stats.

Thanks
Eric

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
