Burton,
Thank you for the response! I'll give it a shot and know what to look for now!
The reason I don't use the Cisco router is that it's a c6509 running Native/Integrated IOS. Neither Netflow nor IP Accounting work properly on this hardware since they reside on the "msfc"/router portion of the switch. I have a TAC case open with Cisco and they are supposedly going to add Netflow support at some point to the Native IOS (it's on their roadmap).
Take care,
Mike
| "Burton M. Strauss III" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 04/02/2003 12:10 PM
|
Subject: RE: [Ntop] ntop netflow plugin or nprobe and gigabit? |
Caterpillar: Confidential Green Retain Until: 05/02/2003 Retention Category: G90 - Information and Reports
Well, I think you've tagged the key question, but I don't have a clue.
Let's do some math...
IIRC a machine of that vintage is PC100 RAM...
(Remember B is byte, b is bit) SDRAM transfers data in blocks of 64 bits at
a time so best case you're going to get 64*100M or 6.4Gbps. Ha ha... see a
rational discussion, such as
http://www.aceshardware.com/read.jsp?id=5000172. Their model gives 229 to
320 MB/s or 1.8-2.56 Gbps
The problem is that it's not just 1 for 1. Rather, the data in the packet
has to be transferred a number of times. At a minimum from the NIC to a
(kernel) memory buffer and from libpcap -> ntop. Real world often
introduces another copy in the network driver and one more from kernel space
to the libpcap (some drivers have a 'zero copy' patch or version that
eliminates one of these).
So that's at least 3 and probably more...
400Mbps * 4 = 1.6Gbps (maybe ok)
400Mbps * 5 = 2.0Gbps (doubt it)
Plus overhead inside ntop. Which isn't small...
The only way to be sure would be to try it and to monitor the kernel,
libpcap and ntop for dropped packets...
check
1. ifconfig
2. The packet queue stats in info.html
Packet queue
Queued to Process.....0
Maximum queue.....0
3. The Global Traffic Statistics page (Stats | Traffic)... which will have
dropped counts if anything's reported through libpcap.
But I doubt it.
If you really need to process that much data, I suggest looking into
netFlow - your Cisco router can perform what's effectively a 30x (or better)
reduction (from a 1500 byte record to a 48 byte flow entry).
nProbe is a dedicated collector and would also provide the same sorts of
bandwidth reduction. I guess I'm curious why you don't let your Cisco
router do it, as it has to process the fool data anyway...
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mike D.
Osborne
Sent: Wednesday, April 02, 2003 11:37 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] ntop netflow plugin or nprobe and gigabit?
Importance: High
Hello,
I'm wondering if any has had good luck using the netflow function of ntop
(as a probe) on a PII-500 class (or PII class, in general) collecting on a
Gigabit interface? I am trying to collect netflow data and the target
interface is a Cisco c6509 "port monitor" of a Solaris Gigabit Host. The
Solaris Host sometimes sends/receives at 400+MBit/sec.
I am wondering if ntop netflow plugin or nprobe can keep up with these kind
of speeds by using a PCI Gigabit adapter in a slightly older PII class
machine?
I assume it will keep up if its not doing much disk caching...unless the bus
on this type of machine can't even process that fast.
Thank you.
Michael D. Osborne
Network Infrastructure and Implementation
Caterpillar Logistics Technology Services, L.L.C.
E-Mail: [EMAIL PROTECTED]
Phone: +001 309 266 0693
Caterpillar tie-line: 7 726 0693
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
