This shows the routing of the flows through ntop's handling... it's the audit
trail - read through plugins/netFlowPlugin.c...
    Gives: # Pkts Received                  7,561
    Less:  # Pkts with bad version              0
7561 - 0 = 7561
    Gives: # Pkts processed                 7,561
           # Flows per packet(avg)           30.0
30 * 7561 = 226830 individual flow records
           # Flows received               226,830
Flows can be ignored for various superficial reasons:
    Less:  # Flows with zero packet count       0
    Less:  # Flows with zero byte count         0
    Less:  # Flows with bad data                0
This then is the # actually processed:
    Gives: # Flows processed              226,830
    Ignored Flows
Or ignored for more profound (really, it's not simple vs. profound, it's just
rejected further along in the code) reasons:
    port zero                                8427
means that sport or dport were 0 and the flow is ignored...
    in handleIP()                           55417
comes from this code:
    if(handleIP(dport, srcHost, dstHost, len, 0, 0, actualDeviceId) == -1)
      if(handleIP(sport, srcHost, dstHost, len, 0, 0, actualDeviceId) == -1) {
        flowIgnoredInHandleIP++;
or it's relative (ntop chooses the lesser of sport/dport as the assumed
'server port'):
    if(handleIP(sport, srcHost, dstHost, len, 0, 0, actualDeviceId) == -1)
      if(handleIP(dport, srcHost, dstHost, len, 0, 0, actualDeviceId) == -1) {
        flowIgnoredInHandleIP++;
where handleIP (the ntop routine in pbuf.c, around line 87) returned -1,
indicating it couldn't process the flow record:
    int handleIP(u_short port,
                 HostTraffic *srcHost, HostTraffic *dstHost,
                 u_int _length, u_short isPassiveSess,
                 u_short p2pSessionIdx, int actualDeviceId) {
      int idx;
      Counter length = (Counter)_length;

      if((srcHost == NULL) || (dstHost == NULL)) {
        traceEvent(CONST_TRACE_ERROR, "Sanity check failed (4) [Low memory?]");
        return(-1);
      }

      if(isPassiveSess) {
        /* Emulate non passive session */
        idx = myGlobals.FTPIdx;
      } else {
        if(p2pSessionIdx) {
          switch(p2pSessionIdx) {
          case FLAG_P2P_GNUTELLA:
            idx = myGlobals.GnutellaIdx;
            break;
          case FLAG_P2P_KAZAA:
            idx = myGlobals.KazaaIdx;
            break;
          case FLAG_P2P_WINMX:
            idx = myGlobals.WinMXIdx;
            break;
          case FLAG_P2P_DIRECTCONNECT:
            idx = myGlobals.DirectConnectIdx;
            break;
          default:
            idx = -1;
            break;
          }
        } else
          idx = mapGlobalToLocalIdx(port);
      }

      if(idx == -1)
        return(-1); /* Unable to locate requested index */
      else if(idx >= myGlobals.numIpProtosToMonitor) {
        traceEvent(CONST_TRACE_ERROR, "Discarding idx=%d for port=%d", idx, port);
        return(-1);
      }
It could be an unknown form of P2P software (but p2pSessionIdx should only
be set for recognized ones), so the most common reason is this:
    idx = mapGlobalToLocalIdx(port);
which means that you've got traffic on a server port ntop isn't monitoring.
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Marco
Teixeira
Sent: Wednesday, June 04, 2003 1:31 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] losing netflows
Hi there...
After searching the list, couldn't find anything that would explain to me
why this happens....
Wouldn't you say that it is losing too many flows ? ? ?
What do PORT 0 and IN HANDLEIP() mean ?
I'm exporting from Cisco 7500 in version 5 with no aggregation ...
TIA
Marco
Below is a copy paste from ntop
Flow Statistics
    Flow Senders 192.168.230.254 [7,561 pkts]
    Gives: # Pkts Received                  7,561
    Less:  # Pkts with bad version              0
    Gives: # Pkts processed                 7,561
           # Flows per packet(avg)           30.0
           # Flows received               226,830
    Less:  # Flows with zero packet count       0
    Less:  # Flows with zero byte count         0
    Less:  # Flows with bad data                0
    Gives: # Flows processed              226,830
    Ignored Flows
           port zero                         8427
           in handleIP()                    55417
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
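Added example, not part of the original messages and not ntop's own code: a simplified C model of the accounting described in the reply, which counts "port zero" flows, counts a flow as ignored in handleIP() only when neither port maps to a monitored index, and reports which unmonitored lesser port accounts for the most ignored flows. The monitored-port table, map_port_to_idx() (a stand-in for mapGlobalToLocalIdx()), the struct and function names, the sample flows, and the assumption that the port-zero check runs before the lookup are all constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for ntop's table of monitored server ports. */
static const unsigned short monitored[] = { 21, 22, 25, 53, 80, 110, 443 };
/* Simplified stand-in for mapGlobalToLocalIdx(): index, or -1 if unmonitored. */
static int map_port_to_idx(unsigned short port) {
  for (size_t i = 0; i < sizeof(monitored) / sizeof(monitored[0]); i++)
    if (monitored[i] == port) return (int)i;
  return -1;
}

struct flow { unsigned short sport, dport; };
struct flow_stats { unsigned long received, port_zero, ignored_in_handle_ip, accounted; };
static unsigned long ignored_by_port[65536]; /* keyed by lesser (assumed server) port */

static struct flow_stats audit_flows(const struct flow *f, size_t n) {
  struct flow_stats s = { 0, 0, 0, 0 };
  for (size_t i = 0; i < n; i++) {
    unsigned short lo = f[i].sport < f[i].dport ? f[i].sport : f[i].dport;
    unsigned short hi = f[i].sport < f[i].dport ? f[i].dport : f[i].sport;
    s.received++;
    if (lo == 0) { s.port_zero++; continue; } /* sport or dport was 0 */
    /* Lesser port first, then the other; ignored only when both lookups fail. */
    if (map_port_to_idx(lo) == -1 && map_port_to_idx(hi) == -1) {
      s.ignored_in_handle_ip++;
      ignored_by_port[lo]++;
    } else s.accounted++;
  }
  return s;
}
/* Unmonitored lesser port seen most often among ignored flows (0 if none). */
static unsigned short top_ignored_port(void) {
  unsigned best = 0;
  for (unsigned p = 1; p < 65536; p++)
    if (ignored_by_port[p] > ignored_by_port[best]) best = p;
  return (unsigned short)best;
}

/* Constructed sample flows, not taken from the page's capture. */
static const struct flow sample[] = { {34567, 80}, {53, 40000}, {0, 1234},
  {6881, 51413}, {4662, 4672}, {443, 50001}, {1025, 0}, {51000, 6881} };

int main(void) {
  struct flow_stats s = audit_flows(sample, sizeof(sample) / sizeof(sample[0]));
  printf("received=%lu port_zero=%lu handleIP=%lu accounted=%lu top=%u\n", s.received,
         s.port_zero, s.ignored_in_handle_ip, s.accounted, (unsigned)top_ignored_port());
  return 0;
}
```

The three counters always sum to the number of flows received in this model, so a large "in handleIP()" figure points at server ports missing from the monitored list rather than at flows lost in transit.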