I wondered if some of my test findings might be useful to others.

I've been running ntop with the netflow and rrd plugin monitoring internal IP 
addresses at an internet peer.

Here are the details.

ntop 2.2c running on a PIII750 with 512MB RAM.
Debian Linux 2.4 kernel. (Knoppix distro), compiled on the box.

Command line:
/usr/local/bin/ntop -d -L -u ntop -w 3000 -p /etc/ntop/protocol.list -P
/var/lib/ntop -a /var/lib/ntop/access.log -i eth0 -t 0 -O /var/log/ntop/ -z
--ignore-sigpipe -g -n -o -r 300 -m x.y.z.a/22,b.c.d.e/16 -C -M -e 40

I'm using the netflow plugin and sampling one in 10,000 packets with 2 Juniper 
routers working at about 300Mbps average throughput. That's only about 2 
packets per second of netflow data (containing 30 flow records each).

I also have the rrd plugin running and logging a small range of internal 
addresses (30 hosts).

I have 10,000 internal customers and after 24 hours, ntop was running fast and 
stable having seen about 9000 different internal IP addresses. CPU very low 
(2% or lower), average load < 0.5. [update - it's been stable for a week now]

Then, the fun bit - I removed the -g flag so that ntop would monitor ALL 
addresses (including internet addresses) and re-started.

It lasted 45 minutes before it got slow (ran out of main memory I think).
It had logged over 40,000 hosts at that point.

At about 50 minutes I lost the http interface and had to stop the process. 
45000 hosts were logged.

CPU level was low at around 5%. Memory usage was something like 750MB.

Protocol list was long and might be useful to some people. Not perfect but a 
good indicator.

FTP=ftp|ftp-data,HTTP=http|www|https,8080=8080,DNS=name|domain,
Telnet=telnet|login,MailClient=pop-2|pop-3|pop3|kpop|imap|imap2|imaps,
SMTP=smtp,SNMP=snmp|snmp-trap,NEWS=nntp,
NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh,RTSP=554,
Edonk=4661-4668,BitTorrSeed=6969,Bittor=6881-6999,Fasttrack=1214,
Gnutel=6345-6349,WinMX=6699,WindowsNet=135|137|139|445,BackOrifice=31337,
MSSQL=1433,SQLSlammer=1434,MyDoom=3127,Trinoo=27444,Dameware=6129,
Blackjack=1025,BackDoorsetup=5000,isakmp=500,halflife=27015,Subseven=27374,
dditcp1=8888,Crackdown=4444,RDP=3389

All in all NTOP is giving me some really helpful stats.
My only small gripe is that the AS number information is not sortable so I 
have to copy it into a spreadsheet. But apart from that - well done to 
everyone involved.


Steve.
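
Added example, not part of the original message and not ntop code: a small
checker for the protocol list above that parses the label=item|item entries
and reports numeric ports claimed by more than one label. The entry format is
inferred from the list itself, the function names are hypothetical, and
service names (ftp, http, ...) are left unresolved since they depend on the
local services database.

```python
import re

# Protocol list from the message above, with the e-mail line wraps removed.
PROTOCOL_LIST = (
    "FTP=ftp|ftp-data,HTTP=http|www|https,8080=8080,DNS=name|domain,"
    "Telnet=telnet|login,MailClient=pop-2|pop-3|pop3|kpop|imap|imap2|imaps,"
    "SMTP=smtp,SNMP=snmp|snmp-trap,NEWS=nntp,"
    "NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh,RTSP=554,"
    "Edonk=4661-4668,BitTorrSeed=6969,Bittor=6881-6999,Fasttrack=1214,"
    "Gnutel=6345-6349,WinMX=6699,WindowsNet=135|137|139|445,"
    "BackOrifice=31337,MSSQL=1433,SQLSlammer=1434,MyDoom=3127,Trinoo=27444,"
    "Dameware=6129,Blackjack=1025,BackDoorsetup=5000,isakmp=500,"
    "halflife=27015,Subseven=27374,dditcp1=8888,Crackdown=4444,RDP=3389"
)

def parse_protocol_list(text):
    """Split the list into numeric port ranges and unresolved service names."""
    ports, names = {}, {}
    for entry in filter(None, (e.strip() for e in text.split(","))):
        label, sep, spec = entry.partition("=")
        if not (label and sep and spec):
            raise ValueError(f"malformed entry: {entry!r}")
        for item in spec.split("|"):
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
            if m is None:  # service name, resolved elsewhere (e.g. /etc/services)
                names.setdefault(label, []).append(item.strip())
                continue
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range in {entry!r}")
            ports.setdefault(label, []).append((lo, hi))
    return ports, names

def find_overlaps(ports):
    """Return (label_a, label_b, lo, hi) for ports claimed by two labels."""
    flat = sorted((lo, hi, label) for label, rs in ports.items() for lo, hi in rs)
    found = []
    for i, (lo1, hi1, a) in enumerate(flat):
        for lo2, hi2, b in flat[i + 1:]:
            if lo2 > hi1:
                break  # sorted by start port: nothing later can overlap
            if a != b:
                found.append((a, b, lo2, min(hi1, hi2)))
    return found

if __name__ == "__main__":
    ports, names = parse_protocol_list(PROTOCOL_LIST)
    for a, b, lo, hi in find_overlaps(ports):
        print(f"{a} and {b} both claim ports {lo}-{hi}")
    print("labels that use service names:", ", ".join(sorted(names)))
```

On this list the only numeric overlap is port 6969, which sits inside the
Bittor range as well as under BitTorrSeed; the message does not say which
label ntop counts such traffic under.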
