There is only one netflow-device pseudo device - everything ntop sees is aggregated into that as if it were a single physical NIC. If ntop sees the flow twice, it will be counted twice.
-----Burton > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeff > Mandel > Sent: Monday, May 17, 2004 3:22 PM > To: [EMAIL PROTECTED] > Subject: [Ntop] de-duplicating netflows from multiple devices > > > Hello, > > I have a question about de-duplicating netflows from multiple devices. > > I've been using ntop for netflow collection from a single router and I'm > just now starting to aggregate the netflow data from multiple sources. > > When collecting netflows from several routers, how are duplicate flows > handled? > > For example > +-------+ +-------+ +-------+ +-------+ > | host1 |--> |Router1|--> |Router2|--> | host2 | > +-------+ +-------+ +-------+ +-------+ > > Router1 and Router2 are both sending to the same ntop collector. > +-------+ +---------+ > |Router1|--> |Collector| > +-------+ +---------+ > ^ > | > +-------+ > |Router2| > +-------+ > > When hosts 1 and 2 are talking, the same flow should be collected by > each router, then sent to the collector. The routers are cisco routers > sending v5 netflow data. Does the collector de-duplicate this? > > Additionally, I was comparing ntop to another collector/analyzer from > crannog, who suggests you setup a different udp port on which to listen > for each router sending netflows to the collector. That seems to be it's > way of separating flows. It looks like ntop can only listen to one port. > > Does ntop have a way to separate flows from different devices? > Does it matter? > Would you recommend separating the flows? > > > Thanks, > > Jeff > _______________________________________________ > Ntop mailing list > [EMAIL PROTECTED] > http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
