Re: [Ntop] de-duplicating netflows from multiple devices

Mon, 17 May 2004 15:19:10 -0700

When collecting from multiple routers where there will clearly be some overlap, where is the appropriate point to filter the duplicates out? Could it be done with ntop filtering expressions?
What are folks doing out there with multiple routers to keep their data from being inflated?


Burton M. Strauss III wrote:

There is only one netflow-device pseudo device - everything ntop sees is
aggregated into that as if it were a single physical NIC.  If ntop sees the
flow twice, it will be counted twice.

-----Burton



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeff
Mandel
Sent: Monday, May 17, 2004 3:22 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] de-duplicating netflows from multiple devices


Hello,

I have a question about de-duplicating netflows from multiple devices.

I've been using ntop for netflow collection from a single router and I'm
just now starting to aggregate the netflow data from multiple sources.

When collecting netflows from several routers, how are duplicate flows
handled?

For example
+-------+    +-------+    +-------+    +-------+
| host1 |--> |Router1|--> |Router2|--> | host2 |
+-------+    +-------+    +-------+    +-------+

Router1 and Router2 are both sending to the same ntop collector.
+-------+    +---------+
|Router1|--> |Collector|
+-------+    +---------+
   ^
   |
+-------+
|Router2|
+-------+

When hosts 1 and 2 are talking, the same flow should be collected by
each router, then sent to the collector. The routers are cisco routers
sending v5 netflow data. Does the collector de-duplicate this?

Additionally, I was comparing ntop to another collector/analyzer from
crannog, who suggests you setup a different udp port on which to listen
for each router sending netflows to the collector. That seems to be it's
way of separating flows. It looks like ntop can only listen to one port.

Does ntop have a way to separate flows from different devices?
Does it matter?
Would you recommend separating the flows?


Thanks,

Jeff
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop



_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop



_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop

Reply via email to