Filter, filter, filter... Without filtering, you are going to be creating host records for every stinking IP address any of your internal users tries to contact and for every stinking IP address that tries to contact you. Every port scan, P2P user, cracker, phisher and legit user. There are reports that some P2P systems can decide a well-connected host may have contacts w/ 40K others...
Is it any wonder you can't buy enough memory? Once ntop starts to swap, you are dead. So you need to filter (and/or use options like --track-local-hosts) to limit what you are recording to what you can 'afford'. Read the articles in docs/FAQ and here in the back traffic - we have discussed this before, esp. WRT Miami Dade Schools - look for Benny Horta's messages. -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Williams Sent: Wednesday, December 01, 2004 9:37 AM To: [EMAIL PROTECTED] Subject: Re: [Ntop] HTTP Crashes after period of time I'm sorry, I didn't really qualify my question. I'm monitoring a 45mbps link with ntop. At any time it's approximately using 27mbps. I want to monitor it with NTOP. I would like ntop to gather historical data also. My question is, in this scenario, are there are configuration options that may be beneficial or recommendations you can make to ensure ntop doesn't crash or easily run out of resources. Thanks. --- Rob Williams <[EMAIL PROTECTED]> wrote: > What would be the recommended configuration for running non-stop > indefinately. > > ie. configuration and mem > > --- "Kaczmarek, Thaddeus" <[EMAIL PROTECTED]> > wrote: > > > > On Dec 01, 2004 09:37 AM, Rob Williams <[EMAIL PROTECTED]> wrote: > > > > >Hi, > > > > > >I've installed NTOP 3.0-1.1.fc2.dag rpm on a FC2 > > box.. > > >500Mhz CPU, 512Mb Ram, . I know this machine definately isn't > > >state-of-the-art, however this > is > > the > > >type of boxes that I have access to for > monitoring > > >purposes. > > > > > >The install and setup of NTOP was smooth and it reports great data, > > >however after a period of > time, > > I > > >get the following message: > > >"kernel: Out of Memory: Killed process 3621 (ntop)" > > > > > >If I do a ps -ef | grep ntop, i see that ntop is > > still > > >running, however the HTTP process seems to have > > been > > >killed for memory reasons. > > > > > >This seems to happen while I'm surfing the stats > - > > >obvious correlation. > > > > > >Any help provided would be appreciated. I will upgrade to CVS if > > >necessary, however this is a > > remote > > >box and it's not my first choice. > > > > > >Thanks. > > >Rob > > > > What does "free" tell you? > > If you are out of swap that makes perfect sense, > if > > not you may have > > disk IO issues or > > just hit some starving condition. I run tests on a laptop with 3.0 > > gig cpu, 512 megs and 1 gig of swap, 7200 rpm drive on FC3 and don't > > have this issue, loads go way up and I am usning sticky-hosts, but > > don't run for more than 6-8 > hours > > at a time. > > > > Also make sure you are not using sticky-hosts, unless you have > > minimal traffic that will never fly with 512mb. > > > > Ted > > DISCLAIMER > > > > This e-mail, and any attachments thereto, is intended only for use > > by the > > addressee(s) named herein and may contain legally privileged and/or > > confidential information. If you are not the intended recipient of > > this e-mail, you are hereby notified that any dissemination, > > distribution or copying of this e-mail, and any attachments > thereto, > > is strictly prohibited. > > If you have received this e-mail in error, please immediately notify > > me and permanently delete the original and any copy of > any > > e-mail and any printout > > thereof. > > > > E-mail transmission cannot be guaranteed to be secure or error-free. > > The sender therefore does not accept liability for any errors or > > omissions in the contents of this message which arise as a > result > > of e-mail transmission. > > REGARDING PRIVACY AND CONFIDENTIALITY Crown Financial Group may, at > > its discretion, monitor and review the content of all e-mail > > communications. > > > > > > > > > BEGIN:VCARD > > VERSION:2.1 > > N:Kaczmarek;Ted;; > > FN:Ted Kaczmarek > > ORG:Crown Financial Group Inc.; > > NOTE:tkaczmar > > TEL;WORK;VOICE: > > TEL;CELL;VOICE: > > TEL;PAGER;VOICE: > > TEL;WORK;FAX: > > ADR;WORK:;;;;;;Tuxworld > > LABEL;WORK;ENCODING=QUOTED-PRINTABLE:=0D=0A, > > =0D=0AD > > URL;WORK: > > EMAIL;PREF;INTERNET:[EMAIL PROTECTED] > > MAILER:OPEN-XCHANGE > > END:VCARD > > > _______________________________________________ > > Ntop mailing list > > [EMAIL PROTECTED] > > http://listgateway.unipi.it/mailman/listinfo/ntop > > > _______________________________________________ > Ntop mailing list > [EMAIL PROTECTED] > http://listgateway.unipi.it/mailman/listinfo/ntop > _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
