Not true ... ntop 3.1 supports multiple netFlow devices.
 
Each pseudo-device can be configured to receive on a separate port (that's the only meaningful configuration).  Each configured port is treated as a separate 'device'.  ntop receives the flows and accumulates counts in separate 'devices' and, just like any other situation, you select one at a time for reporting.  The trick is in the configuration...
 
If the router(s) support it, you simply direct the flows (perhaps both ports to the same destination to work around the ingress question) to separate destination ports on the ntop host.   If the routers won't support alternate destination port numbers, you need to get sneaky - use flow-tools (http://www.splintered.net/sw/flow-tools/) on yet another box.
 
Is it efficient? Probably not...
 
-----Burton


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore
Sent: Tuesday, February 15, 2005 9:26 AM
To: [email protected]
Subject: RE: [Ntop] NetFlow Multiple Routers Multiple Interfaces

In short, Ntop won't do what you want to do in question 1.
 
At present, Ntop won't break the info out according to interface the NetFLow info was collected on. I have had some discussions with Luca about providing this functionality for sFlow but I don't know if he has done any work on this.or not. If it could be configured, you could send NetFlows from each interface to a different destination port, but I don't think Cisco provides this functionality. Nor do I know if NetFlow provides interface info along with the flows. One additional complication is that, at least on Cisco devices, NetFlow only collects stats on ingress packets. e.g. on a 2 interface router Netflow must be configured for both interfaces to see both sides of the conversations. So in your example below, each virtual device would only be seeing one side of the conversations.
 
In response to your second question, you set the virtual address to one on the network you wish to be "local". I don't know how you might want to set this on your system. One approach is to run more than one Ntop for your Netflow destinations, so you have a bit more configuration control on what is considered local and what is considered remote.
 
BTW, InMon Traffic Server does exactly what you want, but warns that some Netflow implementations do not provide interface info along with the flows. In any case, IIRC monitoring your two routers with Traffic Server would run you something like $30k!
 
Chris

_____________________________________________
Chris Moore
Senior Network Engineer
Guardian Mortgage Documents

303-942-2019
[EMAIL PROTECTED]

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Hoffswell
Sent: Tuesday, February 15, 2005 7:03 AM
To: [email protected]
Subject: [Ntop] NetFlow Multiple Routers Multiple Interfaces

Good day to you -
 
I'm a ntop newbie, but am not seeing documention or list conversations that clairify this well.
 
I have two WAN routers with multiple serial interfaces, terminating wan links to serveral sites.
 
I have ntop 3.1 running with the NetFlow plugin working.  I have two Netflow devices created, each sending the flows to ntop on a separate port (2055 and 2056).
 
I have my routers configured to create flows on some of the serial interfaces.
 
All looks pretty good.
 
Question 1: How do I view traffic on a per-interface basis?  My configuration seems to put all flows for a router into the one Netflow device instance in ntop.  
 
Instead of:
 
NetFlow-router.1 = NetFlow-device.1
NetFlow-router.2 = NetFlow-device.2
 
I would like to see, I think:
 
NetFlow-router1-serial.1 = NetFlow-device.1
NetFlow-router1-serial.2 = NetFlow-device.2
NetFlow-router1-serial.3 = NetFlow-device.3
NetFlow-router2-serial.1 = NetFlow-device.4
NetFlow-router2-serial.2 = NetFlow-device.5
NetFlow-router2-serial.3 = NetFlow-device.6
Question 2:  What should I set my Virtual NetFlow Interface Network Address to?
This may be the answer to question one.  The serial interfaces are just tiny ip networks to define the wan link.  They don't really define "local traffic"
Here's a single remote site example:
Serial link, wan router:  10.200.1.45/30
Ether link to lan router: 10.12.2.1/24
Lan 1 10.12.12.1/23
Lan 2 10.12.12.1/23
Lan 3 10.12.50.1/24
Lan 4 10.12.51.1/24
etc.
These networks are 1 (wan) or 2 (lan) hops away from the netflow core wan router.  In this case, how would I define "local traffic" on the core wan router netflow setup in ntop?
Thanks!
 
 
 
Pardon my limited understanding of both ntop and NetFlow.  I have a feeling I'm barking up the wrong tree on this.  Can someone help me out?
 
Thanks!
 
 


Pete Hoffswell 616-732-1101 (Grand Rapids, x1101)
University LAN/WAN Coordinator 616-510-1198 (Mobile)
IT Services [EMAIL PROTECTED]
Davenport University http://www.davenport.edu

-=-=- LAN/WAN services: http://networker.davenport.edu -=-=-




**********************************************************************
Confidential/Proprietary Note

The information in this email is confidential and may be legally privileged. Access to this email by anyone other than the intended addressee is unauthorized. If you are not the intended recipient of this message, any review, disclosure, copying, distribution, retention, or any action taken or omitted to be taken in reliance on it is prohibited and may be unlawful. If you are not the intended recipient, please reply to or forward a copy of this message to the sender and delete the message, any attachments, and any copies thereof from your system. Thank you.
Guardian Mortgage Documents, Inc.
225 Union Boulevard, Suite 200
Lakewood, CO 80228.
**********************************************************************
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

Reply via email to