No, but it does mean that - unlike a small or home network - you can't simply put an unfiltered ntop up and expect it to pick out what you want out of the vast stream of data that passes by.
You do need to look at the options, such as --track-local-hosts and the -B filter and grab only what's meaningful. What's meaningful? We can't answer that - it's going to depend on what you need to see to meet your needs.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Hill
Sent: Tuesday, May 24, 2005 1:25 PM
To: [email protected]
Subject: RE: [Ntop] lost collected data after reboot

Does this mean in the unpredictable world of the ISP, where you don't know what the source addresses are going to be, we shouldn't use NTOP for traffic analysis?

I am now only looking at local hosts which still gives me valuable information, but no details of where my traffic is going. This config will mean a DDOS attack won't kill the box.

Gaz

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Burton Strauss
Sent: 24 May 2005 12:39
To: [email protected]
Subject: RE: [Ntop] lost collected data after reboot

Nope you have not misunderstood.

Really read the entries in docs/FAQ - you'll soon figure out that while each individual HostTraffic entry is small, if there are enough of them you'll swamp real memory.

The OS is happy to let you page virtual memory, but remember: ntop's processing includes top-n and periodic throughput calculations, which require visiting every HostTraffic entry. While you might think it doesn't take long to swap in a page of memory, consider what happens when you need to swap in GBs...

So while it's theoretically feasible, routinely depending upon swap space is suicidal.

You should implement filtering and use ntop's options so that you live within your available memory. And of course, ntop should be the only 'user' process running on the box.
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Hill
Sent: Monday, May 23, 2005 1:07 PM
To: [email protected]
Subject: RE: [Ntop] lost collected data after reboot

All,

Regarding NTOP collection via memory. Does this mean that under certain network conditions like a DDOS (something we've seen) most NTOP servers are going to lock up as the memory usage will be crippled? That's if the DDOS attack is sending lots of small packets with different source addresses?

Could NTOP not do some of this to disk to avoid such problems? It's a lot easier to put a big disk in a server than 50GB RAM.

Apologies if I've misunderstood something, I'm pretty new to NTOP.

Gaz

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Burton Strauss
Sent: 23 May 2005 16:41
To: [email protected]
Subject: RE: [Ntop] lost collected data after reboot

The cvs version has a page which will create a graph of an arbitrary rrd version (this will be in ntop 3.2). Or you can always use rrdtools.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smirnov, Sergey
Sent: Monday, May 23, 2005 10:18 AM
To: [email protected]
Subject: Re: [Ntop] lost collected data after reboot

I read http://www.ntop.org/faq.txt and don't know where the current FAQ is.
Ok. I found that ntop can store data in RRD. But how can I load it to use in ntop?

Burton Strauss wrote:

> READ the current FAQ, not some old version...
>
> TOP 10 - the questions everyone asks...
>
> Q1(a). Can I store data in a SQL database?
> Q1(b). When ntop stops I lose all my data. Why?
> Q1(c). Why doesn't the -S option work?
>
> A. ntop used to optionally store some data in a SQL database. The code was broken, difficult to maintain, etc. and was removed. A LONG TIME AGO.
> If you are reading about this in 'some' documentation - update.
>
> Current ntop is 3.1, which is the only version we support.
>
> There are scripts that various users have offered to take the data dump and insert it into a SQL database. Search the back traffic on the mailing list for them.
>
> Yes, ntop uses memory based structures to hold usage data and they are lost when you reset or restart ntop.
>
> Persistent storage is in the RRD databases - there's a paper @ SourceForge that explains them.
>
> There was another option for some persistence - it was -S - look down about 5K lines in this FAQ for an article about it, "What was the -S option?".
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smirnov, Sergey
> Sent: Monday, May 23, 2005 8:40 AM
> To: [email protected]
> Subject: Re: [Ntop] lost collected data after reboot
>
> ...
> Q. I start ntop with "-S 2" in order to store traffic statistics. Unfortunately when I restart ntop the stats are gone. What's wrong?
> A. "-S" enables ntop to store on the disk host traffic statistics.
> ...
>
> Unfortunately ntop has not -S options
>
> Burton Strauss wrote:
>
>>You don't lose data... It's safely in the rrds. Oh, you mean you haven't read the FAQ???
>>
>>-----Burton
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smirnov, Sergey
>>Sent: Monday, May 23, 2005 6:44 AM
>>To: [email protected]
>>Subject: [Ntop] lost collected data after reboot
>>
>>What should I do to prevent lost collected data after server reboot?
>>--
>>Sergey Smirnov
>>UNIX System Administrator of System Department Transas Group
>>_______________________________________________
>>Ntop mailing list
>>[email protected]
>>http://listgateway.unipi.it/mailman/listinfo/ntop
>
> --
> Sergey Smirnov
> UNIX System Administrator of System Department Transas Group

--
Sergey Smirnov
UNIX System Administrator of System Department Transas Group
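
A simplified model of the memory point discussed in this thread, added here as an example (it is not ntop code and not from any poster): a per-host table grows by one entry for every distinct source address seen, while tracking only local hosts keeps it bounded. The subnet, addresses, the `HostTable` class and the single `other-hosts` bucket are assumptions made for illustration.

```python
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local subnet (documentation range)
VICTIM = "192.0.2.10"                              # assumed local host receiving the flood
OTHER = "other-hosts"                              # assumed single bucket for non-local hosts


def constructed_flood(n_packets):
    """Constructed sample traffic: 64-byte packets, each from a different source."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    for i in range(n_packets):
        yield str(ipaddress.ip_address(base + i)), VICTIM, 64


class HostTable:
    """Per-host counters held in memory, one entry per tracked address."""

    def __init__(self, local_only):
        self.local_only = local_only
        self.entries = {}  # key -> [bytes_sent, bytes_received]

    def _key(self, addr):
        # In local-only mode every non-local address shares one entry.
        if self.local_only and ipaddress.ip_address(addr) not in LOCAL_NET:
            return OTHER
        return addr

    def account(self, src, dst, size):
        self.entries.setdefault(self._key(src), [0, 0])[0] += size
        self.entries.setdefault(self._key(dst), [0, 0])[1] += size

    def top_n(self, n):
        # Ranking has to visit every entry, so its cost follows the table size.
        ranked = sorted(self.entries.items(), key=lambda kv: sum(kv[1]), reverse=True)
        return ranked[:n]


def run(n_packets, local_only):
    table = HostTable(local_only)
    for src, dst, size in constructed_flood(n_packets):
        table.account(src, dst, size)
    return table


if __name__ == "__main__":
    for mode in (False, True):
        t = run(50_000, local_only=mode)
        print(f"local_only={mode}: {len(t.entries)} entries, top={t.top_n(1)[0][0]}")
```

The trade-off is the one raised in the thread: in local-only mode the table stays at two entries regardless of how many sources appear, but the per-destination detail for remote hosts is gone.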
