Hi - Apologies if this is a little long winded.
I've been playing around with NTOP now for a couple of weeks. I'm still seeing performance problems, and I'd like to know if NTOP and my hardware are up to the job or if I should take a different approach.
My network traffic levels (on this particular connection) are between 10 and 40mg of internet traffic
Packet rates range from 2000 to 5000 pps
PF_RING patch has been compiled into the kernel and LIBPCAP, and I'm seeing RING messages in the NTOP log (so it seems to be working fine)
I've been running NTOP version 3.0 and 3.1 - 3.0 seems to perform better than 3.1 in terms of lost traffic.
My local hosts are two networks. x.x.x.x / 20 and x.x.x.x / 19 - about 8500 hosts.
NTOP is started with the following options :-
ntop -K -u ntop -g -b -d -w 3000 -r 60 -m x.x.x.x/20,x.x.x.x/19 -i eth0 -o -n -z -B "dst net x.x.x.x/20 or dst net x.x.x.x/19"
I'm only interested in traffic coming into my network, and I don't care about remote hosts or the type of traffic. (Can I filter the protocol information out?)
With this config NTOP seems pretty stable (under V3.0); the Network Load stats from NTOP match the traffic levels of the GigE port that I'm mirroring. V3.1 is not stable and, without any additional functions like RRD, produces the same results as below.
What I'd like to do is log data for every host on my network (all 8500 hosts). I am only interested in PPS and Bytes Recv. I've started the RRD plugin and asked it to record data for all hosts.
At this point I'm starting to see problems :-
Libpcap drops are very high. I know I shouldn't click the update button very often as this generates drops, but I am still getting drops as the network load stats do not match the monitoring I'm doing of the switch port. I check the drops every few hours and the drops have been growing. (These drops don't make sense sometimes as they are over 100% even though I know the box hasn't had that many PPS sent to it.)
Does anyone know how I can get RRD to just record PPS and bytes, which might save some resource?
Under these conditions the NTOP process is only using 22% memory and 1-2% processor.
Can anyone suggest how I can improve performance and get a reliable traffic monitor? I'd also like to know how I can monitor dropped packets without making the call to LIBPCAP stats which causes these drops. I need to know if I'm getting all the data or not.
If I can solve this problem I'm hoping to use the RRDs to measure bandwidth and PPS thresholds across this part of my network.
Thanks.....
_______________________________________________
Ntop mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop
