Hi Burton,

 

First, thanks for replying, but I did forget to tell you that there are no discarded flows. In the Netflow stats all counters are 0.

 

Number of Flows with Zero Packet Count 0

Number of Flows with Zero Byte Count 0

Number of Flows with Zero Bad Data 0

Number of Flows with Zero Unknown Template 0

 

Mike.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Friday, 9 September 2005 14:02
To: [email protected]
Subject: RE: [Ntop] missing flow data

 

First, try checking the stats in the netFlow plugin to see why flows are being dropped.  It's most likely port 0 flows (non tcp/ip) stuff...

 

-----Burton

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goor, M. van, (ITBE)
Sent: Friday, September 09, 2005 4:02 AM
To: [email protected]
Subject: [Ntop] missing flow data

Hello,

 

I have a Cisco 6509 which is configured to do netflow. This stream gets to a machine where flow-tools captures it. This has been checked and at this point the flow is complete. Then I use flow-tools to export it (via flow-fanout) to my ntop box. (Yes, after the testing is done, the box capturing will get installed with nProbe; this cannot be done now, because both mirror ports on the switch are used.)

 

So far so good. On the ntop machine (which is a dual P4 Xeon HTT; Linux sees 4 procs and 5GB RAM installed) I tested with flow-tools to check if the stream got over correctly. This happened. The capture on the capture machine was identical to the capture on the ntop machine. After this I had high hopes for ntop, thus I installed cvs. Cranked it up and set the netflow module to capture the stream. So far everything works great, but ntop misses about 40% of the stream. Now since flow-tools got the stream okay and was able to dump it to the hard drive without using any CPU time or a big deal of memory, I thought ntop should be working great as well.

 

Obviously I was wrong. The CPU isn’t spiking above 100% utilization and memory is available enough for ntop to be used. This leads me to my question: what could I try to improve the flows that ntop receives? I would very much like to get a 0% drop or, if it is inevitable, no more than 0.1%. Any advice would be greatly appreciated. I’ll give you an idea how many flows I get per second:

 

Average flows / second (flow)   : 588.9946

Average flows / second (real)   : 726.2820

 

This is done with flow-stat on the dumped data flow-capture gives.

 

Would PF_RING improve ntop performance, or is it a buffer in ntop I need to expand? Or does ntop still use libpcap to get the stream, in which case PF_RING could help a great deal?

 

Thanks in advance,

Mike van Goor.

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
