On Thu, 2005-10-06 at 15:52 -0500, Rader, D. Alan wrote: > I set up the mirror/span to only look at two vlans which have maybe 50 > total PCs in them and it did not make a difference. The NIC ntop is > using is in the same vlan as all our servers. It does just fine > collecting data that way and there is a lot more traffic between all our > servers than there is to the internet. So I don't think it is an issue > of the hardware not being able to handle it. Plus it is a gig link > monitoring a 100mb link to our firewall. >
It's not so much the amount of traffic as the number of hosts involved. By default NTop stores data about each and every IP that passes its way. I can believe that it easily handles a high-bandwidth local LAN with relatively few hosts on it but falls over on a lower bandwidth link with buckets of hosts since RAM constrains the number of hosts it can track and you can't ever let it hit swap or it will die. > I did try using the -m and one subnet and it still hangs. I think my > usage was correct: ntop --no-mac -m 10.1.24.0/24 -w 10.1.12.20:3000 > Under show config it lists just the one subnet. It does not seem to > work though as I still see other subnets. > -m tells NTop what subnets are local, but does not constrain it to only monitor those hosts. It just helps the software know what is local vs remote. Use in conjunction with -g to only track local hosts. If it still falls over add -z. Session tracking is handy, but also a memory hog. -b may also help if you're still having trouble. > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of > Aaron Grewell > Sent: Thursday, October 06, 2005 2:47 PM > To: [email protected] > Subject: RE: [Ntop] Sessions Hanging > > On Thu, 2005-10-06 at 14:18 -0500, Rader, D. Alan wrote: > > After more testing, it looks like whenever I watch a mirror port is > > when this happens. I have tried all the below switches: > > > > --no-mac > > -n > > --numeric-ip-addresses > > --no-promiscuous > > > > None of which made a difference. It doesn't matter if I mirror a > > single vlan, or all traffic it causes sessions to hang. If I just > > watch the traffic in the subnet that em1 is in, everything is fine. > > It doesn't do me any good if I can't watch all traffic coming and > > going to/from the Internet. Any ideas? > > > > Are you sure you have enough hardware? My traffic is mostly in the 10MB > range, with spikes up to 30 or so. On my 2x866MHz Xeon w/2GB RAM I had > to restrict NTop pretty substantially to keep it up at all when watching > our WAN link. Defining --local-subnets and then using > --track-local-hosts to only watch those hosts in depth made the biggest > difference, but it took the whole package in order to reach relative > stability. It still crashes from time to time, but nowhere near as > frequently as before. Here are the performance-related switches I use: > > --local-subnets > --no-mac > --track-local-hosts > --disable-sessions > --no-fc > --disable-decoders > > > HTH, > -Aaron > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > -------------------------------------------- > ATTENTION: > > To ensure compliance with applicable Internal Revenue Service Regulations, > we inform you that any tax advice contained in this electronic message was > not intended or written to be used, and cannot be used, for the purpose of > avoiding penalties under the Internal Revenue Code. > > This message and all attachments are PRIVATE, and may contain > information that is CONFIDENTIAL and PRIVILEGED. > If you received this message in error, please notify the sender by reply > e-mail and delete the message immediately. > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
