Hi list, OK, I've searched the archives, read the FAQ and consulted the contrib docs and I haven't been able to find anything specific to this topic. If it is there, I have missed it and I apologize in advance.
Anyway, here's my setup:
Ntop v3.2 from FreeBSD ports
FreeBSD 6.0-Release
Libcap 0.9.4
Startup cmd: ntop -w 0 -W 3000 -doncgm x.x.0.0/16 --skip-version-check -u ntop
Using netflow plugin, receiving v5 from Cisco 2621
Network topology

        |----Net 1 x.x.x.0/24----|
     <--2924----2621----PIX---->www
        |----Net 2 x.x.x.0/24----|
                    |
                    |
                   NTOP
Both net1 and net2 have the same 1st and 2nd octet.
Everything works, ntop collects flows, reports usage, etc. Happy there. Now
I'm starting to use cron jobs to dump data from ntop using wget. E.g.
/usr/local/bin/wget -O /usr/local/etc/ntopdump/ntopdumptbl --no-check-certificate "https://admin:[EMAIL PROTECTED]:3000/dumpData.html?language=txt&view=short".
Here's where I'm running into trouble. I'll use a specific host to
illustrate my problem.
The output from the wget cmd above produces a file containing all the
specific data ntop has collected in short form:
key|hostResolvedName|pktSent|pktRcvd|ipBytesSent|ipBytesRcvd|bytesMulticastSent|pktMulticastSent|bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesRcvd|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|
x.x.x.x|x.x.x.x|32312562|33865785|3198778699|1752536103|0|0|0|0|3198778699|1752536103|3198778699|1752536103|0|0|2471215495|966711354|727117640|778779448|445564|7045301|
As I understand it, if I were to add the ipBytesSent and ipBytesRcvd that
should give me the total amount of data this host has sent and/or received.
Let's try:
ipBytesSent+ipBytesRcvd = 3198778699 + 1752536103 = 4951314802 /1073741824 (convert to GB) = 4.611271249 GB
In the browser, ntop reports 26.7 GB in the data column for this host, which
is an accurate reflection of the amount of traffic accumulated in all the
columns listed. The two totals are not even close.
Now I'll add in all the traffic counters and see if that gives me the same
total as the ntop browser:
ipBytesSent+ipBytesRcvd+bytesMulticastSent+bytesMulticastRcvd+tcpBytesSent+tcpBytesRcvd+udpBytesSent+udpBytesRcvd+icmpSent+icmpRcvd (omitted bytesSent, bytesRcvd and the second set of ipBytesSent, ipBytesRcvd since the values are identical to the first ipBytesSent and ipBytesRcvd)
3198778699 + 1752536103 + 2471215495 + 966711354 + 727117640 + 778779448 + 445564 + 7045301 = 9902629604 /1073741824 = 9.222542498 GB
That's still not close at all. Now let's try using the long form of a dump.
key|index|hostNumIpAddress|hostResolvedName|firstSeen|lastSeen|minTTL|maxTTL|pktSent|pktRcvd|ipBytesSent|ipBytesRcvd|pktDuplicatedAckSent|pktDuplicatedAckRcvd|pktBroadcastSent|bytesMulticastSent|pktMulticastSent|bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesSentLoc|bytesSentRem|bytesRcvd|bytesRcvdLoc|bytesRcvdFromRem|actualRcvdThpt|lastHourRcvdThpt|averageRcvdThpt|peakRcvdThpt|actualSentThpt|lastHourSentThpt|averageSentThpt|peakSentThpt|actualTThpt|averageTThpt|peakTThpt|actualRcvdPktThpt|averageRcvdPktThpt|peakRcvdPktThpt|actualSentPktThpt|averageSentPktThpt|peakSentPktThpt|actualTPktThpt|averageTPktThpt|peakTPktThpt|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|tcpSentRem|udpSentLoc|udpSentRem|tcpRcvdLoc|tcpRcvdFromRem|udpRcvdLoc|udpRcvdFromRem|tcpFragmentsSent|tcpFragmentsRcvd|udpFragmentsSent|udpFragmentsRcvd|icmpFragmentsSent|icmpFragmentsRcvd|key|key|sentLoc|sentRem|rcvdLoc|rcvdFromRem|ethAddressString|
Same as before, this time I'm including every value that shows up in the
dump for the same host:
139.142.196.166|0|139.142.196.166|139.142.196.166|731748329|1143578455|0|0|32312373|33865636|3198770541|1752511588|68|5|32306679|0|0|0|0|3198770541|570053|3198200488|1752511588|788977|1751722611|9.07|4366.93|26843.82|2879347.25|9.05|2969.93|16714.95|2818646.00|18.12|43558.77|3465301.00|0.15|48.02|2993.75|0.18|45.82|3002.22|0.33|93.83|5995.97|3198770541|1752511588|0|0|2471209960|966691967|727115017|778774320|445564|7045301|2470950737|193398|726921619|59806|966632161|729171|778045149|0|0|0|0|0|0|IP|FTP|0|591132|0|242518|HTTP|5207|74858203|31804|1052500249|DNS|190942|230948|726668|896911|Telnet|0|13559|0|17754|Mail|0|13464|0|19802|DHCP-BOOTP|0|588|0|819|SNMP|0|1223|0|232|NNTP|0|15330|0|39091|NFS_AFS|0|1356|0|1803|VoIP|0|83680|0|83339|X11|0|390597|0|3843986|SSH|0|6114|0|5329|Gnutella|0|198342311|0|144756579|Kazaa|0|2614|0|2593|WinMX|0|28130|0|47069|eDonkey|0|2591421389|0|2816039360|BitTorrent|180|2668934660|259|3418157189|Messenger|0|53914106|0|77345222|securityPkts|0|0|4|1|1|0|0|0|0|0|20|12|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||
I won't spell it out, but the total in GB = 21.45643944 GB.
So what am I missing? How come I don't get the same totals as ntop reports
in the browser?
I've also attached this email as a doc, since it will get mangled.
Shawn Wall
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
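An added example, not part of the post above and not ntop's own code: a small Python parser for the dumpData.html?language=txt output that maps the pipe-separated columns by name, splits the long form's per-protocol tail into groups, and runs two checks on the numbers the post quotes. The sample input is the post's own short-form and long-form header and row for the one host, unwrapped; treating the second "key" column as the start of a repeated per-protocol template (key|key|sentLoc|sentRem|rcvdLoc|rcvdFromRem) is an inference from the header layout, not something ntop documents. The checks: tcpBytes+udpBytes+icmp equals ipBytes in each direction for both rows, so the "add every counter" total in the post counts the same bytes two or three times over; and the per-protocol sums (BitTorrent alone comes to about 6.09e9 bytes) exceed bytesSent+bytesRcvd for the same host, so the per-protocol counters cannot be a breakdown of bytesSent/bytesRcvd, which is worth raising on the list alongside the 26.7 GB question.

```python
"""Parse an ntop 3.x dumpData.html?language=txt dump and sanity-check its byte
counters. Added example, not code from the post or from ntop."""
GIB = 1024 ** 3  # the post converts with 1073741824

# Constructed input: the post's own short-form header and row, unwrapped.
SHORT_DUMP = (
    "key|hostResolvedName|pktSent|pktRcvd|ipBytesSent|ipBytesRcvd|bytesMulticastSent|pktMulticastSent|"
    "bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesRcvd|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|"
    "tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|\n"
    "x.x.x.x|x.x.x.x|32312562|33865785|3198778699|1752536103|0|0|0|0|3198778699|1752536103|3198778699|"
    "1752536103|0|0|2471215495|966711354|727117640|778779448|445564|7045301|\n"
)
# Constructed input: the post's long-form header and row, unwrapped (the trailing
# securityPkts zero run is written as a repeat so the count stays exact).
LONG_DUMP = (
    "key|index|hostNumIpAddress|hostResolvedName|firstSeen|lastSeen|minTTL|maxTTL|pktSent|pktRcvd|"
    "ipBytesSent|ipBytesRcvd|pktDuplicatedAckSent|pktDuplicatedAckRcvd|pktBroadcastSent|bytesMulticastSent|"
    "pktMulticastSent|bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesSentLoc|bytesSentRem|bytesRcvd|"
    "bytesRcvdLoc|bytesRcvdFromRem|actualRcvdThpt|lastHourRcvdThpt|averageRcvdThpt|peakRcvdThpt|"
    "actualSentThpt|lastHourSentThpt|averageSentThpt|peakSentThpt|actualTThpt|averageTThpt|peakTThpt|"
    "actualRcvdPktThpt|averageRcvdPktThpt|peakRcvdPktThpt|actualSentPktThpt|averageSentPktThpt|"
    "peakSentPktThpt|actualTPktThpt|averageTPktThpt|peakTPktThpt|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|"
    "tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|tcpSentRem|udpSentLoc|udpSentRem|"
    "tcpRcvdLoc|tcpRcvdFromRem|udpRcvdLoc|udpRcvdFromRem|tcpFragmentsSent|tcpFragmentsRcvd|udpFragmentsSent|"
    "udpFragmentsRcvd|icmpFragmentsSent|icmpFragmentsRcvd|key|key|sentLoc|sentRem|rcvdLoc|rcvdFromRem|ethAddressString|\n"
    "139.142.196.166|0|139.142.196.166|139.142.196.166|731748329|1143578455|0|0|32312373|33865636|"
    "3198770541|1752511588|68|5|32306679|0|0|0|0|3198770541|570053|3198200488|1752511588|788977|1751722611|"
    "9.07|4366.93|26843.82|2879347.25|9.05|2969.93|16714.95|2818646.00|18.12|43558.77|3465301.00|0.15|48.02|"
    "2993.75|0.18|45.82|3002.22|0.33|93.83|5995.97|3198770541|1752511588|0|0|2471209960|966691967|"
    "727115017|778774320|445564|7045301|2470950737|193398|726921619|59806|966632161|729171|778045149|"
    "0|0|0|0|0|0|IP|FTP|0|591132|0|242518|HTTP|5207|74858203|31804|1052500249|DNS|190942|230948|726668|896911|"
    "Telnet|0|13559|0|17754|Mail|0|13464|0|19802|DHCP-BOOTP|0|588|0|819|SNMP|0|1223|0|232|NNTP|0|15330|0|39091|"
    "NFS_AFS|0|1356|0|1803|VoIP|0|83680|0|83339|X11|0|390597|0|3843986|SSH|0|6114|0|5329|"
    "Gnutella|0|198342311|0|144756579|Kazaa|0|2614|0|2593|WinMX|0|28130|0|47069|eDonkey|0|2591421389|0|2816039360|"
    "BitTorrent|180|2668934660|259|3418157189|Messenger|0|53914106|0|77345222|securityPkts|0|0|4|1|1|0|0|0|0|0|20|12|"
    + "0|" * 32 + "|\n"
)

def _num(tok):
    """int or float when the token is numeric, otherwise the raw string."""
    for conv in (int, float):
        try:
            return conv(tok)
        except ValueError:
            pass
    return tok

def _split(line):
    return line.rstrip("|").split("|")  # rows end in '|' (the long form in '||')

def parse_record(header, row):
    """Map named columns positionally, then parse the per-protocol tail.
    Assumption (inferred from the header, not documented by ntop): the trailing
    key|key|sentLoc|sentRem|rcvdLoc|rcvdFromRem is a template the row repeats once
    per protocol, so the second 'key' marks the end of the fixed columns."""
    try:
        fixed = header.index("key", 1)
    except ValueError:  # short form: no protocol tail
        fixed = len(header)
    fields = {}
    for name, tok in zip(header[:fixed], row[:fixed]):
        val = _num(tok)
        if name in fields and fields[name] != val:  # ipBytesSent/Rcvd appear twice
            raise ValueError("duplicate column %s disagrees: %r vs %r" % (name, fields[name], val))
        fields[name] = val
    protocols, current = {}, None
    for tok in row[fixed:]:
        val = _num(tok)
        if isinstance(val, str):  # a protocol name opens a new counter group
            current, protocols[val] = val, []
        elif current is not None:
            protocols[current].append(val)
    return fields, protocols

def parse_dump(text):
    lines = [l for l in text.splitlines() if l.strip()]
    header = _split(lines[0])
    return [parse_record(header, _split(l)) for l in lines[1:]]

def total_bytes(fields):
    """Host-level sent+received bytes, the first figure the post computes."""
    return fields["bytesSent"] + fields["bytesRcvd"]

def breakdown_consistent(fields):
    """True when tcp+udp+icmp equals ipBytes in each direction, i.e. the protocol
    counters are a partition of ipBytes and adding them on top double-counts."""
    sent = fields["tcpBytesSent"] + fields["udpBytesSent"] + fields["icmpSent"]
    rcvd = fields["tcpBytesRcvd"] + fields["udpBytesRcvd"] + fields["icmpRcvd"]
    return sent == fields["ipBytesSent"] and rcvd == fields["ipBytesRcvd"]

def protocol_bytes(protocols):
    """sentLoc+sentRem+rcvdLoc+rcvdFromRem for every group that carries four counters."""
    return {p: sum(v) for p, v in protocols.items() if len(v) == 4}

if __name__ == "__main__":
    for label, dump in (("short", SHORT_DUMP), ("long", LONG_DUMP)):
        for fields, protocols in parse_dump(dump):
            print(label, fields["key"], "bytes", total_bytes(fields),
                  "= %.3f GiB" % (total_bytes(fields) / GIB), "breakdown ok:", breakdown_consistent(fields))
            for proto, n in sorted(protocol_bytes(protocols).items(), key=lambda kv: -kv[1])[:3]:
                print("   ", proto, n, "= %.3f GiB" % (n / GIB))
```

Point it at the file the cron job already writes (parse_dump(open(path).read())) rather than fetching inside the script; that keeps the admin password off a command line, where the wget invocation in the post leaves it visible to ps while it runs, and the --no-check-certificate flag means that fetch will also accept any certificate the server presents.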
