Probably truncation ... In emitter.c, change this:

static void wrtLlongItm(FILE *fDescr, int lang, char* indent, char* name,
                        TrafficCounter value, char last, int numEntriesSent)
{
  char buf[80];

  /* value.value is a 64-bit counter; casting it to unsigned long and printing
     with %lu loses the high 32 bits wherever unsigned long is 32 bits wide */
  safe_snprintf(__FILE__, __LINE__, buf, sizeof(buf), "%lu",
                (long unsigned int)value.value);
  wrtStrItm(fDescr, lang, indent, name, buf, last, numEntriesSent);
}

To

static void wrtLlongItm(FILE *fDescr, int lang, char* indent, char* name,
                        TrafficCounter value, char last, int numEntriesSent)
{
  char buf[80];

  /* print the full 64-bit counter: the %llu conversion must be paired with an
     unsigned long long argument, so the cast is widened to match */
  safe_snprintf(__FILE__, __LINE__, buf, sizeof(buf), "%llu",
                (unsigned long long)value.value);
  wrtStrItm(fDescr, lang, indent, name, buf, last, numEntriesSent);
}

(%lu to %llu) and let us know.

-----Burton
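
To see what the %lu path does to a counter that has passed 2^32, here is an added example (not ntop's code) that emulates both format paths; it assumes TrafficCounter is a struct with a 64-bit member named value, as wrtLlongItm's use of value.value suggests, and it reproduces a 32-bit unsigned long with an explicit uint32_t cast so the result is the same on any host:

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption (added example, not ntop's code): TrafficCounter is modelled as
   a struct with a 64-bit .value, matching how wrtLlongItm reads value.value. */
typedef struct { uint64_t value; } TrafficCounter;

/* Original emitter path: cast to unsigned long, print with %lu. On a 32-bit
   build unsigned long is 32 bits, so the counter is reduced modulo 2^32
   before it ever reaches the dump. The uint32_t cast reproduces that
   32-bit behaviour regardless of the host's unsigned long width. */
static void fmt_truncated(TrafficCounter c, char *buf, size_t n) {
    snprintf(buf, n, "%lu", (unsigned long)(uint32_t)c.value);
}

/* Proposed fix: widen to unsigned long long and print with %llu. */
static void fmt_fixed(TrafficCounter c, char *buf, size_t n) {
    snprintf(buf, n, "%llu", (unsigned long long)c.value);
}

/* What a consumer of dumpData.html (the cron/wget job) reads back after the
   counter has gone through one of the two format paths. */
static uint64_t emitted_value(uint64_t v, int use_fix) {
    TrafficCounter c = { v };
    char buf[80];
    unsigned long long back = 0;
    if (use_fix) fmt_fixed(c, buf, sizeof buf);
    else         fmt_truncated(c, buf, sizeof buf);
    sscanf(buf, "%llu", &back);
    return (uint64_t)back;
}

int main(void) {
    /* Constructed sample: roughly 26.7 GB, the figure the browser showed. */
    uint64_t real = 28668793651ULL;
    printf("real counter        : %" PRIu64 "\n", real);
    printf("via %%lu  (32-bit)   : %" PRIu64 "  <- what lands in the dump\n",
           emitted_value(real, 0));
    printf("via %%llu            : %" PRIu64 "\n", emitted_value(real, 1));
    /* Every byte counter in the short dump is below 2^32 (4294967296), which
       is exactly what a wrapped 64-bit counter looks like. */
    return 0;
}
```

A wrapped value cannot be recovered from the dump alone, since the dump only shows the counter modulo 2^32; the browser page, which formats the 64-bit value directly, stays correct.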

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Shawn Wall
Sent: Wednesday, March 29, 2006 9:57 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] Amount of traffic displayed in data column compared to export
from ntopdump

Hi list,

OK, I've searched the archives, read the FAQ and consulted the contrib docs
and I haven't been able to find anything specific to this topic. If it is
there, I have missed it and I apologize in advance.

Anyway, here's my setup:

Ntop v3.2 from FreeBSD ports
FreeBSD 6.0-Release
libpcap 0.9.4
Startup cmd: ntop -w 0 -W 3000 -doncgm x.x.0.0/16 --skip-version-check -u ntop
Using netflow plugin, receiving v5 from Cisco 2621

Network topology

|----Net 1 x.x.x.0/24----|
                                  <--2924----2621----PIX---->www
|----Net 2 x.x.x.0/24----|  |
                                    |
                                   NTOP

Both net1 and net2 have the same 1st and 2nd octet. 

Everything works, ntop collects flows, reports usage, etc. Happy there. Now
I'm starting to use cron jobs to dump data from ntop using wget. E.g.

/usr/local/bin/wget -O /usr/local/etc/ntopdump/ntopdumptbl --no-check-certificate "https://admin:[EMAIL PROTECTED]:3000/dumpData.html?language=txt&view=short"

Here's where I'm running into trouble. I'll use a specific host to
illustrate my problem.

The output from the wget cmd above produces a file containing all the
specific data ntop has collected in short form:

key|hostResolvedName|pktSent|pktRcvd|ipBytesSent|ipBytesRcvd|bytesMulticastSent|pktMulticastSent|bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesRcvd|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|
x.x.x.x|x.x.x.x|32312562|33865785|3198778699|1752536103|0|0|0|0|3198778699|1752536103|3198778699|1752536103|0|0|2471215495|966711354|727117640|778779448|445564|7045301|

As I understand it, if I were to add the ipBytesSent and ipBytesRcvd that
should give me the total amount of data this host has sent and/or received.
Let's try:

ipBytesSent+ipBytesRcvd = 3198778699 + 1752536103 = 4951314802
4951314802 / 1073741824 (convert to GB) = 4.611271249 GB

In the browser, ntop reports 26.7 GB in the data column for this host, which
is an accurate reflection of the amount of traffic accumulated in all the
columns listed. The two totals are not even close.

Now I'll add in all the traffic counters and see if that gives me the same
total as the ntop browser:

ipBytesSent+ipBytesRcvd+bytesMulticastSent+bytesMulticastRcvd+tcpBytesSent+tcpBytesRcvd+udpBytesSent+udpBytesRcvd+icmpSent+icmpRcvd
(omitted bytesSent, bytesRcvd and the second set of ipBytesSent, ipBytesRcvd
since the values are identical to the first ipBytesSent and ipBytesRcvd)

3198778699 + 1752536103 + 2471215495 + 966711354 + 727117640 + 778779448 +
445564 + 7045301 = 9902629604 / 1073741824 = 9.222542498 GB

That's still not close at all. Now let's try using the long form of a dump.

key|index|hostNumIpAddress|hostResolvedName|firstSeen|lastSeen|minTTL|maxTTL|pktSent|pktRcvd|ipBytesSent|ipBytesRcvd|pktDuplicatedAckSent|pktDuplicatedAckRcvd|pktBroadcastSent|bytesMulticastSent|pktMulticastSent|bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesSentLoc|bytesSentRem|bytesRcvd|bytesRcvdLoc|bytesRcvdFromRem|actualRcvdThpt|lastHourRcvdThpt|averageRcvdThpt|peakRcvdThpt|actualSentThpt|lastHourSentThpt|averageSentThpt|peakSentThpt|actualTThpt|averageTThpt|peakTThpt|actualRcvdPktThpt|averageRcvdPktThpt|peakRcvdPktThpt|actualSentPktThpt|averageSentPktThpt|peakSentPktThpt|actualTPktThpt|averageTPktThpt|peakTPktThpt|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|tcpSentRem|udpSentLoc|udpSentRem|tcpRcvdLoc|tcpRcvdFromRem|udpRcvdLoc|udpRcvdFromRem|tcpFragmentsSent|tcpFragmentsRcvd|udpFragmentsSent|udpFragmentsRcvd|icmpFragmentsSent|icmpFragmentsRcvd|key|key|sentLoc|sentRem|rcvdLoc|rcvdFromRem|ethAddressString|

Same as before, this time I'm including every value that shows up in the
dump for the same host:

139.142.196.166|0|139.142.196.166|139.142.196.166|731748329|1143578455|0|0|32312373|33865636|3198770541|1752511588|68|5|32306679|0|0|0|0|3198770541|570053|3198200488|1752511588|788977|1751722611|9.07|4366.93|26843.82|2879347.25|9.05|2969.93|16714.95|2818646.00|18.12|43558.77|3465301.00|0.15|48.02|2993.75|0.18|45.82|3002.22|0.33|93.83|5995.97|3198770541|1752511588|0|0|2471209960|966691967|727115017|778774320|445564|7045301|2470950737|193398|726921619|59806|966632161|729171|778045149|0|0|0|0|0|0|IP|FTP|0|591132|0|242518|HTTP|5207|74858203|31804|1052500249|DNS|190942|230948|726668|896911|Telnet|0|13559|0|17754|Mail|0|13464|0|19802|DHCP-BOOTP|0|588|0|819|SNMP|0|1223|0|232|NNTP|0|15330|0|39091|NFS_AFS|0|1356|0|1803|VoIP|0|83680|0|83339|X11|0|390597|0|3843986|SSH|0|6114|0|5329|Gnutella|0|198342311|0|144756579|Kazaa|0|2614|0|2593|WinMX|0|28130|0|47069|eDonkey|0|2591421389|0|2816039360|BitTorrent|180|2668934660|259|3418157189|Messenger|0|53914106|0|77345222|securityPkts|0|0|4|1|1|0|0|0|0|0|20|12|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0||

I won't spell it out, but the total in GB = 21.45643944 GB. 

So what am I missing? How come I don't get the same totals as ntop reports
in the browser? 

I've also attached this email as a doc, since it will get mangled.
Shawn Wall

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
