I made the change, recompiled etc. Now the output is:

key|hostResolvedName|pktSent|pktRcvd|ipBytesSent|ipBytesRcvd|bytesMulticastSent|pktMulticastSent|bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesRcvd|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|
x.x.x.x|x.x.x.x|2883923492468686851|2883923492468686849|2883923492468690928|2883923492468687287|2883923492468686848|2883923492468686848|2883923492468686848|2883923492468686848|2883923492468690928|2883923492468687287|2883923492468690928|2883923492468687287|2883923492468686848|2883923492468686848|2883923492468690928|2883923492468687287|2883923492468686848|2883923492468686848|2883923492468686848|2883923492468686848|

I've run it several times, the results are the same for all hosts. Any other ideas?

Thanks,
Shawn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Wednesday, March 29, 2006 10:19 AM
To: [email protected]
Subject: RE: [Ntop] Amount of traffic displayed in data column compared to export from ntopdump

Probably truncation ...

In emitter.c, change this:

    static void wrtLlongItm(FILE *fDescr, int lang, char* indent, char* name,
                            TrafficCounter value, char last, int numEntriesSent) {
      char buf[80];

      safe_snprintf(__FILE__, __LINE__, buf, sizeof(buf), "%lu", (long unsigned int)value.value);
      wrtStrItm(fDescr, lang, indent, name, buf, last, numEntriesSent);
    }

To

    static void wrtLlongItm(FILE *fDescr, int lang, char* indent, char* name,
                            TrafficCounter value, char last, int numEntriesSent) {
      char buf[80];

      safe_snprintf(__FILE__, __LINE__, buf, sizeof(buf), "%llu", (long unsigned int)value.value);
      wrtStrItm(fDescr, lang, indent, name, buf, last, numEntriesSent);
    }

(%lu to %llu) and let us know.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Wall
Sent: Wednesday, March 29, 2006 9:57 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] Amount of traffic displayed in data column compared to export from ntopdump

Hi list,

OK, I've searched the archives, read the FAQ and consulted the contrib docs and I haven't been able to find anything specific to this topic. If it is there, I have missed it and I apologize in advance. Anyway, here's my setup:

Ntop v3.2 from FreeBSD ports
FreeBSD 6.0-Release
Libcap 0.9.4
Startup cmd: ntop -w 0 -W 3000 -doncgm x.x.0.0/16 --skip-version-check -u ntop
Using netflow plugin, receiving v5 from Cisco 2621

Network topology

|----Net 1 x.x.x.0/24----|
                          <--2924----2621----PIX---->www
|----Net 2 x.x.x.0/24----|     |
                               |
                              NTOP

Both net1 and net2 have the same 1st and 2nd octet. Everything works, ntop collects flows, reports usage, etc. Happy there.

Now I'm starting to use cron jobs to dump data from ntop using wget. E.g.

/usr/local/bin/wget -O /usr/local/etc/ntopdump/ntopdumptbl --no-check-certificate "https://admin:[EMAIL PROTECTED]:3000/dumpData.html?language=txt&view=short"

Here's where I'm running into trouble. I'll use a specific host to illustrate my problem. The output from the wget cmd above produces a file containing all the specific data ntop has collected in short form:

key|hostResolvedName|pktSent|pktRcvd|ipBytesSent|ipBytesRcvd|bytesMulticastSent|pktMulticastSent|bytesMulticastRcvd|pktMulticastRcvd|bytesSent|bytesRcvd|ipBytesSent|ipBytesRcvd|ipv6Sent|ipv6Rcvd|tcpBytesSent|tcpBytesRcvd|udpBytesSent|udpBytesRcvd|icmpSent|icmpRcvd|
x.x.x.x|x.x.x.x|32312562|33865785|3198778699|1752536103|0|0|0|0|3198778699|1752536103|3198778699|1752536103|0|0|2471215495|966711354|727117640|778779448|445564|7045301|

As I understand it, if I were to add the ipBytesSent and ipBytesRcvd that should give me the total amount of data this host has sent and/or received. Let's try:

ipBytesSent+ipBytesRcvd = 3198778699 + 1752536103 = 4951314802
ipBytesSent+/1073741824 (convert to GB) = 4.611271249 GB

In the browser, ntop reports 26.7 GB in the data column for this host, which is an accurate reflection of the amount of traffic accumulated in all the columns listed. The two totals are not even close.

Now I'll add in all the traffic counters and see if that gives me the same total as the ntop browser:

ipBytesSent+ipBytesRcvd+bytesMulticastSent+bytesMulticastRcvd+tcpBytesSent+tcpBytesRcvd+udpBytesSent+udpBytesRcvd+icmpSent+icmpRcvd

(omitted bytesSent, bytesRcvd and the sent set of ipBytesSent, ipBytesRcvd since the values are identical to the first ipBytesSent and ipBytesRcvd)

3198778699 + 1752536103 + 2471215495 + 966711354 + 727117640 + 778779448 + 445564 + 7045301 = 9902629604
/1073741824 = 9.222542498 GB

That's still not close at all. Now let's try using the long form of a dump.

Same as before, this time I'm including every value that shows up in the dump for the same host:

I won't spell it out, but the total in GB = 21.45643944 GB.

So what am I missing? How come I don't get the same totals as ntop reports in the browser?

I've also attached this email as a doc, since it will get mangled.

Shawn Wall

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
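
An added C example, not code from ntop or from either poster, of the two effects visible in this thread: a cast to a 32-bit type under `%lu` drops the upper half of a 64-bit counter, and the fields in the post-change dump split into one constant upper 32-bit word plus a small lower word, which is consistent with a `%llu` conversion being handed a 32-bit argument. `Counter`, `format_truncated`, `format_full` and `split_field` are names assumed for illustration, and `uint32_t` stands in for an `unsigned long` that is 32 bits wide (the thread does not state the architecture).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the 64-bit value inside ntop's TrafficCounter (assumption). */
typedef unsigned long long Counter;

/* Models "%lu" with a (long unsigned int) cast where long is 32 bits:
   the cast discards the upper half before the formatter sees the value. */
static int format_truncated(char *buf, size_t len, Counter v) {
    return snprintf(buf, len, "%" PRIu32, (uint32_t)v);
}

/* Conversion specifier and argument type agree, so all 64 bits print. */
static int format_full(char *buf, size_t len, Counter v) {
    return snprintf(buf, len, "%llu", (unsigned long long)v);
}

/* Split one decimal dump field into 32-bit halves. Returns 0 on success. */
static int split_field(const char *field, uint32_t *hi, uint32_t *lo) {
    char *end = NULL;
    unsigned long long v = strtoull(field, &end, 10);
    if (end == field || *end != '\0') return -1;   /* not a plain number */
    *hi = (uint32_t)(v >> 32);
    *lo = (uint32_t)(v & 0xffffffffULL);
    return 0;
}

int main(void) {
    /* Constructed counter: 6 * 2^32 plus a remainder, about 27 GB. */
    Counter big = (6ULL << 32) + 3198778699ULL;
    char a[32], b[32];
    format_truncated(a, sizeof a, big);
    format_full(b, sizeof b, big);
    printf("truncated=%s full=%s\n", a, b);

    /* Three fields copied from the post-change dump quoted in the thread. */
    const char *fields[] = { "2883923492468686851", "2883923492468690928",
                             "2883923492468686848" };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        uint32_t hi, lo;
        if (split_field(fields[i], &hi, &lo) == 0)
            printf("%s -> hi=0x%08" PRIx32 " lo=%" PRIu32 "\n", fields[i], hi, lo);
    }
    return 0;
}
```

Passing the mismatched argument to `printf` for real is undefined behaviour, so the example inspects the already-printed values instead of reproducing the call.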
