Sorry, I should've clarified what interface I was referring to.
I'm running netflow and standard pcap. In theory they're both seeing
the same .. traffic, so I'm kinda comparing pros and cons of each
method. The latency is interesting to me. I noticed on the netflow
interface latency was always blank - I posted another question about
that issue.
This issue is concerning the "real" interface using pcap. Until I set
the -t 5 -K and -o flags, I had latency stats. When I set these flags,
no more latency. I guess it could be the K or t 5, but I was assuming
it had more to do with the -o - maybe it was looking at interframe time
between MACS. But, since you said it's at the TCP layer - then I don't
know. What would you need from me to look into this further?
Another question you made me think of: is the latency stat fixed and
based solely on the handshake times - or is it a dynamic average over
the life of the session (or some length, like last 5 mins) of the
session?
Gary
>>> [EMAIL PROTECTED] 3/31/2006 12:24:44 PM >>>
Latency is different for netFlow / non-netFlow.
For non-netFlow, it's based on the timestamps inside the packets, i.e. the
SYN and SYN|ACK of the tcp 3-way handshake, from handleTCPSession() in
session.c:

    if(tp->th_flags == TH_SYN) {
      theSession->nwLatency.tv_sec = h->ts.tv_sec;
      theSession->nwLatency.tv_usec = h->ts.tv_usec;
      theSession->sessionState = FLAG_STATE_SYN;
    }

And then the block beginning:

    /* Latency measurement */
    if((tp->th_flags == (TH_SYN|TH_ACK))
       && (theSession->sessionState == FLAG_STATE_SYN)) {
      theSession->sessionState = FLAG_FLAG_STATE_SYN_ACK;
    } else if((tp->th_flags == TH_ACK)
              && (theSession->sessionState == FLAG_FLAG_STATE_SYN_ACK)) {
      if(h->ts.tv_sec >= theSession->nwLatency.tv_sec) {
        ...
      }

For netFlow, it's just stored - IF it is part of the flow to begin with.
There's nothing specific in the netFlow plugin WRT -o
(myGlobals.runningPref.dontTrustMACaddr).
You could turn on the debug line in netFlowPlugin.c:

    /*
      traceEvent(CONST_TRACE_INFO, "DEBUG: Nw Latency=%d.%d [%s:%d -> %s:%d]",
                 record->nw_latency_sec, record->nw_latency_usec,
                 srcHost->hostNumIpAddress, sport,
                 dstHost->hostNumIpAddress, dport);
    */

(remove the /* and */ so it's no longer a comment) - that would show if it's
even seeing the data (vs associating incorrectly).
-----Burton
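
An added example, not ntop's code and not part of the thread: a minimal C model of the SYN / SYN|ACK / ACK state machine in the session.c excerpt above, run over constructed packet records. The names (hs_feed, struct pkt, HS_*) are hypothetical, and because the excerpt elides the body of the final block, reporting the raw SYN-to-ACK difference is this example's assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in names for this example; ntop's own types and constants differ. */
#define F_SYN 0x02
#define F_ACK 0x10
enum hs_state { HS_NONE, HS_SYN, HS_SYN_ACK, HS_DONE };
struct pkt  { int64_t sec, usec; uint8_t flags; };
struct sess { enum hs_state state; int64_t syn_sec, syn_usec; };

/* Feed one packet; returns SYN-to-ACK time in usec once the handshake
   completes, otherwise -1 (no sample yet, or none possible). */
int64_t hs_feed(struct sess *s, const struct pkt *p) {
  if (p->flags == F_SYN) {            /* every bare SYN restarts the timer */
    s->syn_sec = p->sec; s->syn_usec = p->usec;
    s->state = HS_SYN;
  } else if (p->flags == (F_SYN | F_ACK) && s->state == HS_SYN) {
    s->state = HS_SYN_ACK;
  } else if (p->flags == F_ACK && s->state == HS_SYN_ACK) {
    int64_t d = (p->sec - s->syn_sec) * 1000000 + (p->usec - s->syn_usec);
    s->state = HS_DONE;
    if (d >= 0) return d;             /* drop samples from a stepped clock */
  }
  return -1;
}

/* Latency for one session's packets, or -1 if no full handshake was seen. */
int64_t handshake_latency_usec(const struct pkt *pkts, size_t n) {
  struct sess s = { HS_NONE, 0, 0 };
  for (size_t i = 0; i < n; i++) {
    int64_t d = hs_feed(&s, &pkts[i]);
    if (d >= 0) return d;
  }
  return -1;
}

/* Constructed captures (not from the thread). */
static const struct pkt full[]  = { {100, 900000, F_SYN}, {101, 20000, F_SYN | F_ACK}, {101, 50000, F_ACK} };
static const struct pkt resyn[] = { {100, 0, F_SYN}, {103, 0, F_SYN}, {103, 40000, F_SYN | F_ACK}, {103, 80000, F_ACK} };
static const struct pkt mid[]   = { {200, 0, F_SYN | F_ACK}, {200, 30000, F_ACK}, {200, 60000, F_ACK} };

int main(void) {
  printf("full=%lld resyn=%lld mid=%lld\n",
         (long long)handshake_latency_usec(full, 3),
         (long long)handshake_latency_usec(resyn, 4),
         (long long)handshake_latency_usec(mid, 3));
  return 0;
}
```

In this model a session whose SYN was never captured (`mid`) yields no sample at all, and a retransmitted SYN (`resyn`) is timed from the last SYN seen.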
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten
Sent: Thursday, March 30, 2006 4:08 PM
To: [email protected]
Subject: [Ntop] -o disables latency stats?
FreeBSD 6.0, nTop 3.2.1, compiled from CVS - I think....
I'm collecting data through a Cisco SPAN port. This port is a mirror of
our primary Frame-Relay WAN router interface. The idea is to see global WAN
stats.
Without -o I have latency stats, however, "all" the traffic gets associated
with the router. Not good. Restarted with -o and I have all the individual
hosts I wanted, but now there's no latency stats.
Am I missing something, or is this just the way it is?
Thanks!
Gary
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop