Latency is solely based on the handshake - that's the only time we can be reasonably sure that there's no processing occurring on the packet and hence we are actually seeing solely network (+ tcp/ip stack) latency...
First thought - check your local subnet settings (-m) ... We only track sessions for 'nonFullyRemoteSession' (i.e. at least one side is local).

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten
Sent: Friday, March 31, 2006 1:39 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [Ntop] -o disables latency stats?

Sorry, I should've clarified what interface I was referring to. I'm running netflow and standard pcap. In theory they're both seeing the same .. traffic, so I'm kinda comparing pros and cons of each method. The latency is interesting to me. I noticed on the netflow interface latency was always blank - I posted another question about that issue.

This issue is concerning the "real" interface using pcap. Until I set the -t 5 -K and -o flags, I had latency stats. When I set these flags, no more latency. I guess it could be the K or t 5, but I was assuming it had more to do with the -o - maybe it was looking at interframe time between MACS. But, since you said it's at the TCP layer - then I don't know. What would you need from me to look into this further?

Another question you made me think of: is the latency stat fixed and based solely on the handshake times - or is it a dynamic average over the life of the session (or some length, like last 5 mins) of the session?

Gary

>>> [EMAIL PROTECTED] 3/31/2006 12:24:44 PM >>>

Latency is different for netFlow / non-netFlow

For non-netFlow, it's based on the timestamps inside the packets, i.e. the SYN and SYN|ACK of the tcp 3-way handshake, from handleTCPSession() in session.c:

    if(tp->th_flags == TH_SYN) {
      theSession->nwLatency.tv_sec = h->ts.tv_sec;
      theSession->nwLatency.tv_usec = h->ts.tv_usec;
      theSession->sessionState = FLAG_STATE_SYN;
    }

And then the block beginning:

    /* Latency measurement */
    if((tp->th_flags == (TH_SYN|TH_ACK))
       && (theSession->sessionState == FLAG_STATE_SYN)) {
      theSession->sessionState = FLAG_FLAG_STATE_SYN_ACK;
    } else if((tp->th_flags == TH_ACK)
              && (theSession->sessionState == FLAG_FLAG_STATE_SYN_ACK)) {
      if(h->ts.tv_sec >= theSession->nwLatency.tv_sec) {
        ...
      }

For netFlow, it's just stored - IF it is part of the flow to begin with. There's nothing specific in the netFlow plugin WRT -o (myGlobals.runningPref.dontTrustMACaddr).

You could turn on the debug line in netFlowPlugin.c:

    /*
    traceEvent(CONST_TRACE_INFO, "DEBUG: Nw Latency=%d.%d [%s:%d -> %s:%d]",
               record->nw_latency_sec, record->nw_latency_usec,
               srcHost->hostNumIpAddress, sport,
               dstHost->hostNumIpAddress, dport);
    */

(remove the /* and */ so it's no longer a comment) - that would show if it's even seeing the data (vs associating incorrectly).

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten
Sent: Thursday, March 30, 2006 4:08 PM
To: [email protected]
Subject: [Ntop] -o disables latency stats?

FreeBSD 6.0, nTop 3.2.1, compiled from CVS - I think....

I'm collecting data through a cisco SPAN port. This port is a mirror of our primary Frame-Relay WAN router interface. The idea is to see global WAN stats. Without -o I have latency stats, however, "all" the traffic gets associated with the router. Not good. Restarted with -o and I have all the individual hosts I wanted, but now there's no latency stats.

Am I missing something, or is this just the way it is?

Thanks!
Gary

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
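
The handshake timing described in the thread (timestamp taken at the SYN, state advanced at the SYN|ACK, interval closed at the final ACK), as an added example that is not part of the thread and is not ntop's code. The names hs_latency_us, struct pkt and both sample traces are constructed for illustration. It assumes the latency is the whole SYN-to-ACK interval at the capture point, since the thread elides what ntop computes at that step, and it masks the flags to FIN/SYN/RST/ACK instead of comparing th_flags exactly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

/* TCP header flag bits; these names are local to this example. */
enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_ACK = 0x10 };
enum hs_state { HS_NONE, HS_SYN, HS_SYN_ACK };

struct pkt { uint8_t flags; struct timeval ts; };  /* one captured segment */

/* Walk one session's packets in capture order and return the SYN -> final ACK
 * interval in microseconds, or -1 if no complete handshake was captured. */
int64_t hs_latency_us(const struct pkt *p, size_t n)
{
    enum hs_state st = HS_NONE;
    struct timeval syn = {0};
    for (size_t i = 0; i < n; i++) {
        uint8_t f = p[i].flags & (F_FIN | F_SYN | F_RST | F_ACK);
        if (f == F_SYN) {              /* a retransmitted SYN restarts the clock */
            syn = p[i].ts;
            st = HS_SYN;
        } else if (f == (F_SYN | F_ACK) && st == HS_SYN) {
            st = HS_SYN_ACK;
        } else if (f == F_ACK && st == HS_SYN_ACK) {
            int64_t d = (int64_t)(p[i].ts.tv_sec - syn.tv_sec) * 1000000
                      + (int64_t)(p[i].ts.tv_usec - syn.tv_usec);
            return d >= 0 ? d : -1;    /* reject timestamps that run backwards */
        }
    }
    return -1;
}

/* Constructed sample: SYN, SYN|ACK, ACK, then a data segment (PSH|ACK). */
static const struct pkt sample_full[] = {
    { F_SYN,         { .tv_sec = 100, .tv_usec = 900000 } },
    { F_SYN | F_ACK, { .tv_sec = 101, .tv_usec =  20000 } },
    { F_ACK,         { .tv_sec = 101, .tv_usec = 150000 } },
    { 0x08 | F_ACK,  { .tv_sec = 101, .tv_usec = 400000 } },
};
/* Constructed sample: capture started mid-session, so no handshake was seen. */
static const struct pkt sample_mid[] = {
    { 0x08 | F_ACK,  { .tv_sec = 200, .tv_usec = 10 } },
    { F_ACK,         { .tv_sec = 200, .tv_usec = 500 } },
};

int main(void)
{
    printf("full handshake: %lld us\n", (long long)hs_latency_us(sample_full, 4));
    printf("mid-session:    %lld us\n", (long long)hs_latency_us(sample_mid, 2));
    return 0;
}
```

A session whose handshake was never captured yields -1, which is why a per-session latency of this kind is a single fixed value and not a running average.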
