If you enable RMON it will update a MIB object for the TopN ports.  I
forget the exact OID, but can find it if you want.  In theory you could
use MRTG (or other SNMP tool) to poll that mib object and display the
TopN Table.  However, it will not tell you what protocols or
destinations these people are talking to, only that they are the highest
bandwidth users.  I like to know who is doing what, with whom, and with
what protocols.  nTop is pretty good at this IF it can see the traffic
streams.  My advice is to enable netflow on your aggregation points:
Core routers, WAN routers, Server Farm uplinks, etc. and send them all
to nTop.  Or, you can SPAN the ports these devices/ports are connected
to and use nTop to monitor that way.  Letting nTop "capture" all the
data by using SPAN will require quite a system or systems depending on
your traffic load.  netFlow requires far fewer resources on the nTop
system and will provide the details you're looking for.

Gary


>>> [EMAIL PROTECTED] 4/25/2006 1:40 PM >>>
Thanks to everyone for all the advice given.

Basically we've recently turned SNMP on our routers and been
monitoring
this with a eval version of SolarWinds Orian (which we think is great
but very expensive, if anyone can recommend another product - maybe
one
that does SNMP monitoring and top talkers, I would be grateful!)
Anyway
SNMP is telling us that at certain times of the day our routers at
certain sites and varying times are running really high. Now what we
would like to do is be able to see who is generating this traffic.

This is really were we are coming from by testing Ntop. We don't
really
look after the routers so we can't simply get on there and make
changes
or view stats so we need a third party product.

>From what everyone is saying, I don't think requesting having NetFlow
turned in is a good idea for us.

One thing we thought could work (and I'd appreciate any thoughts on
this) is maybe purchase an "Ethernet tap" such as:

http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=4

&Section=products&menuitem=1

and then plug our router, switch and Ntop server into this.

Do you think that doing this would give us an indication of who was
using our WAN traffic?

Thanks again for all the help so far

Andrew
www.purenetworking.net 
 
 

-----Original Message-----
From: Gary Gatten [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 25, 2006 4:36 PM
To: [EMAIL PROTECTED]; [email protected] 
Subject: Re: [Ntop] Were to placing Ntop on the network

Trying to do what you want in a fully switched environment is not as
easy as you might think.  If you have common aggregation points, such
as
uplinks to server farms, WAN routers, etc. you can start there and
catch
most everything "important",  but you still won't see "all" traffic an
end node might be involved in - such as PtP with another end node on
the
LAN.

Netflow / xflow / IPFix / whatever might work OK if your equipment
supports it.  Not all classes of cisco switches do.  Trying to
SPAN/RSPAN EVERY port would be problematic at best.  You can also try
implementing RMON and using the feature therein, such as Topn.  Yet
another option would be configuring RMON alerts and events on each
port
based on throughput and/or doing SNMP collections on each port using
Openview, MRTG, or any of the other ten thousand SNMP utils out there.

I personally use a combination of most everything I mentioned.  Each
approach accomplishes a slightly different goal - it seems to work OK.

Guess it all depends on exactly what you want to accomplish.  Define
your goals and implement the best solution(s).

Gary


>>> [EMAIL PROTECTED] 4/25/2006 5:09:46 AM >>>
Hello


We are running a fully switched Cisco network and want to be able to 
see who are the top talkers both on our site and on remote sites.

Now I've just set Ntop up had it running for a few hours. Its looks to

be gathering info. We don't have NetFlow or anything like that 
configured on our routers. So Ntop is really just running in its 
default config.

Would I be right in think that:

a) Ntop is only reporting traffic that is on the LAN segment, it can't

tell what is going on at a remote site

b) The traffic is sees is only stuff that come though its network 
interface. So its not really giving me a true reflection of how busy 
the LAN is?


_______________________________________________
Ntop mailing list
[email protected] 
http://listgateway.unipi.it/mailman/listinfo/ntop 



_______________________________________________
Ntop mailing list
[email protected] 
http://listgateway.unipi.it/mailman/listinfo/ntop


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

Reply via email to