You will see IPs and MACs, so yeah, you should be able to distinguish amongst machines as long as you don't have NAT or something going on.

Another solution would be to mirror the uplink interfaces from the non-sflow switch.

Definitely look here for info about sFlow: http://sflow.org/about/index.php

It'll show you what you do get from sFlow (an awful lot, as it turns out) and pay special attention to the sampling stuff. You can at the list back traffic for more discussion, but the basics are as follows:

1) sFlow is designed around sampling and most implementations do so at less than 1:1 by default.

2) Ntop doesn't really handle the sampling at this point. Well - it does - it will report what sampling rate sFlow is telling it that it is using. But what it doesn't do is the multiplication. So if sFlow is sampling, say, 1 in every 4 packets Ntop will only report approx. (see link for sampling theory stuff) 1/4 of the total actual traffic traversing the link. At one point Luca was looking at adding functionality like this, but I'm not sure where he left it.

You'll see from the sampling theory that simply multiplying by the sampling rate will usually work over the long term but is not necessarily accurate when you're looking for small traffic flows.

Regards,
Chris

_________________________________________
Chris Moore
Senior Network Engineer
Guardian Mortgage Documents
303-942-2019
emergency (GMD Help Desk): 303-942-2002
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Wednesday, May 17, 2006 7:07 AM
To: [email protected]
Subject: RE: [Ntop] SFlow and chain linked switches

Well, experience in general w/ sFlow seems pretty thin all over :-)

If the ProCurve sees the packets, it should report on them via sFlow to ntop. You won't have a complete picture of the sub networks, only the subset of traffic that the ProCurve sees.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Victor Rodriguez Cortes
Sent: Wednesday, May 17, 2006 6:30 AM
To: [email protected]
Subject: RE: [Ntop] SFlow and chain linked switches

Hello,

> This really isn't an ntop question ... It belongs with the switch
> vendor. Because it's dependent on their implementation of sFlow and
> (more importantly) on what 'chain-linked' is and how it's implemented.

Sorry for the OT, I just thought that someone here may have experience with this kind of setup.

> Within the realm of standard Ethernet and tcp/ip, the 'procurve'
> switch in your diagram will never see packets local to either of the
> 'non-sFlow' switches, so it wouldn't be able to report ANYTHING about
> them.

That's correct: if the traffic remains within any "non-sFlow" switches I won't see anything. But if the traffic is like this:

Computer1 -->
              non s-Flow switch -> Procurve Switch -> gateway
Computer2 -->

Would I be able to distinguish which computer the traffic comes from using sFlow at the Procurve switch?

Thanks a lot,
Victor.

> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Victor Rodriguez Cortes
> Sent: Tuesday, May 16, 2006 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] SFlow and chain linked switches
>
> Hello,
>
> I'm new to the list and maybe someone has some experience with this
> and could give me some advice. I sent these questions to the Misc list,
> but I haven't received any reply yet. I hope that someone here may help
> me.
>
> I would like to know what kind of information SFlow would give me
> from a chain-linked switch that does NOT support SFlow. The network
> would be something like this (sorry, I'm too bad drawing with
> letters!):
>
>
>                  Gateway
>                     |
>               Procurve 2800
>                |          |
>  Non-sflow switchA    Non-sflow switchB
>          |                    |
>   Network devices      Network devices
>
>
> For some systems (printers, voip phones, some departments...) I do
> not need the performance of one Procurve's Gb port, so I would use
> those ports for other systems and use a different switch to give
> network access to less performance-hungry devices. It's basically a
> matter of cost per port, trying to avoid buying 2 or more ProCurve and
> reuse some basic switches that I have right now.
>
> - Would I see real information for traffic that comes from / goes to
> systems connected to the Non-sflow switches? Obviously all traffic
> would be detected on the Procurve port that has switchA and switchB
> connected to, but I suppose that I should get the IP address of each
> system and be able to identify each one through it (as if there was
> just one system with many IP addresses).
>
> - Would I be able to get real traffic stats from those systems?
>
> - Would all this work if the switches are connected with a 2Gb trunk?
>
> Many thanks in advance,
> Victor.
>
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
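
The multiplication that the top reply says ntop leaves out, and why it is unreliable for small flows, as an added example (not code from ntop or from anyone in this thread). It assumes the bound from the sFlow sampling theory material the reply points to, % error <= 196 * sqrt(1/c) at 95% confidence for a class seen in c samples; the record layout, the 25% trust threshold, the MACs and the IPs are constructed for illustration.

```python
import math
from collections import defaultdict


def scale_sflow_samples(samples, max_pct_error=25.0):
    """Scale sampled frames to per-host estimates with an error bound.

    samples: iterable of (src_mac, src_ip, frame_bytes, sampling_rate),
    where sampling_rate is N for 1-in-N sampling (hypothetical layout).
    """
    hosts = defaultdict(lambda: {"samples": 0, "packets": 0, "bytes": 0})
    for mac, ip, frame_bytes, rate in samples:
        h = hosts[(mac, ip)]
        h["samples"] += 1
        h["packets"] += rate                # one sample stands for ~N frames
        h["bytes"] += frame_bytes * rate    # scaled byte estimate
    for h in hosts.values():
        # Assumed bound: % error <= 196 * sqrt(1/c), c = samples in class.
        # It applies to the frame-count estimate, at 95% confidence.
        h["pct_error"] = 196.0 * math.sqrt(1.0 / h["samples"])
        # The threshold is an assumption; choose it per use case.
        h["trusted"] = h["pct_error"] <= max_pct_error
    return dict(hosts)


# Constructed sample data: two hosts behind the same uplink port,
# told apart by source MAC/IP, sampled at 1-in-512.
RATE = 512
BUSY = ("00:00:5e:00:53:01", "192.0.2.10")
QUIET = ("00:00:5e:00:53:02", "192.0.2.20")
SAMPLES = [(*BUSY, 1500, RATE)] * 400 + [(*QUIET, 64, RATE)] * 4

if __name__ == "__main__":
    for (mac, ip), h in scale_sflow_samples(SAMPLES).items():
        print(f"{ip} {mac} ~{h['packets']} frames ~{h['bytes']} bytes "
              f"+/-{h['pct_error']:.1f}% trusted={h['trusted']}")
```

The quiet host's estimate carries a bound of roughly its own size, so a per-host report built from a handful of samples should be read as "present on the link", not as a traffic volume.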
