Greetings, I am using ntop 3.2 on Debian (package version 3.2-10) with the NetFlow plugin receiving v9 flows from a Cisco 2800 series router. The NetFlow interface is the only configured interface in ntop; there is no pcap interface. Everything works great, but only for a few hours (the duration between breakage does not seem to be fixed).
After the problem occurs, accessing ntop via the web interface works fine, but all statistics are blank and nothing updates. I have verified the router is sending the flows and the ntop machine is receiving the packets using tcpdump. Ntop is still listening on the correct port to receive them according to netstat -l -p. Viewing the NetFlow plugin statistics page reveals statistics that, if correct (which they aren't), would be alarming:

    Flow Senders                                          192.168.XXX.XXX [1,622 pkts]
    Number of Packets Received                            1,622
    Number of Packets with Bad Version                    0
    Number of Packets Processed                           1,622
    Number of Valid Flows Received                        2,179,991,226
    Average Number of Flows per Packet                    40058.6
    Number of V1 Flows Received                           0
    Number of V5 Flows Received                           0
    Number of V7 Flows Received                           0
    Number of V9 Flows Received                           2,179,976,669
    Total V9 Templates Received                           362
    Number of Bad V9 Templates Received                   58
    Number of V9 Flows with Unknown Templates Received    1,844

    Discarded Flows
    Number of Flows with Zero Packet Count                2,179,963,863
    Number of Flows with Zero Byte Count                  0
    Number of Flows with Bad Data                         0
    Number of Flows with Unknown Template                 1,844
    Total Number of Flows Processed                       27,362

The counter for number of flows received increases whether or not netflow packets are actually arriving. The counter is incrementing by approximately 10 million per second. The packets processed counter never increments. When valid netflow packets do actually arrive, the packets received counter, which would normally increment, does not. Restarting ntop brings everything back to normal.

I am unsure whether or not I could reliably capture the specific packet which might be causing this problem, but I thought I'd ask the list for advice first. At the very least it seems there is some kind of denial of service potential in the netflow collector's processing.

Thanks,
John Laur
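A watchdog for the symptom reported above, as an added example that is not part of the original post and is not ntop code: it compares two text snapshots of the plugin statistics and flags counters that cannot come from real traffic. The function names, the "label value" snapshot format and the 0.99 threshold are assumptions; the second snapshot is constructed.

```python
import re

# The NetFlow v9 header carries a 16-bit record count (RFC 3954), so one export
# packet can never account for more than 65,535 flow records.
MAX_RECORDS_PER_PACKET = 0xFFFF
ZERO_PKT_RATIO = 0.99  # assumed alert threshold, tune for your environment
LINE = re.compile(r"^\s*(.+?)\s+([\d,]+(?:\.\d+)?)\s*$")

def parse_stats(text):
    """Turn 'Label  1,234' lines from the plugin statistics page into a dict."""
    stats = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stats[m.group(1)] = float(m.group(2).replace(",", ""))
    return stats

def check(prev, cur):
    """Compare two snapshots; return findings for the stuck-collector symptom."""
    findings = []
    pkts, flows = "Number of Packets Received", "Number of Valid Flows Received"
    zero = "Number of Flows with Zero Packet Count"
    if cur[flows] > prev[flows] and cur[pkts] == prev[pkts]:
        findings.append("flows-advance-without-packets")
    if cur[pkts] and cur[flows] / cur[pkts] > MAX_RECORDS_PER_PACKET:
        findings.append("impossible-flows-per-packet")
    if cur[flows] and cur.get(zero, 0) / cur[flows] > ZERO_PKT_RATIO:
        findings.append("nearly-all-flows-zero-packet")
    return findings

# POSTED uses values from the post. LATER is constructed: about one second on,
# at the reported ~10 million flows per second, with no new packets counted.
POSTED = """
Number of Packets Received 1,622
Number of Valid Flows Received 2,179,991,226
Number of Flows with Zero Packet Count 2,179,963,863
"""
LATER = """
Number of Packets Received 1,622
Number of Valid Flows Received 2,189,991,226
Number of Flows with Zero Packet Count 2,189,963,863
"""

if __name__ == "__main__":
    for finding in check(parse_stats(POSTED), parse_stats(LATER)):
        print("ALERT:", finding)
```

Any finding is a reason to restart the collector and preserve a packet capture from the preceding interval for analysis.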
