Sorry, I'm also still running 3.2.1 and although libpcap isn't seeing
any traffic I do have it running.  I was using it to see any diffs
between what netflow and libpcap interfaces report and any features
lacking in one over the other.

G


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gary Gatten
Sent: Thursday, May 24, 2007 9:54 AM
To: [email protected]
Subject: RE: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?

I use netflow for pretty much everything, but haven't seen this on BSD.
Maybe try using v5 flows - and make sure it's v5 on both ends.  I doubt
it will do anything, but most people are using v5 so maybe there's an
unknown issue with the v9 format.

Gary


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, May 24, 2007 9:48 AM
To: [email protected]
Subject: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?

Greetings,

I am using ntop 3.2 on debian (package version 3.2-10) with the NetFlow
plugin receiving v9 flows from a Cisco 2800 series router.  The NetFlow
interface is the only configured interface in ntop; there is no pcap
interface. Everything works great, but only for a few hours (The duration
between breakage does not seem to be fixed).

After the problem occurs, accessing ntop via the web interface works fine,
but all statistics are blank and nothing updates. I have verified the router
is sending the flows and the ntop machine is receiving the packets using
tcpdump. Ntop is still listening on the correct port to receive them
according to netstat -l -p.

Viewing the NetFlow plugin statistics page reveals statistics that if
correct (which they aren't) would be alarming:

Flow Senders    192.168.XXX.XXX [1,622 pkts]
 
Number of Packets Received      1,622
Number of Packets with Bad Version      0
Number of Packets Processed     1,622
Number of Valid Flows Received  2,179,991,226
Average Number of Flows per Packet      40058.6
Number of V1 Flows Received     0
Number of V5 Flows Received     0
Number of V7 Flows Received     0
Number of V9 Flows Received     2,179,976,669
Total V9 Templates Received     362
Number of Bad V9 Templates Received     58
Number of V9 Flows with Unknown Templates Received      1,844
 
Discarded Flows
Number of Flows with Zero Packet Count  2,179,963,863
Number of Flows with Zero Byte Count    0
Number of Flows with Bad Data   0
Number of Flows with Unknown Template   1,844
Total Number of Flows Processed         27,362

The counter for number of flows received increases whether or not netflow
packets are actually arriving. The counter is incrementing by approximately
10 million per second. The packets processed counter never increments. When
valid netflow packets do actually arrive, the packets received counter which
would normally increment does not.

Restarting ntop brings everything back to normal. I am unsure whether or not
I could reliably capture the specific packet which might be causing this
problem, but I thought I'd ask the list for advice first. At the very least
it seems there is some kind of denial of service potential in the netflow
collector's processing.

Thanks,
John Laur

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

===========================================================================

"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."
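
The report above suspects a NetFlow v9 parsing problem with denial-of-service potential in the collector. The following is an added example, not ntop's code and not a diagnosis of the behaviour reported: a bounds-checked walk over the flowsets of one v9 datagram, in which every step must advance and stay inside the packet. All names (v9_walk, v9_summary, the sample packets) are hypothetical and the packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define V9_HDR_LEN 20u     /* version, count, uptime, secs, sequence, source id */
#define V9_FS_HDR_LEN 4u   /* flowset id + flowset length */
enum v9_err { V9_OK = 0, V9_SHORT = -1, V9_BAD_VERSION = -2,
              V9_BAD_FLOWSET_LEN = -3, V9_TRUNCATED = -4 };
struct v9_summary { unsigned template_sets, option_sets, data_sets, reserved_sets; };

/* Constructed sample: one template flowset (12 bytes), one data flowset (8 bytes). */
static const uint8_t good_pkt[] = {
    0,9, 0,2, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,   /* v9 header, count=2 */
    0,0, 0,12, 1,0, 0,1, 0,1, 0,4,                  /* template 256: IN_BYTES, 4 bytes */
    1,0, 0,8, 0,0,0,42 };                           /* data flowset for template 256 */
/* Constructed sample: a flowset that declares length 0. */
static const uint8_t zero_len_pkt[] = {
    0,9, 0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,  1,0, 0,0 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the flowsets of one datagram; reject anything that cannot be stepped over. */
int v9_walk(const uint8_t *buf, size_t len, struct v9_summary *out)
{
    struct v9_summary s = {0, 0, 0, 0};
    size_t off = V9_HDR_LEN;
    if (len < V9_HDR_LEN) return V9_SHORT;
    if (be16(buf) != 9) return V9_BAD_VERSION;
    while (off < len) {
        if (len - off < V9_FS_HDR_LEN) return V9_TRUNCATED;
        uint16_t id = be16(buf + off), fs_len = be16(buf + off + 2);
        if (fs_len < V9_FS_HDR_LEN) return V9_BAD_FLOWSET_LEN; /* would never advance */
        if (fs_len > len - off) return V9_TRUNCATED;           /* runs past the datagram */
        if (id == 0) s.template_sets++;
        else if (id == 1) s.option_sets++;
        else if (id > 255) s.data_sets++;
        else s.reserved_sets++;                                /* ids 2..255: skipped */
        off += fs_len;
    }
    *out = s;   /* counters are published only for a fully valid packet */
    return V9_OK;
}

int main(void)
{
    struct v9_summary s;
    printf("good=%d zero_len=%d\n", v9_walk(good_pkt, sizeof good_pkt, &s),
           v9_walk(zero_len_pkt, sizeof zero_len_pkt, &s));
    return 0;
}
```

Because the summary is written only on success, a rejected datagram cannot move the collector's counters.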
