Just to be clear - you're monitoring (2) T1's so MAX possible throughput would be ~ 6Mb/s? Your machine and nTop / libpcap should not have any issues at these rates.
I'm not familiar with the "reports" you mention - is that new in 3.3 or am I missing something? I typically use All Protocols > Throughput and select the hosts and data flows therein. I usually sort by Local hosts, received only, and current throughput. Anyway... I'll do some thinking and see if I can come up with any useful ideas. G -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron Gage Sent: Thursday, October 04, 2007 9:37 AM To: [email protected] Subject: [Ntop] Problem: NTOP missing data - and lots of it Greetings: I just installed a fresh copy of NTOP for a customer. While it has been entirely helpful in tracking down some excessive bandwidth users in the office, we are a bit concerned that some data appears to be missing from the reports. Specifically, we are not seeing any large downloads at all. For example, my contact - while NTOP was running - went and downloaded the Windows 2003 Service Pack 2 installer (over 100 meg). This download was not displayed anywhere on the NTOP report. I would certainly think that a 100 meg download would stick out like a sore thumb on at least the IP reports. If it means anything, I am seeing a HUGE disparity between the total received and total processed counts on the summary->traffic page. Huge as in over 120000 difference - and NTOP has only been running about 2 hours today. Total dropped packets - 504 (from libpcap). Machine is a single P4 2.4 Ghz with 768 meg of ram. According to uptime, the system load is under 0.01. According to vmstat, no swapping is occurring and free memory is about 400 meg. NTOP version is 3.3.3 as pulled from SVN yesterday (3-Oct-2007). NTOP was built with a simple ./configure. NTOP is sitting on a monitor port watching the traffic going to the customers internet router (cisco 2600 with 2 DS1's). Switch is a 3com 3300. NTOP is being started with the following command line: /usr/local/bin/ntop -u ntop -w2401 -4 -c -d -o -D domain.local -r 30 --no-fc --local-subnets 10.1.0.0/16=office,10.2.0.0/16=ferndale,10.3.0.0/16=rpm Yeah, I know - tcp/2401 is CVS, trust me - this needs to be here... Does anyone have any suggestions on how to get NTOP to not miss so much data? Ron Gage Westland, MI _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop =========================================================================== "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
