Hi Gary, I'm sure I have something misconfigured or I am misinterpreting the output, but I go to the Summary Menu and choose "Network Load". The graph I was referring to and was in the attached pictures on the original message come from the "Last 10 Minutes throughput" graph: http://x.x.x.x/thptStats.html
..And yes, cricket is doing the math to convert the bytes to bits on the graphs I'm using for comparison. I have tried this with both Firefox and IE. I don't think it's a refresh issue, because if I stop the flows coming into the ntop box, the graphs go to 0 pretty quickly and start to graph traffic again as soon as I turn the flows back on. Not sure what I'm missing here but, thanks! --Greg -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten Sent: Wednesday, February 27, 2008 3:42 PM To: [email protected] Subject: Re: [Ntop] total traffic understanding - chart andtable Discrepancies I've done extensive testing with netflow and nTop throughput and have found it to be pretty accurate "most" of the time. Better stated, there's only been a few instances where the numbers were WAY off and I think it had/has something to do with the refresh rate of the browser. The SNMP MIB actually tracks "Octets" (roughly bytes) tx and rx. If Cricket is displaying things in bps, it's doing the math internally. When you say the nTop "Network Throughput Graph" - what's the link/URL you're using? I want to make sure we're talking about the same thing and then I'll try to help. The rrd history is ... "whacked" - but the realtime stats (per host and global network) have been accurate for me using netflow. G -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Redder,Greg Sent: Wednesday, February 27, 2008 4:19 PM To: [email protected] Subject: Re: [Ntop] total traffic understanding - chart andtable Discrepancies Gary, Fernando, NTOP folks, I've been noticing some similar discrepancies in the network throughput tables that are either a misunderstanding on my part or inaccuracy on the ntop part. It's important to note that my ntop boxes run on flow data and not sniffing the actual port. I'm running ntop 3.2 on Fedora Core 6 boxes. I have another snmp tool (Cricket) that polls our router's physical interface every 1 minute and graphs the input and output bits/sec and I have experience that shows this tool is highly accurate. Last week, I noticed that one of the networks was at 90+Mbits/sec for over an hour. However, the ntop throughput graph for that same network list quite a different number. The network throughput graph in ntop listed a current throughput of 41.2M and an average of 46.6M. I've attached the graphs as reference. If the 41.2M means megabytes and there is a line for every 30 seconds on the 10 Minute graph, that means 41.2Megabytes went through in 30 seconds which equals 11Mbits/sec. Now, if the 41.2 is Megabits/sec, that's wrong too when I have a host pumping 90Mbits one way into the link. My load should be 90Mbits/sec plus whatever else is going in/out the link. Maybe this is a problem with me using flowdata, but I have other ntop probes that sit "in-line" on the links they analyze and they are not accurate either. Maybe I'm just not interpreting the graphs properly and maybe there's something I can do to help figure this out??? Thank you --Greg Redder Network Analyst Colorado State University -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten Sent: Wednesday, February 27, 2008 2:42 PM To: [email protected] Subject: Re: [Ntop] total traffic understanding - chart and table Discrepancies I am now noticing a very similar instance to yours in "Global Protocol Distribution". I have 88.7% TCP, 3.1% UDP 0% ICMP. These percentages are accurate given the values: Total IP is 9.6GB; TCP is 8.5GB; UDP is 303.3MB, ICMP is 1.3MB. So, there's about 800MB worth of "other" data that's not accounted for which would also equal the missing 8%. -----Original Message----- From: Gary Gatten Sent: Wednesday, February 27, 2008 3:14 PM To: '[email protected]' Subject: RE: [Ntop] total traffic understanding - chart and table Discrepancies Unfortunately I can't answer your specific question. I'd say rounding error, but your values are too far apart for that. I have some similar type issues as well. For example, the rrd data available with historical views isn't even close to the real-time and more accurate data. Also, some of the counters within rrd contradict themselves. My Summary Traffic says I have 99.9% unicast in the table, but the pie chart color tells me I have 99.9% MULTICAST. There are a number of other anomalies that I can't recall right now. I haven't spent as much time in the nTop GUI lately. I wish I could remember all the issues more accurately. I guess if it starts bothering me I'll setup a QA instance where I generate known volumes of traffic to predetermined hosts and make sure it's accounted for correctly. Until then I'm not sure what to do... Gary -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fernando Yamada Sent: Wednesday, February 27, 2008 8:13 AM To: [email protected] Subject: [Ntop] total traffic understanding Hello, I'm having difficulties trying to understand total traffic sums on ntop. For example, in "Global protocol distribution" I have a total of 2.4 GB (99.9%) of IP traffic. Inside this IP traffic I have 2.1 GB (87.8%) of TCP, 80.7 MB (3.3%) and ICMP/IGMP/Other IP, accouting 0% each. Why doesn't the sum match? 87.8% + 3.3% does not equal to 99.9% Also, on traffic directions -> Remote to Local IP, the Total Traffic does not match any other total. I've search in the documentation about these issues with no success. If anyone can explain to me or indicate me something to read about, I'd appreciate. Thanks in advance and regards, -- Fernando Yamada Via IP Soluções para Internet Ltda +55 48 2106-6161 e-mail: [EMAIL PROTECTED] MSN: [EMAIL PROTECTED] Skype: suporte2viaip _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
