I was thinking to myself about the load on my ntop computer at that time... Maybe it started to drop some packets because it was too much, and the computer has a 1 GHz processor and 512 MB of RAM... I will try to simulate a storm to reach some conclusions!

Thanks a lot Gary and all!

Jeronimo

Gary Gatten wrote:
> nTop is only as accurate as libpcap. If it (or your NIC) is dropping
> packets, nTop can't count them. Maybe set up your nTop box on a mirror port
> somewhere (or give it an IP directly) and blast a bunch of traffic at it and
> see if it can keep up. 11K pps isn't much these days, but libpcap must be
> working well. I've seen it drop anything over 4K pps on a system with a Gb
> NIC. Newer code and recompile fixed that.
>
> G
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerônimo
> Bezerra
> Sent: Tuesday, April 15, 2008 1:58 PM
> To: [email protected]
> Subject: Re: [Ntop] NTOP against Broadcast Storms
>
> Hi Gary,
>
> As follows:
>
> Gary Gatten wrote:
>
>> Well, you don't need a mirror to see broadcasts from the same VLAN.
>>
> It's not a mirror!
>
>> If you want to see broadcasts on any/all vlans, obviously you'll need some
>> visibility into each of those. I'm not sure about the tagging issue. I've
>> seen cases where setting the "native" VLAN does actually work due to bugs.
>> If you're confident it's working (the untagged port) and you're seeing "all"
>> broadcast traffic from VLAN14 - then I'm not sure what's up.
>>
> It's working well; the only trouble until now is about that
> situation where my Ntop didn't report the right counts.
>
>> Another solution that may work - but requires SNMP. You can poll the MIB
>> value for broadcast traffic and monitor the rate. If it goes above "x" you
>> can generate an email or whatever - depending on what app you use. Since
>> it's broadcast traffic you can poll any port on that VLAN.
>>
> Yes, I use that too, with Cacti and Zabbix, but I would like to use the
> web views of ntop! :)
>
>> Also, does your device support any broadcast suppression / storm control?
>> Most vendors support some sort of rate limiting for broadcast traffic, and
>> can also alert you (SNMP, HTML, etc.)
>> if that threshold is violated.
>>
>> I work almost exclusively with Cisco, but some HP, Nortel, 3Com. The lower
>> end stuff I don't touch much.
>>
> Here I work with Cisco, D-Link and 3Com. I use broadcast suppression
> too, but with D-Link the lowest value is 1 K pps, and I would like to
> use NTOP to see values higher than 300 pps. There isn't a way to replace
> D-Link with Cisco or 3Com at this moment, and I'm not worried about it
> right now; I'm just interested in understanding why ntop shows me 300 pps
> and not 10 K pps :)
>
>> Also, any type of intelligent sniffer (Sniffer, Network Observer, etc.) can
>> also detect broadcast storms. For any/all tools, you need to be certain the
>> NIC in said tool has an accurate view of the network you want to monitor or
>> nothing will work right.
>>
>> Gary
>>
> My real intention now is to study broadcast/multicast storms and how
> to detect them in real time in an unmanaged-switch environment. NTOP is
> helping me, but this situation happened where the values are different
> from reality, and I would like to understand why and whether I can do
> anything to avoid this kind of situation!
>
> Thanks again Gary.
>
> Jeronimo
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jerônimo
>> Bezerra
>> Sent: Monday, April 14, 2008 3:12 PM
>> To: [email protected]
>> Subject: Re: [Ntop] NTOP against Broadcast Storms
>>
>> Hi Gary,
>>
>> my scenario is:
>>
>> LAN <--Fiber uplink VLAN 14 -> Core <- VLAN 14 untagged my ntop |
>>
>> I'm on one untagged port of the Core (D-Link 6500) in the same vlan. It's
>> not a mirror, just in vlan 14 without any IP address.
>>
>> As I said in my last email, I'm not worried about what the source of the
>> storm is, but how to use ntop to detect it before users do :)
>>
>> Thanks
>>
>> Jeronimo
>>
>> Gary Gatten wrote:
>>
>>> Malware on the system? Bad NIC hardware? Many things are possible
>>> including bridging loop.
>>> Depending on your switch architecture there are
>>> usually things you can implement on the distribution and core layers to
>>> mitigate the impact of these issues. If you have Cisco stuff I could help,
>>> if something else I can't help much.
>>>
>>> Depending where your nTop box is placed (logically) and how it's actually
>>> seeing the traffic impacts what it can report on; i.e.: mirrored uplinks?
>>> Mirrored access ports? Mirrored VLANs? Shared hub?
>>>
>>> Also, what version of STP are you running? PVST+, RSTP, MST?
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of José Queiroz
>>> Sent: Monday, April 14, 2008 12:56 PM
>>> To: [email protected]
>>> Subject: Re: [Ntop] NTOP against Broadcast Storms
>>>
>>> Hi Jerônimo,
>>>
>>> There is no reason a computer could send 11K packets of ARP, unless
>>> there is a switching loop there.
>>>
>>> Say, do you use in your network those small and cheap switches, say,
>>> DLink DES-1008, Encore ENL-901NWay, etc.?
>>>
>>> When these devices are installed directly in users' rooms, it's easy
>>> for the users to change the way the cables are mounted, and create
>>> switching loops. I went through this problem myself...
>>>
>>> PS/Off-topic: I'm from Rio de Janeiro; if you want, I can help you
>>> identify the point where this loop is happening.
>>>
>>> 2008/4/14, Jerônimo Bezerra <[EMAIL PROTECTED]>:
>>>
>>>> Hello All,
>>>>
>>>> I'm sorry for the comma, my intention was to say 11 000 pps :) My
>>>> scenario follows:
>>>>
>>>> 80 VLANs and each of them with 100 to 600 computers;
>>>> my ntop's NIC is tagged to 3 vlans ( 14, 145, 137 );
>>>> some unmanaged switches, some hubs, and some managed switches on each vlan;
>>>>
>>>> In one vlan ( 145 ) one computer was sending 11 000 pps of ARP
>>>> broadcast, and my ntop was telling me just 300 pps. That's my question:
>>>> why 300 pps?
>>>> My core router was at 99% CPU.
>>>>
>>>> Jeronimo
>>>>
>>>> Graeme Fowler wrote:
>>>>
>>>>> On Mon, 2008-04-14 at 11:06 -0500, Gary Gatten wrote:
>>>>>
>>>> >
>>>> >> 11 or 100 pps is nothing - not even close to anything to worry about.
>>>> >> A 10Mb Ethernet "network" does over 19K pps. Most broadcast storm control
>>>> >> features default to several thousand pps, so really - 11 or a 100 is a
>>>> >> tiny fraction of a percent of available bandwidth.
>>>> >>
>>>> >
>>>> > I think Jeronimo's email lost a bit in translation - it was 11kpps,
>>>> > phrased as "11.000 pps". Not every written language uses a comma as a
>>>> > decimal separator for positive powers of ten :)
>>>> >
>>>> >> Switching Loops don't cause broadcast storms. If there is a loop it
>>>> >> won't be found looking for excessive broadcasts.
>>>> >>
>>>> >
>>>> > Loops in ethernet networks cause all manner of lunacy, because they
>>>> > amplify anything that isn't unicast. After some time (depending on
>>>> > hardware), they amplify unicast too as the L2 devices involved age out
>>>> > or conflict out their MAC tables; once most switches see MAC addresses
>>>> > on several ports they can get a little confused!
>>>> >
>>>> > Jeronimo - you gave no indication of your network topology, and only a
>>>> > vague description of what happened so it's tricky to tell you why you
>>>> > didn't see the problem with ntop.
>>>> >
>>>> > Graeme
>>>> >
>>>> > _______________________________________________
>>>> > Ntop mailing list
>>>> > [email protected]
>>>> > http://listgateway.unipi.it/mailman/listinfo/ntop
>>>
>>> "This email is intended to be reviewed by only the intended recipient
>>> and may contain information that is privileged and/or confidential.
>>> If you are not the intended recipient, you are hereby notified that
>>> any review, use, dissemination, disclosure or copying of this email
>>> and its attachments, if any, is strictly prohibited. If you have
>>> received this email in error, please immediately notify the sender by
>>> return email and delete this email from your system."
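
Gary's SNMP suggestion quoted above (poll the broadcast counter and alert when the rate passes a threshold), as an added example that is not part of the original thread. It assumes the polled object is IF-MIB ifInBroadcastPkts (a Counter32) read together with sysUpTime; the function names, the use of Jeronimo's 300 pps figure as the threshold, and all sample values are constructed for illustration.

```python
# Added example: broadcast-rate alerting from polled SNMP counters.
# Assumed input: (sysUpTime in 1/100 s, ifInBroadcastPkts Counter32) pairs
# from one port on the VLAN. All sample values below are constructed.
from typing import Iterable, List, Optional, Tuple

COUNTER32_MOD = 2 ** 32
THRESHOLD_PPS = 300.0  # rate above which Jeronimo wants to be warned

Sample = Tuple[int, int]  # (sysUpTime ticks, broadcast packet counter)


def rate_pps(prev: Sample, cur: Sample) -> Optional[float]:
    """Packets per second between two polls, or None if not computable."""
    (t0, c0), (t1, c1) = prev, cur
    if t1 <= t0:
        # Uptime stood still or went backwards: duplicate poll, agent
        # restart or sysUpTime wrap. The counter delta is meaningless.
        return None
    delta = (c1 - c0) % COUNTER32_MOD  # absorbs one Counter32 wrap
    return delta / ((t1 - t0) / 100.0)


def find_storms(samples: Iterable[Sample],
                threshold: float = THRESHOLD_PPS) -> List[Tuple[int, float]]:
    """Return (sysUpTime, pps) for each poll interval above the threshold."""
    alerts: List[Tuple[int, float]] = []
    prev: Optional[Sample] = None
    for cur in samples:
        if prev is not None:
            pps = rate_pps(prev, cur)
            if pps is not None and pps > threshold:
                alerts.append((cur[0], pps))
        prev = cur
    return alerts


# Constructed 60-second polls: quiet, an 11 000 pps interval that wraps the
# 32-bit counter, an agent restart, then quiet again.
SAMPLES: List[Sample] = [
    (100_000, 4_294_900_000),
    (106_000, 4_294_906_000),  # 100 pps
    (112_000, 598_704),        # counter wrapped: 11 000 pps
    (3_000, 1_500),            # restart: interval skipped
    (9_000, 7_500),            # 100 pps
]

if __name__ == "__main__":
    for uptime, pps in find_storms(SAMPLES):
        print(f"uptime={uptime} ticks: {pps:.0f} broadcast pps")
```

Because the counter is maintained by the switch port itself, the computed rate does not depend on whether the monitoring host's capture path is dropping packets.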
