When I first started using nTop with Cisco netflow I validated various values using the counters on the switch (bps, pps, nbar/IP accounting, etc.) as well as sniffer traces. I generated known traffic flows with IPerf and also tested file transfers using ftp, M$ copy, etc. All the nTop values were close enough for me. I DO have some issues with some graphs showing stuff I can't reconcile - but the numerical data nTop displays is typically good.
So - I'd start by generating known amounts of traffic between known hosts and determine which nTop display represents those flows most accurately. Also, perhaps the untagged type port is causing an issue with nTop? Adding VLAN tagging typically changes the frame formatting and if nTop is reading (and expecting) certain byte offsets in the packet it will definitely freak it out!

G

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Wolek
Sent: Thursday, November 13, 2008 11:33 PM
To: [email protected]
Subject: [Ntop] VLAN vs All

Hello all,

I am still pretty new to Ntop but am getting more familiar. I have read a lot of the docs and some posts but could not find this addressed.

My setup is a mirrored port on a "glue" network, that is I am sniffing a port on a layer 3 Dell switch that is untagged on VLAN 150. The only other thing on this VLAN is the LAN interface of our firewall. The VLAN is only on this one switch, the switch doubles as the core router for the LAN networks.

When I view "All Protocols, Throughput", it defaults me to "All". I sort by current bandwidth, and view the list of top users. Then I change the VLAN to 150, and the list completely changes, drastically different throughputs from completely different hosts, all with (150) after their name or IP.

I don't understand why this traffic would be different, at least so drastically different. I have verified it's not just timing of usage and refreshes. Someone can be downloading something large, and not appear on All, yet I change to VLAN 150, and they are #1. I don't get it or know which to believe.

Thanks!
Mark
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
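The reply's point that a VLAN tag shifts the byte offsets a fixed-offset reader expects can be seen in the sketch below. It is an added example, not part of the original thread and not ntop's own parsing code; the function names, MAC addresses and IP addresses are constructed for illustration.

```python
import socket
import struct

ETH_IPV4 = 0x0800
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag identifiers


def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed sample: Ethernet header (+ optional 802.1Q tag) + minimal IPv4 header."""
    macs = bytes.fromhex("020000000002" "020000000001")  # dst MAC, src MAC
    tag = b"" if vlan_id is None else struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip


def naive_src_ip(frame):
    """Fixed-offset read: assumes IPv4 always starts at byte 14 (untagged layout)."""
    return socket.inet_ntoa(frame[26:30])


def parse_frame(frame):
    """Walk any VLAN tags before locating the IPv4 header; returns (vlan_ids, src, dst)."""
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4                 # each tag pushes everything after it 4 bytes later
        (ethertype,) = struct.unpack_from("!H", frame, offset)
    if ethertype != ETH_IPV4:
        return vlans, None, None
    ip_start = offset + 2
    src = socket.inet_ntoa(frame[ip_start + 12:ip_start + 16])
    dst = socket.inet_ntoa(frame[ip_start + 16:ip_start + 20])
    return vlans, src, dst


if __name__ == "__main__":
    for vid in (None, 150):
        f = build_frame("10.0.0.5", "192.0.2.9", vid)
        print(vid, "naive:", naive_src_ip(f), "tag-aware:", parse_frame(f))
```

On the tagged frame the fixed-offset reader returns bytes from the TTL, protocol and checksum fields as if they were a source address, which is the kind of misattribution worth ruling out when comparing per-host totals between two views.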
