This trace may not be telling you the whole story. Did you put the Wireshark machine on a SPAN port or just run it locally connected at your PC? If you ran it locally connected, then all you are seeing is your traffic and any broadcasts that come along. Also, how are you collecting NTOP data? Using NetFlow or Sflow or just with a local connection. Could be that it is seeing the heartbeats and deciding they are not identifyable IP traffic. Try running netflow on your ethernet switches (assuming they are Cisco)>
On Thu, Jan 29, 2009 at 8:59 AM, Martin Larsson <[email protected]>wrote: > Thanks. WireShark was interesting, and overwhelming. > It seems there's a lot of "MS NLB Heartbeat" each containing 1510 bytes. > Could that be it? > I've attached a sample screenshot. > > On Thu, Jan 29, 2009 at 2:16 PM, Burton Strauss III > <[email protected]> wrote: > > It means ntop is seeing a lot of traffic that isn't recognizable as > tcp/ip. > > > > Depending on your connection and what you are monitoring (network > topology) > > this could be normal (i.e. traffic wrapped in something) or it could be > odd. > > > > I usually recommend installing WireShark and letting it analyze a few > dozen > > packets (they both use libpcap so they look at traffic the same way). If > > WireShark calls it differently than ntop, you probably have exposed some > > bug. If they both call it non-ip, then explain your topology and we can > > guide you. If you aren't sure, grab & post a screen shot of a page of > > random traffic from WireShark, post it and we can read what you have from > > there... > > > > -----Burton > > > > > > > > > > > > -----Original Message----- > > From: [email protected] [mailto:[email protected]] On Behalf Of > > Martin Larsson > > Sent: Thursday, January 29, 2009 3:54 AM > > To: [email protected] > > Subject: [Ntop] Non IP Traffic > > > > I installed ntop because the system monitor told me my network was fairly > > active > > even though I wasn't actively sending or receiving anything. > > After about 1.5 hours of running, the traffic summary is showing me a lot > of > > non-IP traffic. > > > > Total 26.4 MBytes [47,672 Pkts] > > IP Traffic 9.3 MBytes [26,718 Pkts] > > Fragmented IP Traffic 0 [0.0%] > > Non IP Traffic 17.1 MBytes > > > > What does that mean? > > > > M. > > _______________________________________________ > > Ntop mailing list > > [email protected] > > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > _______________________________________________ > > Ntop mailing list > > [email protected] > > http://listgateway.unipi.it/mailman/listinfo/ntop > > > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > >
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
