Everything is just running on my local machine, yes. All I'm trying to do is to understand why my network-adapter is receiving all that data. It looks like there's a fairly constant stream of about 3Kbits...
But thanks for the info, I'll do some more simple checks and notify my admins. M. On Thu, Jan 29, 2009 at 3:27 PM, Walt Henley <[email protected]> wrote: > This trace may not be telling you the whole story. Did you put the > Wireshark machine on a SPAN port or just run it locally connected at your > PC? If you ran it locally connected, then all you are seeing is your > traffic and any broadcasts that come along. Also, how are you collecting > NTOP data? Using NetFlow or Sflow or just with a local connection. Could > be that it is seeing the heartbeats and deciding they are not identifyable > IP traffic. Try running netflow on your ethernet switches (assuming they > are Cisco)> > > On Thu, Jan 29, 2009 at 8:59 AM, Martin Larsson <[email protected]> > wrote: >> >> Thanks. WireShark was interesting, and overwhelming. >> It seems there's a lot of "MS NLB Heartbeat" each containing 1510 bytes. >> Could that be it? >> I've attached a sample screenshot. >> >> On Thu, Jan 29, 2009 at 2:16 PM, Burton Strauss III >> <[email protected]> wrote: >> > It means ntop is seeing a lot of traffic that isn't recognizable as >> > tcp/ip. >> > >> > Depending on your connection and what you are monitoring (network >> > topology) >> > this could be normal (i.e. traffic wrapped in something) or it could be >> > odd. >> > >> > I usually recommend installing WireShark and letting it analyze a few >> > dozen >> > packets (they both use libpcap so they look at traffic the same way). >> > If >> > WireShark calls it differently than ntop, you probably have exposed some >> > bug. If they both call it non-ip, then explain your topology and we can >> > guide you. If you aren't sure, grab & post a screen shot of a page of >> > random traffic from WireShark, post it and we can read what you have >> > from >> > there... >> > >> > -----Burton >> > >> > >> > >> > >> > >> > -----Original Message----- >> > From: [email protected] [mailto:[email protected]] On Behalf Of >> > Martin Larsson >> > Sent: Thursday, January 29, 2009 3:54 AM >> > To: [email protected] >> > Subject: [Ntop] Non IP Traffic >> > >> > I installed ntop because the system monitor told me my network was >> > fairly >> > active >> > even though I wasn't actively sending or receiving anything. >> > After about 1.5 hours of running, the traffic summary is showing me a >> > lot of >> > non-IP traffic. >> > >> > Total 26.4 MBytes [47,672 Pkts] >> > IP Traffic 9.3 MBytes [26,718 Pkts] >> > Fragmented IP Traffic 0 [0.0%] >> > Non IP Traffic 17.1 MBytes >> > >> > What does that mean? >> > >> > M. >> > _______________________________________________ >> > Ntop mailing list >> > [email protected] >> > http://listgateway.unipi.it/mailman/listinfo/ntop >> > >> > _______________________________________________ >> > Ntop mailing list >> > [email protected] >> > http://listgateway.unipi.it/mailman/listinfo/ntop >> > >> >> _______________________________________________ >> Ntop mailing list >> [email protected] >> http://listgateway.unipi.it/mailman/listinfo/ntop >> > > > _______________________________________________ > Ntop mailing list > [email protected] > http://listgateway.unipi.it/mailman/listinfo/ntop > > _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
