Since a span port is transmit only, there is no way it can "clog the switch." The pc might get bogged down, but the switch won't know or care.
-mel via cell On Jan 30, 2009, at 5:57 AM, "Walt Henley" <[email protected]<mailto:[email protected]>> wrote: That's all he will see unless he gets the NetFlow plugin operating on a switch or router in his network. Or, he could have his PC connected to a SPAN port (not recommended, could clog the switch). 3kb/s of traffic is not going to kill his WS. Pretty typical. I have a site I'm working on currently with 30kB/s of broadcast noise. Not much in 100 mb/s links. On Thu, Jan 29, 2009 at 10:49 PM, Burton Strauss III <<mailto:[email protected]>[email protected]<mailto:[email protected]>> wrote: Well, what you are seeing is a varied collection of broadcast traffic... ARP - address resolution protocol - is how you find an address on the LOCAL segment. NBNS - NetBIOS, a local (non-routable) protocol MS NLB - Microsoft Network Load Balancing protocol Etc. -----Burton -----Original Message----- From: <mailto:[email protected]> [email protected]<mailto:[email protected]> [mailto:<mailto:[email protected]>[email protected]<mailto:[email protected]>] On Behalf Of Martin Larsson Sent: Thursday, January 29, 2009 6:47 AM To: <mailto:[email protected]> [email protected]<mailto:[email protected]> Subject: Re: [Ntop] Non IP Traffic Everything is just running on my local machine, yes. All I'm trying to do is to understand why my network-adapter is receiving all that data. It looks like there's a fairly constant stream of about 3Kbits... But thanks for the info, I'll do some more simple checks and notify my admins. M. On Thu, Jan 29, 2009 at 3:27 PM, Walt Henley <<mailto:[email protected]>[email protected]<mailto:[email protected]>> wrote: > This trace may not be telling you the whole story. Did you put the > Wireshark machine on a SPAN port or just run it locally connected at your > PC? If you ran it locally connected, then all you are seeing is your > traffic and any broadcasts that come along. Also, how are you collecting > NTOP data? Using NetFlow or Sflow or just with a local connection. Could > be that it is seeing the heartbeats and deciding they are not identifyable > IP traffic. Try running netflow on your ethernet switches (assuming they > are Cisco)> > > On Thu, Jan 29, 2009 at 8:59 AM, Martin Larsson > <<mailto:[email protected]>[email protected]<mailto:[email protected]>> > wrote: >> >> Thanks. WireShark was interesting, and overwhelming. >> It seems there's a lot of "MS NLB Heartbeat" each containing 1510 bytes. >> Could that be it? >> I've attached a sample screenshot. >> >> On Thu, Jan 29, 2009 at 2:16 PM, Burton Strauss III >> <<mailto:[email protected]>[email protected]<mailto:[email protected]>> >> wrote: >> > It means ntop is seeing a lot of traffic that isn't recognizable as >> > tcp/ip. >> > >> > Depending on your connection and what you are monitoring (network >> > topology) >> > this could be normal (i.e. traffic wrapped in something) or it could be >> > odd. >> > >> > I usually recommend installing WireShark and letting it analyze a few >> > dozen >> > packets (they both use libpcap so they look at traffic the same way). >> > If >> > WireShark calls it differently than ntop, you probably have exposed some >> > bug. If they both call it non-ip, then explain your topology and we can >> > guide you. If you aren't sure, grab & post a screen shot of a page of >> > random traffic from WireShark, post it and we can read what you have >> > from >> > there... >> > >> > -----Burton >> > >> > >> > >> > >> > >> > -----Original Message----- >> > From: <mailto:[email protected]> >> > [email protected]<mailto:[email protected]> >> > [mailto:<mailto:[email protected]>[email protected]<mailto:[email protected]>] >> > On Behalf Of >> > Martin Larsson >> > Sent: Thursday, January 29, 2009 3:54 AM >> > To: <mailto:[email protected]> [email protected]<mailto:[email protected]> >> > Subject: [Ntop] Non IP Traffic >> > >> > I installed ntop because the system monitor told me my network was >> > fairly >> > active >> > even though I wasn't actively sending or receiving anything. >> > After about 1.5 hours of running, the traffic summary is showing me a >> > lot of >> > non-IP traffic. >> > >> > Total 26.4 MBytes [47,672 Pkts] >> > IP Traffic 9.3 MBytes [26,718 Pkts] >> > Fragmented IP Traffic 0 [0.0%] >> > Non IP Traffic 17.1 MBytes >> > >> > What does that mean? >> > >> > M. >> > _______________________________________________ >> > Ntop mailing list >> > <mailto:[email protected]> [email protected]<mailto:[email protected]> >> > <http://listgateway.unipi.it/mailman/listinfo/ntop> >> > http://listgateway.unipi.it/mailman/listinfo/ntop >> > >> > _______________________________________________ >> > Ntop mailing list >> > <mailto:[email protected]> [email protected]<mailto:[email protected]> >> > <http://listgateway.unipi.it/mailman/listinfo/ntop> >> > http://listgateway.unipi.it/mailman/listinfo/ntop >> > >> >> _______________________________________________ >> Ntop mailing list >> <mailto:[email protected]> [email protected]<mailto:[email protected]> >> <http://listgateway.unipi.it/mailman/listinfo/ntop> >> http://listgateway.unipi.it/mailman/listinfo/ntop >> > > > _______________________________________________ > Ntop mailing list > <mailto:[email protected]> [email protected]<mailto:[email protected]> > <http://listgateway.unipi.it/mailman/listinfo/ntop> > http://listgateway.unipi.it/mailman/listinfo/ntop > > _______________________________________________ Ntop mailing list <mailto:[email protected]>[email protected]<mailto:[email protected]> <http://listgateway.unipi.it/mailman/listinfo/ntop>http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list <mailto:[email protected]>[email protected]<mailto:[email protected]> <http://listgateway.unipi.it/mailman/listinfo/ntop>http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [email protected]<mailto:[email protected]> http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
