Probable silly question... Would it make sense to have a bpf expression in the startup script/settings to ignore data to/from the offending host?
I believe that would incur the smallest overhead.

On Fri, Jun 19, 2009 at 11:51, Gary Gatten <ggat...@waddell.com> wrote:
> While troubleshooting my crashes during/after IDLE_PURGE processes, I found
> a host (CA eTrust) that scans our entire internal network range (all
> possible host IPs) looking for new ones – a discovery process. Don’t ask
> why it doesn’t use multicast for this – seems no one realizes multicast
> exists and how to use it.
>
> Anyway, this “discovery” causes nTop to “see” almost 50,000 hosts – at which
> time it crashes. I’m not 100%, but this process runs every 2 – 4 hours
> depending on TOD, and sure enough – ntop shows a huge spike in host counts
> and shortly thereafter the host count is zero – cause ntop is DEAD!
>
> So – I threw in a blacklist in netflow confs for this host “host not
> w.x.y.z”. Seems to be working, however, now the netflow thread is running 2
> – 3 times CPU it did before I added the blacklist entry. Is there really
> that much overhead in the white/black lists – or am I crazy?
>
> TIA!
>
> Gary

_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop