You can't zoom in a graph like that.  If the hosts causing the issue are
active when you're viewing ntop, you can look at the throughput tables
and sort by various methods.  When I see my util about x%, I start at
throughput and see who the top tx/rx are and then look at the session
info for those hosts and see what they're doing.

If the hosts blast you with a bunch of traffic from 8am - 8:30am and
then go away, and you try to determine event specifics at 10am, that's
much more difficult.  That's when you need rrd with lots of stuff
enabled (and I'm still not sure it will traffic session info) or yes,
you'd have to dump the raw data somehow and view it later.

Ntop can read files as well as real-time packet data.

Ntop is good at showing real-time info, but not so much at detailed
historical stuff.  I can for instance tell you anything you want to know
about traffic on my net right now.  But, let's say there was 5TB of
data xfer from 1am - 5am this morning by a rogue host?  I'm screwed - no
"easy" way (or maybe no way at all) to tell "for sure" who was doing
what.  The protocol graphs are pretty consistent so one could probably
see a spike in say...  SMTP from 1am-5am, then try to find the hosts
with the largest SMTP load and possibly extrapolate some relevant info -
again, if the host in question popped in and then disappeared that host's
details will age out and be gone. So you might see your mail server as
it will probably never age out, but the remote end - who knows.  There
are knobs in ntop to control some behavior - such as sticky hosts, so a
discovered host never ages out.  However, USE A FILTER to limit what
ntop sees if you use sticky hosts!  Else you'd better have a couple
hundred Gig of RAM and a REALLY fast system!

I'll re-read your posts in a few and see if I can come up with a better
answer for you.  In the meantime, check out the rrd knobs, arbitrary
graphs, etc.
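The post-hoc question both sides of this thread are circling (who sent how much to which host and port during a window that ntop has already aged out) is easy to answer once the raw packets have been kept, which is the capture-to-file route James proposes below.  The following is an added example, not code from the thread or from the ntop project: it assumes the packets have already been captured with a filter (e.g. `tcpdump -w` with a `dst host` expression) and parsed into per-packet summaries, and it works on a constructed record set rather than a real pcap so it runs offline.  It then ranks bytes per destination host, per port, or per flow within a chosen [start, end) window.

```python
"""Rank traffic inside a chosen time window by host, port or flow.

Added example, not from the ntop thread or the ntop project.  The
records are constructed; a real run would fill them from a pcap parser
(dpkt, scapy, ...) over a file written by tcpdump with a BPF filter.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Callable, Hashable, Iterable, List, NamedTuple, Tuple


class Packet(NamedTuple):
    """One packet summary, the shape a pcap parser hands back per frame."""
    ts: float       # epoch seconds
    src: str
    dst: str
    proto: str
    dport: int
    length: int     # bytes on the wire


def at(hhmm: str, day: str = "2009-07-30") -> float:
    """Epoch seconds for HH:MM (UTC) on the given day."""
    naive = datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=timezone.utc).timestamp()


# Constructed sample (not captured data): one remote host bursts SMTP at
# 192.0.2.25 between 01:00 and 05:00, with unrelated traffic outside the
# window, one packet exactly at 05:00, and records deliberately out of order.
SAMPLE_PACKETS = [
    Packet(at("00:30"), "198.51.100.7", "192.0.2.25", "tcp", 25, 1_500),
    Packet(at("01:15"), "203.0.113.9", "192.0.2.25", "tcp", 25, 900_000),
    Packet(at("04:59"), "203.0.113.9", "192.0.2.26", "tcp", 25, 300_000),
    Packet(at("02:40"), "203.0.113.9", "192.0.2.25", "tcp", 25, 600_000),
    Packet(at("03:05"), "198.51.100.7", "192.0.2.80", "tcp", 80, 40_000),
    Packet(at("05:00"), "203.0.113.9", "192.0.2.25", "tcp", 25, 700_000),
    Packet(at("09:00"), "198.51.100.7", "192.0.2.80", "tcp", 443, 20_000),
]


# Grouping keys: choose the question you want answered.
def by_dst(p: Packet) -> Hashable:
    return p.dst


def by_port(p: Packet) -> Hashable:
    return (p.proto, p.dport)


def by_flow(p: Packet) -> Hashable:
    return (p.src, p.dst, p.proto, p.dport)


def in_window(packets: Iterable[Packet], start: float, end: float) -> List[Packet]:
    """Packets with start <= ts < end.  The end is exclusive so that two
    adjacent windows never count the same packet twice."""
    return [p for p in packets if start <= p.ts < end]


def top_talkers(packets: Iterable[Packet], start: float, end: float,
                key: Callable[[Packet], Hashable],
                limit: int = 10) -> List[Tuple[Hashable, int]]:
    """Sum bytes per key over the window, largest first; ties sort by key
    so the output is stable."""
    totals = defaultdict(int)
    for p in in_window(packets, start, end):
        totals[key(p)] += p.length
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return ranked[:limit]


def window_share(packets: Iterable[Packet], start: float, end: float,
                 key: Callable[[Packet], Hashable]) -> dict:
    """Fraction of the window's total bytes attributed to each key."""
    ranked = top_talkers(packets, start, end, key, limit=None)
    total = sum(b for _, b in ranked)
    return {k: b / total for k, b in ranked} if total else {}


if __name__ == "__main__":
    start, end = at("01:00"), at("05:00")
    for label, key in (("destination", by_dst), ("port", by_port), ("flow", by_flow)):
        print(f"top by {label}:")
        for k, nbytes in top_talkers(SAMPLE_PACKETS, start, end, key, limit=5):
            print(f"  {k}: {nbytes} bytes")
```

The window is half-open on purpose: the 05:00 packet in the sample belongs to the next window, which matters when you slice a day into hourly buckets and compare them.  Once a remote host dominates the window's share, its flow tuple is what you carry over to the session view or to a narrower capture filter.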

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of James Chase
Sent: Thursday, July 30, 2009 1:49 PM
To: [email protected]
Subject: Re: [Ntop] Identifying Inbound Network Traffic

Thanks for your reply. I am looking at the reports within hours of the
data spike but am not dumping data to MySQL yet.

I guess what I am looking to do is zoom in on the Mail Protocol graph
for instance, select a time period and see information similar to what
is available in Remote -> Local Traffic Report which has statistics on
how much data was sent from particular hosts, or even more useful -- a
way to see how much data was sent to what host in particular during the
selected time period. I don't see a way to get reports like that and
isolate that kind of data from the system even before ntop clears its
idle host data.

Should I be thinking about running ntop with the -B dst host
mail.hostname.com and xxx.xxx.xxx.xxx and dump it to a pcap logfile to
inspect with ntop later? Or am I missing something in the ntop reporting
tools?

Thanks again!

On 7/30/2009 12:24 PM, Gary Gatten wrote:
> You can if you catch it within 24 hours, or even better if you can
> catch it real-time.  Once sessions / hosts age out from inactivity the
> details are hard to get at.  Try to view the nTop reports during the
> suspect time window.  Else, turn up the logging configs in the rrd
> plugin (watch your disk space) and / or get the newer(newest) version
> of nTop that supports mySql and dump everything there.
>
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of James Chase
> Sent: Thursday, July 30, 2009 11:18 AM
> To: [email protected]
> Subject: [Ntop] Identifying Inbound Network Traffic
>
> Hi,
>
> I'm seeing an inbound traffic spike at our hosting facility early
> every morning at roughly the same time through our MRTG and Cacti
> graphs. We recently installed NTOP to try and pin down the source and
> destination as well as port/protocol of the traffic, but I haven't
> been able to do this as effectively as I thought. I know through Cacti
> which host the traffic is going to, but it has ~10 virtual IPs and due
> to a limitation of the SNMP protocol I can't limit it to which IP
> exactly.
>
> But a more general question, is there a good way to get this
> information with NTOP? Taking a certain time period and identifying
> the association of a traffic spike; where the data is going to and
> where it is coming from, and on which port? I really want to drill
> down during the time period in question but the more detailed stats
> seem more cumulative.
>
> Should I just be sampling output to a file during the period in
> question? Are there other useful plugins for this?
>
> Thanks for any help,
> James
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop