Re: [Ntop] IPv6 flow

2018-02-13 Thread Simone Mainardi
Joni,

The template has IPv6 source and destination addresses, but none of the flows 
sent as data records has a non-zero value for either the source or the 
destination IPv6 address. They are all valid IPv4 flows.

You can verify that on your own with the following Wireshark filter against 
your pcap. It will give you empty results:



You should check that.

Simone

> On 12 Feb 2018, at 16:25, Joni Lee wrote:
> 
> Sent just now.
> 
> -- 
> Sincerely,
> Joni Lee
> Office: +886(4)2311-7977
> Mobile: +886-970-576-524
> HostingInside LTD. / 鷹式特網有限公司 / AS134522
> ___
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop


Re: [Ntop] Combining subnet statistics

2018-02-13 Thread Simone Mainardi
Peter,

> On 12 Feb 2018, at 22:06, Peter Shute wrote:
> 
> Thanks for that. I've also discovered I can separate out the netflow data 
> coming from each office's router using dynamic network interfaces. I followed 
> the instructions provided at https://github.com/ntop/ntopng/issues/1444 to 
> enable Probe IP disaggregation criterion, and to add %EXPORTER_IPV4_ADDRESS 
> to the template.  I assume this does the same thing as host pooling, assuming 
> one wants to pool every subnet on each router?

Correct

> I have this running now, so I can't try creating host pools unless I undo 
> those changes.
> 
> One thing I've noticed with dynamic interfaces is that if I select one, then 
> click on the chart icon, the traffic peaks seem way too high. E.g. 85Mbps when 
> we only have a 14Mbps link.

Peaks you are seeing are very likely due to the quantized nature of flows. Your 
netflow exporters do periodic exports of active flows -- say every 2 minutes -- 
so the ntopng/nProbe pair is not able to know what happened during the 2 
minutes, it just receives the exported flow at the end of the period. This 
translates into a potentially high volume of traffic in a very short period 
that determines the peak. However, total values over time must be consistent.


> If I click on Hosts/Networks, and select one of the local subnets, it seems 
> ok. Is there something wrong with that combined chart?

Interface charts are populated with a data point every second. Hosts/networks 
every 5 minutes and thus peaks get smoothed because total data is averaged over 
a much wider time range.

> 
> Is it possible to name the dynamic network interfaces so I don't have to keep 
> a list of all the routers' ip addresses?

Yes, rename it as if it was a normal interface.

Simone

> 
>> -Original Message-
>> From: ntop-boun...@listgateway.unipi.it [mailto:ntop-
>> boun...@listgateway.unipi.it] On Behalf Of Simone Mainardi
>> Sent: Tuesday, 13 February 2018 1:29 AM
>> To: n...@unipi.it
>> Subject: Re: [Ntop] Combining subnet statistics
>> 
>> Yes, you can do that.
>> 
>> You should create a host pool for any branch you are interested in monitoring.
>> A host pool can be defined as a set of subnets, so this will do the trick.
>> Once you've created the pools, visit the ntopng preferences and enable the
>> timeseries creation for them.
>> 
>> Simone
>> 
>>> On 12 Feb 2018, at 00:08, Peter Shute wrote:
>>> 
>>> We have several subnets in each of our branch offices that can use our
>>> WAN. I have listed each of these in ntopng.conf:
>>> --local-networks="192.168.0.0/23,192.168.2.0/24,192.168.3.0/24,192.168.6.0/24,192.168.7.0/24,192.168.30.0/24,192.168.60.0/24,192.168.32.0/24,192.168.62.0/24,192.168.33.0/24,192.168.3.0/24,192.168.37.0/24,192.168.67.0/24"
>>> 
>>> I can view charts for each subnet individually, but I would like to see the
>>> total for each branch office. E.g. 192.168.2.0/24 + 192.168.32.0/24 +
>>> 192.168.62.0/24.
>>> 
>>> Is there a way to do this? Because of the subnet ranges they've used (last
>>> digit of second last number indicates branch office), I can't just define a
>>> subnet range to cover them.
>>> 
>>> Peter Shute
>> 
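The peak effect Simone describes in this message, as an added simulation (not ntopng or nProbe code, and not part of the original thread): one flow fills a 14 Mbps link and is exported every 2 minutes, and the same records are charted in 1 s and 300 s steps. The link rate, export period and step sizes come from the thread; the 20-minute flow, the function names and the model that books a record's bytes into the step in which it arrives are assumptions.

```python
# Added illustration; not ntopng/nProbe code. Assumed model: the collector books
# all bytes of an exported flow record into the chart step in which it arrives.

def export_records(rate_bps, duration_s, active_timeout_s):
    """Yield (arrival_second, byte_count) for one constant-rate flow.

    The exporter reports the flow once per active timeout and once at its end.
    """
    start = 0
    while start < duration_s:
        end = min(start + active_timeout_s, duration_s)
        yield end, rate_bps * (end - start) // 8
        start = end


def chart_mbps(records, step_s, span_s):
    """Bucket records into chart steps of step_s seconds; return Mbps per step."""
    steps = [0] * (-(-span_s // step_s))       # ceil(span / step) buckets
    for arrival, nbytes in records:
        # A record arriving at second t closes the interval (t - step, t].
        steps[(arrival - 1) // step_s] += nbytes
    return [b * 8 / step_s / 1e6 for b in steps]


def total_bytes(series_mbps, step_s):
    """Recover the byte total from a chart series (area under the curve)."""
    return round(sum(series_mbps) * 1e6 * step_s / 8)


LINK_BPS = 14_000_000      # 14 Mbps link, from the thread
ACTIVE_TIMEOUT_S = 120     # "say every 2 minutes", from the thread
DURATION_S = 1200          # constructed: one flow filling the link for 20 min

records = list(export_records(LINK_BPS, DURATION_S, ACTIVE_TIMEOUT_S))
per_second = chart_mbps(records, 1, DURATION_S)    # interface chart step
per_5min = chart_mbps(records, 300, DURATION_S)    # hosts/networks chart step

if __name__ == "__main__":
    print("peak, 1 s steps  :", max(per_second), "Mbps")
    print("peak, 300 s steps:", max(per_5min), "Mbps")
    print("bytes (1 s)      :", total_bytes(per_second, 1))
    print("bytes (300 s)    :", total_bytes(per_5min, 300))
```

Under this model the vertical scale of the 1 s chart depends on the exporter's timeout rather than on the link, while the area under either curve gives the same byte total.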


[Ntop] Restart after changing ntopng preferences?

2018-02-13 Thread Peter Shute
Do I need to restart ntopng after I change preferences via the GUI? Seems like 
I do?

If so, I need some help with the restarting procedure. I'm typing sudo 
/etc/init.d/ntopng restart, but it says "command not found". This used to work. 
What's necessary to be in place for it to work, and what could have happened to 
make it stop working?

In the meantime, I'm rebooting the machine to implement changes.

Peter Shute



Re: [Ntop] Combining subnet statistics

2018-02-13 Thread Peter Shute
Simone Mainardi wrote:

> > I have this running now, so I can't try creating host pools unless I undo
> > those changes.
> >
> > One thing I've noticed with dynamic interfaces is that if I select one, then
> > click on the chart icon, the traffic peaks seem way too high. E.g. 85Mbps when
> > we only have a 14Mbps link.
> 
> Peaks you are seeing are very likely due to the quantized nature of flows.
> Your netflow exporters do periodic exports of active flows -- say every 2
> minutes -- so the ntopng/nProbe pair is not able to know what happened
> during the 2 minutes, it just receives the exported flow at the end of the
> period. This translates into a potentially high volume of traffic in a very
> short period that determines the peak. However, total values over time must be
> consistent.

That makes sense. I wonder if it would be helpful to add a note about that on 
the charts so that people understand their limitations.

Does this mean I can still use those charts to look for periods of high usage, 
but should take the vertical scale with a grain of salt?

Peter Shute