
Ggatten at waddell
Jun 19, 2009, 12:15 PM
Post #3 of 3
Re: Overhead of netflow white/black lists?
Wow - there ARE still people on this list! ;)

I tried the BPF on the startup first - it doesn't seem to work with Netflow, which kinda makes sense 'cause I think it's bound to libpcap. The netflow thread is the one that is 2 - 3 times the load as well.

G

-----Original Message-----
From: ntop-bounces [at] unipi [mailto:ntop-bounces [at] unipi] On Behalf Of Kurt Buff
Sent: Friday, June 19, 2009 2:11 PM
To: ntop [at] unipi
Cc: ntop-dev [at] unipi
Subject: Re: [Ntop] Overhead of netflow white/black lists?

Probable silly question...

Would it make sense to have a bpf expression in the startup script/settings to ignore data to/from the offending host? I believe that would incur the smallest overhead.

On Fri, Jun 19, 2009 at 11:51, Gary Gatten <Ggatten [at] waddell> wrote:
> While troubleshooting my crashes during/after IDLE_PURGE processes, I found a host (CA eTrust) that scans our entire internal network range (all possible host IPs) looking for new ones - a discovery process. Don't ask why it doesn't use multicast for this - seems no one realizes multicast exists and how to use it.
>
> Anyway, this "discovery" causes nTop to "see" almost 50,000 hosts - at which time it crashes. I'm not 100%, but this process runs every 2 - 4 hours depending on TOD, and sure enough - ntop shows a huge spike in host counts and shortly thereafter the host count is zero - cause ntop is DEAD!
>
> So - I threw in a blacklist in netflow confs for this host "host not w.x.y.z". Seems to be working, however, now the netflow thread is running 2 - 3 times CPU it did before I added the blacklist entry. Is there really that much overhead in the white/black lists - or am I crazy?
>
> TIA!
>
> Gary
>
> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
> _______________________________________________
> Ntop mailing list
> Ntop [at] unipi
> http://listgateway.unipi.it/mailman/listinfo/ntop