
Mailing List Archive: NTop: Users

Using ntop to Track Traffic Over an Extended Period, sticky-hosts

 

 



nhoeller at sinet

Nov 16, 2009, 6:11 AM

Post #1 of 5 (910 views)
Using ntop to Track Traffic Over an Extended Period, sticky-hosts

I currently use a 3G (cell-based) Internet service (no access to WiMax,
cable or DSL), and excess usage charges can quickly build up. I am hoping
that ntop will help me identify hosts that I should cache locally or
block, but need to capture traffic over an extended period of time.

I installed and am successfully running ntop 3.3 on an Ubuntu 8.10 server
that manages the 3G modem. Remote websites come and go from the All
Protocols/Traffic list and Utils/Dump Data. When a website becomes active
again, byte counters appear to be reset. The mailing list suggests using
--sticky-hosts and activating the RRD plug-in, but these steps did not
seem to change how ntop works. I did see one post that suggested
--sticky-hosts was not effective for remote hosts. I wrote code to invoke
Utils/Dump Data periodically and build a composite traffic table. Over a
6 hour period yesterday, I captured data from 517 hosts, well below the
default 8192 Max Hashes.

Any guidance would be greatly appreciated! I realise I am trying to use
ntop in a fashion for which it was not designed.
Thanks, Norbert

PS. Great tool! The amount of information it provides is amazing.


Ggatten at waddell

Nov 16, 2009, 10:55 AM

Post #2 of 5 (874 views)
Re: Using ntop to Track Traffic Over an Extended Period, sticky-hosts [In reply to]

What info are you wanting exactly? Seems between rrd (with proper detail selected), sticky hosts, and your dump code - that should cover everything.

"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."




nhoeller at sinet

Nov 16, 2009, 11:48 AM

Post #4 of 5 (875 views)
Re: Using ntop to Track Traffic Over an Extended Period, sticky-hosts [In reply to]

Gary, basically bytesSent and bytesRcvd accumulated over a period of at
least a week. Also the ntop hostname, which for HTTP sites is often more
useful than the nslookup information. With the hostname I can consolidate
traffic from sites that show up with different IPs.

I see where the RRD data is being stored. I have read Burton Strauss'
2003 paper but am not much further in figuring out how to get useful
summary information out of the XML dump. I think I need to look at the
AVERAGE (300 seconds) section, convert bits/second into bytes and sum
across the period I am interested in. I assume the other AVERAGE seconds
are 'rollups' of the data.
thanks, Norbert

> What info are you wanting exactly? Seems between rrd (with proper detail
> selected), sticky hosts, and your dump code - that should cover
> everything.
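
Added example (not part of the original thread, and not ntop's or rrdtool's own code): one way to carry out the summation described in the post above, reading the finest AVERAGE archive from `rrdtool dump` XML and turning per-second rates into a byte total for a time window. The sample dump is constructed, and whether ntop's stored rate is bytes/s or bits/s is left as an assumption behind the hypothetical `rate_in_bits` flag.

```python
import math
import xml.etree.ElementTree as ET

# Constructed sample in the layout `rrdtool dump` emits; all values are invented.
SAMPLE_DUMP = """<rrd>
 <step>300</step>
 <lastupdate>1258372920</lastupdate>
 <ds><name>counter</name></ds>
 <rra><cf>AVERAGE</cf><pdp_per_row>1</pdp_per_row>
  <database>
   <row><v>1.0000000000e+03</v></row>
   <row><v>NaN</v></row>
   <row><v>2.5000000000e+02</v></row>
   <row><v>4.0000000000e+01</v></row>
  </database>
 </rra>
 <rra><cf>AVERAGE</cf><pdp_per_row>12</pdp_per_row>
  <database><row><v>3.2250000000e+02</v></row></database>
 </rra>
 <rra><cf>MAX</cf><pdp_per_row>1</pdp_per_row>
  <database><row><v>9.0000000000e+03</v></row></database>
 </rra>
</rrd>"""

def total_bytes(dump_xml, start, end, ds_index=0, rate_in_bits=False):
    """Sum traffic for rows whose end time falls in (start, end] (epoch seconds).

    Returns (bytes, unknown_rows). Uses the finest AVERAGE archive.
    """
    root = ET.fromstring(dump_xml)
    step = int(root.findtext("step"))
    last = int(root.findtext("lastupdate"))
    averages = [r for r in root.findall("rra")
                if r.findtext("cf").strip() == "AVERAGE"]
    rra = min(averages, key=lambda r: int(r.findtext("pdp_per_row")))
    row_step = step * int(rra.findtext("pdp_per_row"))
    rows = rra.find("database").findall("row")
    # Row timestamps live only in XML comments, so rebuild them: the newest
    # row ends at lastupdate rounded down to the archive's row step.
    newest_end = last - last % row_step
    total, unknown = 0.0, 0
    for i, row in enumerate(rows):
        row_end = newest_end - (len(rows) - 1 - i) * row_step
        if not start < row_end <= end:
            continue
        rate = float(row.findall("v")[ds_index].text)
        if math.isnan(rate):          # unknown sample: count it, do not sum it
            unknown += 1
            continue
        total += rate * row_step      # average rate x seconds the row covers
    if rate_in_bits:                  # assumption flag: stored unit is bits/s
        total /= 8
    return round(total), unknown
```

The finest archive only reaches back as far as the rows it holds; for an older window the same sum applies to a coarser AVERAGE archive using that archive's own row step.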


Ggatten at waddell

Nov 17, 2009, 5:26 AM

Post #5 of 5 (871 views)
Re: Using ntop to Track Traffic Over an Extended Period, sticky-hosts [In reply to]

What is "ntop host name"? Ntop "sniffs" name res requests, but I don't think it looks in http headers for url connects, does it?

If you have the right detail enabled in the rrd plugin, there's a basic gui graph function in ntop to get at said data. Perhaps if you compile with sql it will give you more options?

