nicholas.turner at utoronto
Jun 17, 2010, 10:31 AM
Post #1 of 6
Track Local Hosts Abnormal CPU Usage
I've been implementing NTOP over the past few weeks, and overall it is
just an awesome program =) However recently I have been having some
problems with CPU Usage, which is therein causing a huge amount of
dropped packets from libpcap.
Just some background information, I am running on CentOS 5.5, and my
command line args are as follows:
I've been having some weird issues with NTOP shooting up to 100% CPU
usage, then libpcap dropping packets (I assume due to not having any
CPU cycles to capture them!).
My compiled installation was working fine, until I noticed that NTOP
was hitting the 8192 host maximum without the "-x" flag set. At this
point I did not notice any libpcap dropped packets. THEN, I started
playing around with the -x flag, setting it to 20000 in order to see
if I would reach that cap (I did, because I still had remote hosts
After trying -x 20000, the libpcap started to drop tons of packets, so
I removed the -x flag, going back to the 8192 default, but now for
some reason I was getting dropped packets even at this host count. I
tried cleaning out some preferences (fingerprint.db macPrefix.db
prefscache.db) and the RRD directory, but this didn't help. Since I
couldn't get NTOP back to its original state of 8192 hosts working
fine, I played with the -x setting until I found <1% dropped packets
over an hour period at the 4000-5000 range.
(I feel I should mention that when I say "drop tons of packets" I mean
like 50%-300% although I don't quite understand how that is possible).
Now, upon perusing the man ntop page some more I find the
--track-local-hosts option, which would be perfect for our
implementation. However, upon enabling that, even though ntop is now
only seeing ~150-250 local hosts, it shoots up to 100% cpu usage, and
libpcap starts to drop packets.
So my question is, is there any way to get my ntop to run
--track-local-hosts without so much CPU usage? Or are there some
inherent heavy cpu operations that are doing this? The server is a
~2.2GHz Intel, with 1GB of ram, just a backup server, but I thought it
would be able to handle ntop fine. The average network load with the
4000 host cap is ~5000 packets per second. Is this something NTOP is
able to handle with some tweaks? Or must I install PF_RING in order to
handle these packets correctly?
Ntop mailing list
Ntop [at] listgateway