
Mailing List Archive: NTop: Users

Newby having trouble with first ntop setup

 

 



paspagno at co

May 6, 2011, 4:45 PM

Post #1 of 30 (1693 views)
Permalink
Newby having trouble with first ntop setup

I have never used ntop before. Where is a good place to start?



Here is my issue:

I have a Fortigate 200B sending sFlow data to my CentOS (running cacti)
server. On this server I have ntop running and the sflow plugin enabled.
I do not think the sflow data is showing in ntop. What should I try?



I can view the ntop webpage. The ntop page does show numerous hosts on
my network. I do not believe that data is accurate, because nothing is
configured to send data to ntop or sflow.



Paul Spagnola

Desktop Support Manager

IT Dept. Douglas County, Oregon

Phone (Desk): (541) 957-4856

Phone (Office): (541) 440-4330

Fax: (541) 440-6129

Email: paspagno [at] co


ntop at ale

May 7, 2011, 2:51 AM

Post #2 of 30 (1639 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Saturday 07 May 2011 00:45:56 Paul A. Spagnola wrote:
> I have never used ntop before. Where is a good place to start?

The easiest place to start is with packet capture on an interface, which is
what Ntop defaults to.

> Here is my issue:
>
> I have a Fortigate 200B sending sFlow data to my CentOS (running cacti)
> server. On this server I have ntop running and the sflow plugin enabled.
> I do not think the sflow data is showing in ntop. What should I try?

Switch to the virtual NIC that the sFlow data should be reporting on. If you
don't see any data, check the sFlow stats, if that shows nothing, use tcpdump
to see if any sFlow packets are arriving at your Ntop box.

> I can view the ntop webpage. The ntop page does show numerous hosts on
> my network. I do not believe that data is accurate, because nothing is
> configured to send data to ntop or sflow.

IME Ntop captures by default on the first ethernet interface. This will be
what you're seeing on the web interface.

alexd

_______________________________________________
Ntop mailing list
Ntop [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop


paspagno at co

May 9, 2011, 9:47 AM

Post #3 of 30 (1627 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Thank you for the input. I used tethereal to confirm that sFlow packets
do appear to be coming into the machine, but I do not think they are
being recorded into ntop. Also, is there a good article that shows how
to set up a Cisco device to forward data to ntop?


Paul Spagnola
Desktop Support Manager
IT Dept. Douglas County, Oregon
Phone (Desk): (541) 957-4856
Phone (Office): (541) 440-4330
Fax: (541) 440-6129
Email: paspagno [at] co





paspagno at co

May 9, 2011, 10:29 AM

Post #4 of 30 (1625 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

I used the sflowtool to confirm sflow data is getting to the server.
Here is a sample. However, the ntop plugin shows very little data for
this host. It should show mbps and I only see kbps.

startDatagram =================================
datagramSourceIP 199.xx.xx.xx
datagramSize 144
unixSecondsUTC 1304961484
datagramVersion 5
agentSubId 0
agent 199.195.30.2
packetSequenceNo 13471
sysUpTime 345440000
samplesInPacket 1
startSample ----------------------
sampleType_tag 0:2
sampleType COUNTERSSAMPLE
sampleSequenceNo 5756
sourceId 0:33
counterBlock_tag 0:1
ifIndex 33
networkType 6
ifSpeed 328674108107
ifDirection 662766254
ifStatus 3
ifInOctets 5422793630
ifInUcastPkts 30358132
ifInMulticastPkts 0
ifInBroadcastPkts 0
ifInDiscards 0
ifInErrors 0
ifInUnknownProtos 0
ifOutOctets 26183045703
ifOutUcastPkts 38620125
ifOutMulticastPkts 0
ifOutBroadcastPkts 0
ifOutDiscards 0
ifOutErrors 0
ifPromiscuousMode 0
endSample ----------------------
endDatagram =================================



rick.jones2 at hp

May 9, 2011, 10:45 AM

Post #5 of 30 (1619 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Mon, 2011-05-09 at 10:29 -0700, Paul A. Spagnola wrote:
> I used the sflowtool to confirm sflow data is getting to the server.
> Here is a sample. However, the ntop plugin shows very little data for
> this host. It should show mbps and I only see kbps.
>
> startDatagram =================================
> datagramSourceIP 199.xx.xx.xx
> datagramSize 144
> unixSecondsUTC 1304961484
> datagramVersion 5
> agentSubId 0
> agent 199.195.30.2

As useless as security through obscurity is asserted to be, it is even
less useful if it is incomplete :)

> packetSequenceNo 13471
> sysUpTime 345440000
> samplesInPacket 1
> startSample ----------------------
> sampleType_tag 0:2
> sampleType COUNTERSSAMPLE
> sampleSequenceNo 5756
> sourceId 0:33
> counterBlock_tag 0:1
> ifIndex 33
> networkType 6
> ifSpeed 328674108107

What sort of interface is this again? That is a somewhat odd-looking
value of ifSpeed.


Out of mostly idle curiosity, how frequently are the counter samples
being sent? It might be good to capture a few of them and do some math
by hand to validate the samples.

> ifDirection 662766254
> ifStatus 3
> ifInOctets 5422793630
> ifInUcastPkts 30358132
> ifInMulticastPkts 0
> ifInBroadcastPkts 0
> ifInDiscards 0
> ifInErrors 0
> ifInUnknownProtos 0
> ifOutOctets 26183045703
> ifOutUcastPkts 38620125
> ifOutMulticastPkts 0
> ifOutBroadcastPkts 0
> ifOutDiscards 0
> ifOutErrors 0
> ifPromiscuousMode 0
> endSample ----------------------
> endDatagram =================================


paspagno at co

May 9, 2011, 11:26 AM

Post #6 of 30 (1623 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Ntop is receiving that data, not cacti.

The interface being monitored is a firewall interface. 1GB speed, actual
traffic throughput fluctuates from 200 kbps to 400 mbps.

I am capturing samples every 60 seconds. How would I go about manual
math on two samples?


Paul Spagnola
Desktop Support Manager
IT Dept. Douglas County, Oregon
Phone (Desk): (541) 957-4856
Phone (Office): (541) 440-4330
Fax: (541) 440-6129
Email: paspagno [at] co






markayler at gmail

May 9, 2011, 11:32 AM

Post #7 of 30 (1633 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Did you say you're using the cacti ntop plugin to view this data? If so, check with the cacti forums. It seems like the data is being received by the cacti server.

Sent from my iPad



rick.jones2 at hp

May 9, 2011, 1:44 PM

Post #8 of 30 (1623 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Mon, 2011-05-09 at 11:26 -0700, Paul A. Spagnola wrote:
> Ntop is receiving that data not cacti.
>
> The interface being monitored is a firewall interface. 1GB speed, actual
> traffic throughput fluctuates from 200 kbps to 400 mbps.
>
> I am capturing samples every 60 seconds. How would I got about manual
> math on two samples?

If ntop is running with the sflow plugin enabled, then via tcpdump
(don't forget to capture whole packets, so a nice big snaplen) feed to
sflowtool (or just tcpdump if you have the top-of-trunk tcpdump).

Or if the plugin is not running, just via sflowtool.

Match-up the agent and index, and follow your nose through the output.

rick jones
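
The manual check discussed above (match agent and ifIndex across two counter samples, then turn the octet deltas into a bit rate), as an added example that is not part of the original thread. It assumes sflowtool's key/value text output trimmed to the fields used; the function names, the placeholder agent address and the second sample (60 s after the one quoted in the thread) are constructed for illustration.

```python
# Added example: validate sFlow counter samples by hand from sflowtool text output.
# Function names are hypothetical; they are not part of ntop or sflowtool.

COUNTER_MODULUS = 2 ** 64  # ifInOctets/ifOutOctets are 64-bit counters in sFlow v5
REQUIRED = ("agent", "ifIndex", "sysUpTime", "ifInOctets", "ifOutOctets")

# First sample: counter values as quoted in the thread. Second sample: constructed,
# 60 s later. The agent address is a documentation placeholder (constructed).
SAMPLE_OUTPUT = """\
startDatagram =================================
agent 192.0.2.1
sysUpTime 345440000
startSample ----------------------
sampleType COUNTERSSAMPLE
ifIndex 33
ifSpeed 328674108107
ifDirection 662766254
ifInOctets 5422793630
ifOutOctets 26183045703
endSample ----------------------
endDatagram =================================
startDatagram =================================
agent 192.0.2.1
sysUpTime 345500000
startSample ----------------------
sampleType COUNTERSSAMPLE
ifIndex 33
ifSpeed 328674108107
ifDirection 662766254
ifInOctets 6172793630
ifOutOctets 27683045703
endSample ----------------------
endDatagram =================================
"""


def parse_counter_samples(text):
    """Return one dict per COUNTERSSAMPLE, with the datagram-level fields merged in."""
    samples, datagram, sample = [], {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "startDatagram":
            datagram = {}
        elif key == "startSample":
            sample = {}
        elif key == "endSample":
            if sample is not None and sample.get("sampleType") == "COUNTERSSAMPLE":
                samples.append({**datagram, **sample})
            sample = None
        elif key == "endDatagram":
            datagram = {}
        elif sample is not None:
            sample[key] = value
        else:
            datagram[key] = value
    return samples


def interface_rates(samples, line_rate_bps):
    """Pair consecutive samples per (agent, ifIndex) and compute bits per second."""
    previous, rows = {}, []
    for s in samples:
        if any(field not in s for field in REQUIRED):
            continue  # incomplete record, e.g. from a truncated capture
        key = (s["agent"], int(s["ifIndex"]))
        p = previous.get(key)
        previous[key] = s
        if p is None:
            continue
        # sysUpTime is the agent's own uptime in milliseconds
        seconds = (int(s["sysUpTime"]) - int(p["sysUpTime"])) / 1000.0
        if seconds <= 0:
            continue  # agent restarted or samples out of order
        row = {"agent": key[0], "ifIndex": key[1], "seconds": seconds, "warnings": []}
        for field, name in (("ifInOctets", "in_bps"), ("ifOutOctets", "out_bps")):
            # the modulo handles a counter that wrapped between the two samples
            delta = (int(s[field]) - int(p[field])) % COUNTER_MODULUS
            row[name] = delta * 8 / seconds
            if row[name] > line_rate_bps:
                row["warnings"].append(f"{name} exceeds line rate (counter reset?)")
        if "ifSpeed" in s and int(s["ifSpeed"]) != line_rate_bps:
            row["warnings"].append(f"ifSpeed {s['ifSpeed']} differs from expected line rate")
        # sFlow v5 defines ifDirection values 0..4 only
        if "ifDirection" in s and not 0 <= int(s["ifDirection"]) <= 4:
            row["warnings"].append(f"ifDirection {s['ifDirection']} outside 0..4")
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in interface_rates(parse_counter_samples(SAMPLE_OUTPUT), 1_000_000_000):
        print(f"{row['agent']} ifIndex {row['ifIndex']}: "
              f"in {row['in_bps'] / 1e6:.1f} Mbps, out {row['out_bps'] / 1e6:.1f} Mbps")
        for warning in row["warnings"]:
            print("  warning:", warning)
```

If the rates computed this way are in the Mbps range while the collector shows kbps, the counters on the wire are fine and the discrepancy is on the collector side.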



paspagno at co

May 9, 2011, 2:13 PM

Post #9 of 30 (1619 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

I tried: tcpdump -w dump.out udp port 6343 and then read in like this:
sflowtool -r dump.out

I got an error about incomplete packets. snaplen not large enough.

-Paul



rick.jones2 at hp

May 9, 2011, 2:20 PM

Post #10 of 30 (1645 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Mon, 2011-05-09 at 14:13 -0700, Paul A. Spagnola wrote:
> I tried: tcpdump -w dump.out udp port 6343 and then read in like this:
> sflowtool -r dump.out
>
> I got an error about incomplete packets. snaplen not large enough.

Increase the snaplen, many tcpdump versions default to a mere 96 bytes,
and you want the whole datagram. The manpage for tcpdump will describe
it as the -s option.

rick

> >
> >
> > _______________________________________________
> > Ntop mailing list
> > Ntop [at] listgateway
> > http://listgateway.unipi.it/mailman/listinfo/ntop
> > _______________________________________________
> > Ntop mailing list
> > Ntop [at] listgateway
> > http://listgateway.unipi.it/mailman/listinfo/ntop
>
>
> _______________________________________________
> Ntop mailing list
> Ntop [at] listgateway
> http://listgateway.unipi.it/mailman/listinfo/ntop


_______________________________________________
Ntop mailing list
Ntop [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop


paspagno at co

May 9, 2011, 3:20 PM

Post #11 of 30 (1619 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Ok, I got that to work. I now have some valid sflow data saved in a dump
file. How do I interpret this data without using ntop so that I can
confirm that the correct data is being sent to the ntop server, but ntop
is not displaying it.

-Paul

-----Original Message-----
From: ntop-bounces [at] listgateway
[mailto:ntop-bounces [at] listgateway] On Behalf Of Rick Jones
Sent: Monday, May 09, 2011 2:20 PM
To: ntop users
Subject: Re: [Ntop] Newby having trouble with first ntop setup

On Mon, 2011-05-09 at 14:13 -0700, Paul A. Spagnola wrote:
> I tried: tcpdump -w dump.out udp port 6343 and then read in like this:
> sflowtool -r dump.out
>
> I got an error about incomplete packets. snaplen not large enough.

Increase the snaplen, many tcpdump versions default to a mere 96 bytes,
and you want the whole datagram. The manpage for tcpdump will describe
it as the -s option.

rick



rick.jones2 at hp

May 9, 2011, 3:36 PM

Post #12 of 30 (1623 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Mon, 2011-05-09 at 15:20 -0700, Paul A. Spagnola wrote:
> Ok, I got that to work. I now have some valid sflow data saved in a dump
> file. How do I interpret this data without using ntop so that I can
> confirm that the correct data is being sent to the ntop server, but ntop
> is not displaying it.

Run it through sflowtool to decode the PDU's for you, look at the
timestamps and the counter values. Subtract and divide as appropriate.

Presumably, from output like this:

startDatagram =================================
datagramSourceIP 192.168.1.7
datagramSize 204
unixSecondsUTC 1304980053
datagramVersion 5
agentSubId 0
agent 192.168.1.7
packetSequenceNo 146213
sysUpTime 950062840
samplesInPacket 1
startSample ----------------------
sampleType_tag 0:2
sampleType COUNTERSSAMPLE
sampleSequenceNo 144103
sourceId 0:45
counterBlock_tag 0:1
ifIndex 45
networkType 6
ifSpeed 1000000000
ifDirection 1
ifStatus 3
ifInOctets 7618363344
ifInUcastPkts 113930197
ifInMulticastPkts 31625
ifInBroadcastPkts 43
ifInDiscards 0
ifInErrors 0
ifInUnknownProtos 0
ifOutOctets 44555271400203
ifOutUcastPkts 3873510231
ifOutMulticastPkts 21938874
ifOutBroadcastPkts 346677994
ifOutDiscards 0
ifOutErrors 0
ifPromiscuousMode 0
counterBlock_tag 0:2
dot3StatsAlignmentErrors 0
dot3StatsFCSErrors 0
dot3StatsSingleCollisionFrames 0
dot3StatsMultipleCollisionFrames 0
dot3StatsSQETestErrors 0
dot3StatsDeferredTransmissions 0
dot3StatsLateCollisions 0
dot3StatsExcessiveCollisions 0
dot3StatsInternalMacTransmitErrors 0
dot3StatsCarrierSenseErrors 0
dot3StatsFrameTooLongs 0
dot3StatsInternalMacReceiveErrors 0
dot3StatsSymbolErrors 0
endSample ----------------------
endDatagram =================================

You will match-up the agent, agentSubId and ifIndex from a series of
samples (if you "know" that you are getting samples from only one
ifIndex and only one agent/agentSubid the matching should be easy :),
and will compute the time intervals between two samples by using either
unixSecondsUTC (time as measured on the "collector") or sysUpTime
(*milliseconds* of time since the switch/agent booted, measured by the
switch/agent). You will then divide that into octets (bytes) sent or
received on the interface over that same interval, using ifInOctets or
ifOutOctets from those same samples. That will give you octets per
second (or millisecond). You then multiply by 8 to get bits per second
(or millisecond). If you have units per millisecond and you want units
per second, multiply by 1000.

rick jones



rick.jones2 at hp

May 20, 2011, 4:12 PM

Post #13 of 30 (1478 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Mon, 2011-05-09 at 15:36 -0700, Rick Jones wrote:
> On Mon, 2011-05-09 at 15:20 -0700, Paul A. Spagnola wrote:
> > Ok, I got that to work. I now have some valid sflow data saved in a dump
> > file. How do I interpret this data without using ntop so that I can
> > confirm that the correct data is being sent to the ntop server, but ntop
> > is not displaying it.
>
> Run it through sflowtool to decode the PDU's for you, look at the
> timestamps and the counter values. Subtract and divide as appropriate.

So Paul, how did your math turn-out?

rick jones



paspagno at co

May 20, 2011, 4:19 PM

Post #14 of 30 (1479 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

I have been too busy to do the math. I recently upgraded the firewall
that this sflow data was coming from and I had to deal with fallout from
the upgrade. I am trying to find the sflow dump to do math on.

-Paul



paspagno at co

May 20, 2011, 4:25 PM

Post #15 of 30 (1480 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Do I perform the math on the FLOWSAMPLE or the COUNTERSAMPLE ?

-Paul



paspagno at co

May 20, 2011, 4:34 PM

Post #16 of 30 (1476 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

How does my math look? I divided the octet difference by 1024 and the
uptime difference by 1000.

Using CounterSample

Uptime      Time Change (secs)   ifInOctets   Delta IN (KB?)   IfOutOctets   Delta Out (KB?)
120260000                        1163457887                    5144474003
120320000   60                   1164180771   706              5147110394    2575

-Paul



rick.jones2 at hp

May 20, 2011, 5:53 PM

Post #17 of 30 (1483 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Fri, 2011-05-20 at 16:25 -0700, Paul A. Spagnola wrote:
> Do I perform the math on the FLOWSAMPLE or the COUNTERSAMPLE ?

Counter.

rick



rick.jones2 at hp

May 23, 2011, 10:32 AM

Post #18 of 30 (1424 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Fri, 2011-05-20 at 16:34 -0700, Paul A. Spagnola wrote:
> How does my math look? I divided the octet difference by 1024 and the
> uptime difference by 1000.
>
> Using CounterSample
>
> Uptime Time Change (secs) ifInOctets Delta IN (KB?)
> IfOutOctets Delta Out (KB?)
> 120260000 1163457887
> 5144474003
> 120320000 60 1164180771 706
> 5147110394 2575

I'm sorry - my mailer is making a total hash of that and so I'm not sure which numbers are which.

rick



paspagno at co

May 24, 2011, 8:18 AM

Post #19 of 30 (1423 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Here is the math:

Uptime difference between two counters was 60 seconds.
The second ifInOctets minus the first one divided by 1024 was 706
The second IfOutOctets minus the first one divided by 1024 was 2575

Is that 706 Kbps? Or 706 KBps?


Paul Spagnola
Desktop Support Manager
IT Dept. Douglas County, Oregon
Phone (Desk): (541) 957-4856
Phone (Office): (541) 440-4330
Fax: (541) 440-6129
Email: paspagno [at] co





rick.jones2 at hp

May 24, 2011, 10:51 AM

Post #20 of 30 (1421 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

On Tue, 2011-05-24 at 08:18 -0700, Paul A. Spagnola wrote:
> Here is the math:
>
> Uptime difference between two counters was 60 seconds.
> The second ifInOctets minus the first one divided by 1024 was 706
> The second IfOutOctets minus the first one divided by 1024 was 2575
>
> Is that 706 Kbps? Or 706 KBps?

Neither.

Octets are another way to say bytes. The ifOutOctets and ifInOctets
values are running counters, counting the total number of bytes through
the interface in each direction since the device started (I'm ignoring
counter wraps since in sFlow those counters are supposed to be 64 bits
wide). They are rather like the odometer on a car. It gives total
miles travelled, not rate at which one travels.

So, if you have a difference in byte count divided by a difference in
seconds, you have bytes per second.

Or, more generally, assume you have two points in time, measured in
seconds. Call them t1 and t2. There are then two "snapshots" of an
octet/byte counter. Let's call them S1 and S2.

The rate over that interval will be the difference in the counters (S2 -
S1) divided by the difference in time (t2 - t1) or

1) (S2 - S1) / (t2 - t1)

that gives you bytes per second. If you want KB per second then you
divide that entire quantity by either 1024 or 1000 depending on how much
of a "System International" (SI) bigot you are wrt the definition of
"K."

2) ((S2 - S1) / (t2 - t1)) / 1024

If you want Kbps you would take the result of equation 1, which is
bytes per second, multiply it by 8 to get bits per second, and then
divide by 1000 to get Kbps. (virtually universally, "bit rates" use
powers of ten so K == 1000).

going back through the numbers, I gather that t2 = 120320000 and t1 =
120260000 are the timestamps from the PDUs. One set of octet/byte
counts are S2 = 5147110394 and S1 = 5144474003 or 2636391 from "(S2 -
S1)", the other then S2 = 1164180771 and S1 = 1163457887 or 722884.
So, the first is 2636391/60 = 43939.85 Bytes/s or 42.91 KBytes/s (K ==
1024). The second is 722884/60 or 12048.06 Bytes/s or ~11.77 KBytes/s.

rick jones

_______________________________________________
Ntop mailing list
Ntop [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop
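
The subtract-and-divide check described in the post above, as an added example that is not part of the thread: it reads sflowtool's line-oriented text output, pairs consecutive counter samples per ifIndex, and applies (S2 - S1) / (t2 - t1). The input is constructed from the numbers quoted in the thread; the ifIndex value, the reading of sysUpTime as milliseconds (which the thread's 60-second interval implies) and the 64-bit wrap handling are assumptions added here.

```python
WRAP64 = 1 << 64  # sFlow interface octet counters are 64 bits wide

# Constructed input in sflowtool's "key value" line format. Counter values are
# the ones quoted in the thread; ifIndex 1 is a placeholder.
SAMPLE = """\
startDatagram =================================
sysUpTime 120260000
startSample ----------------------
sampleType COUNTERSSAMPLE
ifIndex 1
ifInOctets 1163457887
ifOutOctets 5144474003
endSample   ----------------------
endDatagram   =================================
startDatagram =================================
sysUpTime 120320000
startSample ----------------------
sampleType COUNTERSSAMPLE
ifIndex 1
ifInOctets 1164180771
ifOutOctets 5147110394
endSample   ----------------------
endDatagram   =================================
"""

def snapshots(text):
    """Yield (ifIndex, uptime_ms, in_octets, out_octets) per counter sample."""
    uptime, cur = None, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if key == "sysUpTime":
            uptime = int(val)
        elif key == "startSample":
            cur = {}
        elif key == "endSample" and cur is not None:
            if cur.get("sampleType") == "COUNTERSSAMPLE" and "ifInOctets" in cur:
                yield (int(cur["ifIndex"]), uptime,
                       int(cur["ifInOctets"]), int(cur["ifOutOctets"]))
            cur = None
        elif cur is not None:
            cur[key] = val.strip()

def rate(s1, s2, t1_ms, t2_ms):
    """(S2 - S1) / (t2 - t1) in bytes/s; the modulo absorbs one 64-bit wrap."""
    dt = (t2_ms - t1_ms) / 1000.0  # assumption: sysUpTime is in milliseconds
    if dt <= 0:
        raise ValueError("uptime did not advance: agent restart or reordered PDUs")
    return ((s2 - s1) % WRAP64) / dt

def report(text):
    """Return {ifIndex: [(in_Bps, out_Bps, in_kbps, out_kbps), ...]}."""
    last, out = {}, {}
    for idx, t, i, o in snapshots(text):
        if idx in last:
            t0, i0, o0 = last[idx]
            rin, rout = rate(i0, i, t0, t), rate(o0, o, t0, t)
            out.setdefault(idx, []).append((rin, rout, rin * 8 / 1000, rout * 8 / 1000))
        last[idx] = (t, i, o)
    return out
```

Feeding it the decoded text of a real capture in place of SAMPLE gives one tuple per interface per polling interval, which can be compared directly with what ntop displays.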


Burton at ntopSupport

May 27, 2011, 8:08 AM

Post #21 of 30 (1379 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Paul, you never posted your ntop command line and so we can't see if you
have interface merging off and switched the view to the sFlow pseudo-device.
Otherwise you are just monitoring eth0 and seeing the very little traffic to
the ntop/cacti box itself.

Also, are you sure that both sides are using the same port? Ntop has to
listen on the port the sFlow collector is sending to. Just because you see
traffic in a promiscuous tcpdump doesn't mean ntop sees it.



----Burton
Burton Strauss III
Leadership for Software Development Organizations

Unified Messaging: +1 (646) 867-3364
Mobile: +1 (972) 822-8844
Personal E-mail: BStrauss [at] acm
Business E-Mail: Burton.Strauss-III [at] HP

http://www.linkedin.com/in/burtonstrauss

-----Original Message-----
From: ntop-bounces [at] listgateway
[mailto:ntop-bounces [at] listgateway] On Behalf Of Paul A. Spagnola
Sent: Monday, May 09, 2011 1:26 PM
To: ntop [at] unipi
Subject: Re: [Ntop] Newby having trouble with first ntop setup

Ntop is receiving that data not cacti.

The interface being monitored is a firewall interface. 1GB speed, actual
traffic throughput fluctuates from 200 kbps to 400 mbps.

I am capturing samples every 60 seconds. How would I go about manual math
on two samples?


Paul Spagnola
Desktop Support Manager
IT Dept. Douglas County, Oregon
Phone (Desk): (541) 957-4856
Phone (Office): (541) 440-4330
Fax: (541) 440-6129
Email: paspagno [at] co





paspagno at co

May 27, 2011, 8:46 AM

Post #22 of 30 (1378 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

My ntop.conf looks like this: (if you see anything that would not allow
sflow, please tell me)


# Only show error messages
--trace-level 1

### Sets the user that ntop runs as.
### NOTE: This should not be root unless you really understand the security risks.
--user ntop

### Sets the directory that ntop runs from.
--db-file-path /var/ntop

### Interface(s) that ntop will capture on (default: eth0)
#--interface eth0

### Configures ntop not to trust MAC addrs. This is used when port mirroring or SPAN
#--no-mac

### Logging messages to syslog (instead of the console):
### NOTE: To log to a specific facility, use --use-syslog=local3
### NOTE: The = is REQUIRED and no spaces are permitted.
--use-syslog=local3

### Tells ntop to track only local hosts as specified by the --local-subnets option
--track-local-hosts

### Sets the port that the HTTP webserver listens on
### NOTE: --http-server 3000 is the default
--http-server 3000

### Sets the port that the optional HTTPS webserver listens on
#--https-server 3001

### Sets the networks that ntop should consider as local.
### NOTE: Uses dotted decimal and CIDR notation. Example: 192.168.0.0/24
### The addresses of the interfaces are always local and don't need to be specified.
#--local-subnets xx.xx.xx.xx/yy

### Sets the domain. ntop should be able to determine this automatically.
#--domain mydomain.com

### Sets program to run as a daemon
### NOTE: For more than casual use, you probably want this.
--daemon


Paul Spagnola
Desktop Support Manager
IT Dept. Douglas County, Oregon
Phone (Desk): (541) 957-4856
Phone (Office): (541) 440-4330
Fax: (541) 440-6129
Email: paspagno [at] co





paspagno at co

May 27, 2011, 9:02 AM

Post #23 of 30 (1375 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

Anyone know the default password for the ntop admin area?

-Paul



Ggatten at waddell

May 27, 2011, 9:05 AM

Post #24 of 30 (1380 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

"admin", unless you changed it during the install.



Burton at ntopSupport

May 27, 2011, 9:15 AM

Post #25 of 30 (1372 views)
Permalink
Re: Newby having trouble with first ntop setup [In reply to]

If you are having troubles, --trace-level 1 is a bad idea - it hides a lot
of the (semi)useful information nTop does spew out.

Since you don't have --interface none, you are capturing eth0 (the host's
interface, not just the sFlow data). That's not necessarily the problem, as
merge interfaces is the default, but what I don't remember (it's been a LONG
time since I looked at the code) is whether nTop will automatically merge
the sFlow data into the single interface or whether that overrides merge
interface.

So: Check the admin page and see if you can switch the NIC to the sFlow
interface.



-----Burton


