[Ntop-misc] source and destination stats switched?
bc547
bc547 at kuleuven.net
Thu Sep 23 11:44:48 CEST 2010
Luca,
> Emitting Flow: [->][tcp]
> 10.0.8.23:40777 -> 193.190.67.15:80
> [15640/11612 pkt][67789181/743353 bytes][52.0 sec] [VLAN 32]
> Emitting Flow: [<-][tcp]
> 193.190.67.15:80 -> 10.0.8.23:40777
> [11612 pkt/743353 bytes][52.0 se
>
>
> so you should see two flows, one per direction. This is because v5 does
> not support the concept of bidirectional flows. Note that even on a TCP
> connection from a->b there are packets in the reverse direction.
Indeed. On our collector server I see 2 separate flows for that connection:
SrcIPaddress    SrcP   DstIPaddress    DstP   P  Pkts   Octets
10.0.8.23       40777  193.190.67.15   80     6  15640  67789181
193.190.67.15   80     10.0.8.23       40777  6  11612  743353
However, the logs above tell that the client (10.0.8.23) has sent 67MB to
the webserver (193.190.67.15). In reality I downloaded a file of 67MB from
the webserver. So according to me, it seems the counters are switched.
If I use our old nProbe v4.0 software, I get:
[engine.c: 668] Emitting Flow: [TCP] 10.0.8.23:60946 -> 193.190.67.15:80
[9854/6879 pkt][453483/24830747 bytes] [N: 5.75 ms] [A: 21.47 ms]
[engine.c: 677] Emitting Flow: [TCP] 193.190.67.15:80 -> 10.0.8.23:60946
[6879 pkt/24830747 bytes] [N: 5.75 ms]
(This time it was a file of 24MB). With this version of nProbe, I get
correct results on our collector server:
SrcIPaddress    SrcP   DstIPaddress    DstP   P  Pkts   Octets
10.0.8.23       60946  193.190.67.15   80     6  9854   453483
193.190.67.15   80     10.0.8.23       60946  6  6879   24830747
Comparing both old and new nprobe logs, the counters appear to be switched
around in the new version:
[15640/11612 pkt][67789181/743353 bytes]
versus
[9854/6879 pkt][453483/24830747 bytes]
Kind regards,
Dirk
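
Added example, not part of the original message and not nProbe code: a short Python check that joins the two unidirectional v5 records of a connection by reversed 5-tuple and reports which endpoint sent the bulk of the bytes, run over the collector rows quoted above. The function names are hypothetical, and treating the lower-port endpoint as the server is an assumption.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto pkts octets")

# Collector rows copied from the message above (new nProbe, then nProbe v4.0).
NEW_ROWS = """\
10.0.8.23 40777 193.190.67.15 80 6 15640 67789181
193.190.67.15 80 10.0.8.23 40777 6 11612 743353
"""
OLD_ROWS = """\
10.0.8.23 60946 193.190.67.15 80 6 9854 453483
193.190.67.15 80 10.0.8.23 60946 6 6879 24830747
"""

def parse_rows(text):
    """Parse 'SrcIP SrcP DstIP DstP P Pkts Octets' rows, skipping anything else."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[1].isdigit():
            flows.append(Flow(f[0], int(f[1]), f[2], int(f[3]),
                              int(f[4]), int(f[5]), int(f[6])))
    return flows

def pair_flows(flows):
    """Join each unidirectional record with its reverse-direction record."""
    by_key = {(f.src, f.sport, f.dst, f.dport, f.proto): f for f in flows}
    pairs, seen = [], set()
    for key, f in by_key.items():
        rev_key = (f.dst, f.dport, f.src, f.sport, f.proto)
        if key in seen or rev_key not in by_key:
            continue  # already paired, or no reverse record exported
        seen.update((key, rev_key))
        pairs.append((f, by_key[rev_key]))
    return pairs

def bulk_sender(pair):
    """Return (source IP, role, octets) of the direction carrying more bytes."""
    a, b = pair
    heavy = a if a.octets >= b.octets else b
    # Assumption: the endpoint on the lower port number is the server.
    role = "server" if heavy.sport < heavy.dport else "client"
    return heavy.src, role, heavy.octets

def summarize(text):
    return [bulk_sender(p) for p in pair_flows(parse_rows(text))]

if __name__ == "__main__":
    for label, rows in (("new nProbe", NEW_ROWS), ("nProbe v4.0", OLD_ROWS)):
        for src, role, octets in summarize(rows):
            print(f"{label}: bulk sender {src} ({role}), {octets} octets")
```

For the rows above, the new nProbe records name the client as the bulk sender and the v4.0 records name the server, which is the mismatch with an HTTP download described in the message.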