[Ntop] Problem Sending NetFlow Traces

Hermano Toscano Moura toscano_moura at hotmail.com
Thu Aug 4 20:12:26 CEST 2005 

I just edit the queue...

#define MAX_NUM_QUEUED_ADDRESSES          102400000

Now im sending a 8Mb Trace and the problem is the same!

<html><div><H3 align=center><FONT color=#ff0000>Hermano José Toscano Moura 
Filho</FONT><IMG height=2 src="http://graphics.hotmail.com/greypixel.gif" 
width="100%" vspace=9><FONT color=#0000cc>UFPB: </FONT>Aluno de 
graduação(Computação)<FONT color=#0000cc>CEFET-PB:</FONT> Aluno de 
graduação(Telemática)<FONT color=#0000cc>RNP:</FONT> Estagiário(GT-P2P)<IMG 
height=2 src="http://graphics.hotmail.com/greypixel.gif" width="100%" 
vspace=9></H3></div></html>

<br><br><br>&gt;From: &quot;Burton Strauss&quot; 
&lt;Burton at ntopSupport.com&gt;<br>&gt;Reply-To: ntop at unipi.it<br>&gt;To: 
&lt;ntop at Unipi.IT&gt;<br>&gt;Subject: RE: [Ntop] Problem Sending NetFlow 
Traces<br>&gt;Date: Thu, 4 Aug 2005 11:28:08 -0500<br>&gt;<br>&gt;Address 
resolution takes time -- give it a try, using dig or nslookup 
-<br>&gt;you'll be surprised.<br>&gt;<br>&gt;That's why it's in a separate 
thread, fed by a queue.  The queue is (by<br>&gt;default) 4K.  When the 
queue fills up, ntop just stops queuing addresses and<br>&gt;keeps them in 
numeric form.  As the queue gets emptied, ntop can accept<br>&gt;additional 
addresses to resolve.  In packet capture mode, you'll eventually<br>&gt;see 
other packets from those hosts and everything gets 
resolved.<br>&gt;<br>&gt;When you send a huge file, ntop gets hit with all 
those addresses at once to<br>&gt;resolve.  This overflows the queue and 
some don't get resolved.<br>&gt;<br>&gt;You can try sending the file in 
smaller chunks, or you could edit the queue<br>&gt;size in globals-defines.h 
and 
recompile.<br>&gt;<br>&gt;-----Burton<br>&gt;<br>&gt;<br>&gt;<br>&gt;-----Original 
Message-----<br>&gt;From: ntop-bounces at unipi.it 
[mailto:ntop-bounces at unipi.it] On Behalf Of<br>&gt;Hermano Toscano 
Moura<br>&gt;Sent: Thursday, August 04, 2005 10:54 AM<br>&gt;To: 
ntop at Unipi.IT<br>&gt;Subject: [Ntop] Problem Sending NetFlow 
Traces<br>&gt;<br>&gt;Hi There...<br>&gt;<br>&gt;I'm sending a netflow trace 
to Ntop like this:<br>&gt;<br>&gt;flow-cat /home/hermano/gt/netflow | 
flow-send -dV5 0/127.0.0.1/5555<br>&gt;<br>&gt;The file that Im sending  has 
around 480Mb...<br>&gt;But the results are not the expected, I think ntop is 
not processing all the<br>&gt;information of this trace...<br>&gt;The 
following messages appears:<br>&gt;<br>&gt;**WARNING** Address resolution 
queue is full [4096 slots] Addresses in<br>&gt;excess won't be resolved - 
ntop continues<br>&gt;<br>&gt;My questions are...<br>&gt;Why ntop cant 
process all the file? I think 480Mb is not a too large 
trace<br>&gt;file...<br>&gt;Can I fix this problem?<br>&gt;If I send pieces 
of this trace(like 48 files of 10Mb), i solve my 
problem?<br>&gt;<br>&gt;Thanks evrybody in advance and sorry about my poor 
english!<br>&gt;<br>&gt;Hermano 
Toscano<br>&gt;<br>&gt;<br>&gt;_______________________________________________<br>&gt;Ntop 
mailing 
list<br>&gt;Ntop at unipi.it<br>&gt;http://listgateway.unipi.it/mailman/listinfo/ntop<br>&gt;<br>&gt;_______________________________________________<br>&gt;Ntop 
mailing 
list<br>&gt;Ntop at unipi.it<br>&gt;http://listgateway.unipi.it/mailman/listinfo/ntop<br>

More information about the Ntop mailing list