[Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?
Gary Gatten
Ggatten at waddell.com
Thu May 24 17:05:50 CEST 2007
Sorry, I'm also still running 3.2.1 and although libpcap isn't seeing
any traffic I do have it running. I was using it to see any diffs
between what netflow and libpcap interfaces report and any features
lacking in one over the other.
G
-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Gary Gatten
Sent: Thursday, May 24, 2007 9:54 AM
To: ntop at unipi.it
Subject: RE: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?
I use netflow for pretty much everything, but haven't seen this on BSD.
Maybe try using v5 flows - and make sure it's v5 on both ends. I doubt
it will do anything, but most people are using v5 so maybe there's an
unknown issue with the v9 format.
Gary
-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
johnl at blurbco.com
Sent: Thursday, May 24, 2007 9:48 AM
To: ntop at unipi.it
Subject: [Ntop] ntop stops updating when using NetFlow - problem parsing NetFlow v9?
Greetings,
I am using ntop 3.2 on debian (package version 3.2-10) with the NetFlow
plugin receiving v9 flows from a Cisco 2800 series router. The NetFlow
interface is the only configured interface in ntop; there is no pcap
interface. Everything works great, but only for a few hours (The duration
between breakage does not seem to be fixed).
After the problem occurs, accessing ntop via the web interface works fine,
but all statistics are blank and nothing updates. I have verified the router
is sending the flows and the ntop machine is receiving the packets using
tcpdump. Ntop is still listening on the correct port to receive them
according to netstat -l -p.
Viewing the NetFlow plugin statistics page reveals statistics that if
correct (which they aren't) would be alarming:
Flow Senders 192.168.XXX.XXX [1,622 pkts]
Number of Packets Received 1,622
Number of Packets with Bad Version 0
Number of Packets Processed 1,622
Number of Valid Flows Received 2,179,991,226
Average Number of Flows per Packet 40058.6
Number of V1 Flows Received 0
Number of V5 Flows Received 0
Number of V7 Flows Received 0
Number of V9 Flows Received 2,179,976,669
Total V9 Templates Received 362
Number of Bad V9 Templates Received 58
Number of V9 Flows with Unknown Templates Received 1,844
Discarded Flows
Number of Flows with Zero Packet Count 2,179,963,863
Number of Flows with Zero Byte Count 0
Number of Flows with Bad Data 0
Number of Flows with Unknown Template 1,844
Total Number of Flows Processed 27,362
The counter for number of flows received increases whether or not netflow
packets are actually arriving. The counter is incrementing by approximately
10 million per second. The packets processed counter never increments. When
valid netflow packets do actually arrive, the packets received counter which
would normally increment does not.
Restarting ntop brings everything back to normal. I am unsure whether or not
I could reliably capture the specific packet which might be causing this
problem, but I thought I'd ask the list for advice first. At the very least
it seems there is some kind of denial of service potential in the netflow
collector's processing.
Thanks,
John Laur
_______________________________________________
Ntop mailing list
Ntop at unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
===========================================================================
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
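
For readers trying to find the packet that precedes a stall like the one reported in this thread, the following is an added example, not ntop's code and not from any poster: a structural checker for captured NetFlow v9 UDP payloads using the RFC 3954 layout. The thread does not establish the cause; the conditions flagged here (flowset length below 4, zero-length template records, header count mismatch) are assumptions about what a collector should reject, and all function names are hypothetical.

```python
import struct

def check_templates(body, templates, problems):
    """Validate the template records of one template flowset; return how many."""
    pos = n = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        end = pos + 4 + 4 * nfields
        if end > len(body):
            problems.append(f"template {tid}: {nfields} fields overrun the flowset")
            break
        # Each field is (type, length); the lengths sum to the data record size.
        rec_len = sum(struct.unpack_from("!H", body, p + 2)[0] for p in range(pos + 4, end, 4))
        if tid < 256 or rec_len == 0:
            problems.append(f"template {tid}: id or record length {rec_len} invalid")
        else:
            templates[tid] = rec_len
        pos, n = end, n + 1
    return n

def check_v9(payload, templates):
    """List structural problems in one NetFlow v9 UDP payload (RFC 3954 layout).
    `templates` maps template id -> record length and persists across packets."""
    if len(payload) < 20 or struct.unpack_from("!H", payload)[0] != 9:
        return ["not a NetFlow v9 packet"]
    count, problems, off, records, exact = struct.unpack_from("!H", payload, 2)[0], [], 20, 0, True
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            problems.append(f"flowset at offset {off}: bad length {fs_len}")
            break  # trusting this length would stall or over-read
        body = payload[off + 4:off + fs_len]
        if fs_id == 0:
            records += check_templates(body, templates, problems)
        elif fs_id < 256:
            exact = False  # options templates are not decoded here
        elif fs_id in templates:
            records += len(body) // templates[fs_id]
        else:
            problems.append(f"data flowset {fs_id}: unknown template")
        off += fs_len
    if exact and not problems and records != count:
        problems.append(f"header count {count} but {records} records present")
    return problems

# Constructed sample-input helpers (not taken from the thread).
def flowset(fs_id, body):
    return struct.pack("!HH", fs_id, 4 + len(body)) + body

def packet(count, *flowsets):
    return struct.pack("!HHIIII", 9, count, 0, 0, 0, 0) + b"".join(flowsets)
```

Feed it the UDP payloads from a tcpdump capture in arrival order, reusing one `templates` dict per exporter, and look at the first payload that returns a non-empty list.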