[Ntop] Ntop as a sensor/monitor -C and question on libpcap drops
Jon Schipp
jonschipp at gmail.com
Tue Sep 13 21:16:16 CEST 2011
Hello all,
I have a machine that acts as a monitoring device/sensor on my network; it
has 6 NICs and receives copies of data from my switches via monitor ports.
ntop collects traffic for each interface from various network segments and I
have it set up with -m to avoid aggregation, which is very nice.
In this particular scenario, should I be using the -C option as well?
Though, the machine isn't a router. Is that what is meant by "traffic
exchange" in the manual?
That's where I'm becoming confused:
"Using ntop in network mode is extremely useful when installed in a traffic
exchange (e.g. in the middle of the Internet) whereas the host mode should
be used when ntop is installed on the edge of a network"
The sensor is located on our LAN.
Also, I'm on the traffic reports page of a particular interface where it
says:
Dropped (libpcap): 0.0% 0
Dropped (ntop): 0.0% 0
If the kernel drops packets will that increment the libpcap "dropped"
counter? Or is that something different? Is there a correlation between
kernel and libpcap drops?
Can a kernel drop packets without notifying libpcap and thus having ntop
cease to report it? Tcpdump uses libpcap and reports "dropped by kernel"
after a capture. As of now,
I'm presuming that the "dropped by kernel" amount is the "dropped (libpcap)"
amount and that libpcap is just getting the number (amount) from the kernel
through a bpf function or something.
Please correct me if I'm wrong.
Thanks!
--
- Jon
--
------------------------------------------------------------------
VMB: 812-682-0231
Dubois County Linux User Group - http://www.dclinux.org
Southern Indiana Computer Klub - http://sickbits.networklabs.org
Bloomington FOOLS - http://www.bloomingtonfools.org/
BloomingLabs - http://www.bloominglabs.org
ISSA-Kentuckiana - http://issa-kentuckiana.org
GPG Key ID: 810903CB
Key fingerprint = 0069 ED69 EABB DF84 5983 AD3C 6C20 BEFD 8109 03CB