[Ntop] total traffic understanding - chart and table Discrepancies

Redder,Greg Greg.Redder at ColoState.EDU
Wed Feb 27 23:18:43 CET 2008


Gary, Fernando, NTOP folks,

I've been noticing some similar discrepancies in the network throughput tables that are either a misunderstanding on my part or inaccuracy on the ntop part.  It's important to note that my ntop boxes run on flow data and not sniffing the actual port.  I'm running ntop 3.2 on Fedora Core 6 boxes.

I have another SNMP tool (Cricket) that polls our router's physical interface every 1 minute and graphs the input and output bits/sec, and I have experience that shows this tool is highly accurate.  Last week, I noticed that one of the networks was at 90+Mbits/sec for over an hour.  However, the ntop throughput graph for that same network lists quite a different number.  The network throughput graph in ntop listed a current throughput of 41.2M and an average of 46.6M.  I've attached the graphs as reference.

If the 41.2M means megabytes and there is a line for every 30 seconds on the 10 Minute graph, that means 41.2 Megabytes went through in 30 seconds, which equals 11Mbits/sec.

Now, if the 41.2 is Megabits/sec, that's wrong too when I have a host pumping 90Mbits one way into the link.  My load should be 90Mbits/sec plus whatever else is going in/out the link.

Maybe this is a problem with me using flowdata, but I have other ntop probes that sit "in-line" on the links they analyze and they are not accurate either.

Maybe I'm just not interpreting the graphs properly and maybe there's something I can do to help figure this out???

Thank you --Greg Redder
                Network Analyst
                Colorado State University

-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Gary Gatten
Sent: Wednesday, February 27, 2008 2:42 PM
To: ntop at unipi.it
Subject: Re: [Ntop] total traffic understanding - chart and table Discrepancies

I am now noticing a very similar instance to yours in "Global Protocol Distribution".  I have 88.7% TCP, 3.1% UDP 0% ICMP.  These percentages are accurate given the values:  Total IP is 9.6GB; TCP is 8.5GB; UDP is 303.3MB, ICMP is 1.3MB.  So, there's about 800MB worth of "other" data that's not accounted for which would also equal the missing 8%.



-----Original Message-----
From: Gary Gatten
Sent: Wednesday, February 27, 2008 3:14 PM
To: 'ntop at unipi.it'
Subject: RE: [Ntop] total traffic understanding - chart and table Discrepancies

Unfortunately I can't answer your specific question.  I'd say rounding error, but your values are too far apart for that.

I have some similar type issues as well.  For example, the rrd data available with historical views isn't even close to the real-time and more accurate data.  Also, some of the counters within rrd contradict themselves.

My Summary Traffic says I have 99.9% unicast in the table, but the pie chart color tells me I have 99.9% MULTICAST.

There are a number of other anomalies that I can't recall right now.  I haven't spent as much time in the nTop GUI lately.

I wish I could remember all the issues more accurately.  I guess if it starts bothering me I'll set up a QA instance where I generate known volumes of traffic to predetermined hosts and make sure it's accounted for correctly.  Until then I'm not sure what to do...

Gary


-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Fernando Yamada
Sent: Wednesday, February 27, 2008 8:13 AM
To: ntop at unipi.it
Subject: [Ntop] total traffic understanding

Hello,

I'm having difficulties trying to understand total traffic sums on ntop.

For example, in "Global protocol distribution" I have a total of 2.4 GB (99.9%) of IP traffic. Inside this IP traffic I have 2.1 GB (87.8%) of TCP, 80.7 MB (3.3%) and ICMP/IGMP/Other IP, accounting for 0% each.
Why doesn't the sum match? 87.8% + 3.3% does not equal 99.9%

Also, on traffic directions -> Remote to Local IP, the Total Traffic does not match any other total.

I've searched the documentation about these issues with no success. If anyone can explain this to me or point me to something to read about it, I'd appreciate it.

Thanks in advance and regards,
--
Fernando Yamada
Via IP Soluções para Internet Ltda
+55 48 2106-6161
e-mail: suporte2 at viaip.com.br
MSN: suporte2 at viaip.com.br
Skype: suporte2viaip
_______________________________________________
Ntop mailing list
Ntop at unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop





-------------- next part --------------
A non-text attachment was scrubbed...
Name: cricket.png
Type: image/png
Size: 32312 bytes
Desc: cricket.png
Url : http://listgateway.unipi.it/pipermail/ntop/attachments/20080227/8e643057/attachment-0002.png 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntop.png
Type: image/png
Size: 3878 bytes
Desc: ntop.png
Url : http://listgateway.unipi.it/pipermail/ntop/attachments/20080227/8e643057/attachment-0003.png 

