ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Network traffic capture analyze #1614

Closed ucakmakci closed 6 years ago

ucakmakci commented 6 years ago

Hello,

We have a problem with monitoring network traffic. It is possible that we couldn't configure it properly, but maybe you can help.

You can find below the network chart; it says 568Mbit traffic at the top. Frankly, its bandwidth is 8mbits.

[image]

And the picture here is the analysis of that traffic, at least we assume that. It says 63gb, 9gb, 3gb etc. But the chart says 500+ Mbit; we couldn't understand the connection between these two pictures. Also we couldn't understand why the senders and receivers have the same traffic. This looks like we did something wrong and couldn't figure it out. Maybe you can help.

[image]

Our main purpose here is to capture the traffic on a certain network, analyze its traffic and troubleshoot.

emanuele-f commented 6 years ago

Hi, please post your ntopng (and nprobe?) configuration

ucakmakci commented 6 years ago

Hi,

Here is my config. We only gather flow data.

```
--interface=tcp://10.20.30.201:5556,tcp://10.20.30.201:5557
--pid-path=/var/tmp/ntopng.pid
--daemon
--interface=ens160
--http-port=3000
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--enable-flow-activity
--max-num-flows=1310720
--disable-login
--community
--local-networks="10.249.23.0/24,10.249.23.0/24,
```

emanuele-f commented 6 years ago

The local-networks option contains a typo, it should be --local-networks="10.249.23.0/24,10.249.23.0/24"

Moreover, you are capturing from a local interface "ens160", not only the flow data.

What's your nprobe configuration?

ucakmakci commented 6 years ago

It's a typing mistake. Sorry, I have 2 servers: an ntop server and an nprobe server. nprobe ports 6343 and 9999 gather flow data and send it to ntopng.

My ntopng.conf file

```
--interface=tcp://10.20.30.201:5556,tcp://10.20.30.201:5557
--pid-path=/var/tmp/ntopng.pid
--daemon
--interface=ens160
--http-port=3000
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--enable-flow-activity
--max-num-flows=1310720
--disable-login
--community
--local-networks="10.249.23.0/24,10.249.24.0/24, ###many local network (more than 100)
```

My nprobe.conf file

cat /etc/nprobe/nprobe-none_1.conf

```
-g=/var/tmp/nprobe-none_1.pid
--zmq="tcp://*:5556"
--collector-port=6343
-n=none
# Probe Mode
# -i=ens192
# sFlow/NetFlow collector mode
-i=none
```

cat /etc/nprobe/nprobe-none_2.conf

```
-g=/var/tmp/nprobe-none_2.pid
--zmq="tcp://*:5557"
--collector-port=9999
-n=none
# Probe Mode
# -i=ens192
# sFlow/NetFlow collector mode
-i=none
```

This setting is valid. I'm not sure exactly. [image]

Last log trace: [image]

journalctl -u ntopng

```
-- Logs begin at Fri 2017-12-22 17:40:15 +03, end at Sat 2017-12-23 00:30:01 +03. --
Dec 22 17:42:14 ntopng systemd[1]: Starting ntopng high-speed web-based traffic monitoring and analysis tool...
Dec 22 17:42:14 ntopng systemd[1]: Started ntopng high-speed web-based traffic monitoring and analysis tool.
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [Prefs.cpp:951] Localhost HTTP user login disabled
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [Ntop.cpp:1485] Setting local networks to 10.73.231.0/24,10.73.232.0/24,10.73.233.0/24,10.73.234.0/24,10.2
Dec 22 17:42:14 ntopng ntopng[1575]: [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored 10.158.245.0/24
Dec 22 17:42:14 ntopng ntopng[1575]: .0/24,10.158.121.0/24,10.158.122.0/24,10.158.123.0/24,10.158.124.0/24,10.158.125.0/24,10.158.126.0/24,10.158.127.0/24,10.158.128.0/
Dec 22 17:42:14 ntopng ntopng[1575]: [NtopPro.cpp:300] WARNING: [LICENSE] Invalid or missing license
Dec 22 17:42:14 ntopng ntopng[1575]: .0/24,10.158.249.0/24,10.158.250.0/24,10.158
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored 10.158.245.0/24
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [Redis.cpp:111] Successfully connected to redis 127.0.0.1:6379@0
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [Redis.cpp:111] Successfully connected to redis 127.0.0.1:6379@0
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [NtopPro.cpp:221] [LICENSE] Reading license from Redis
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [NtopPro.cpp:300] WARNING: [LICENSE] Invalid or missing license
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [NtopPro.cpp:317] WARNING: [LICENSE] ntopng will now run in enterprise edition for 10 minutes
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [NtopPro.cpp:319] WARNING: [LICENSE] before returning to community mode
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [NtopPro.cpp:321] WARNING: [LICENSE] You can buy a permanent license at http://shop.ntop.org
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [NtopPro.cpp:323] WARNING: [LICENSE] or run ntopng in community mode starting
Dec 22 17:42:14 ntopng ntopng[1575]: 22/Dec/2017 17:42:14 [NtopPro.cpp:324] WARNING: [LICENSE] ntopng --community
Dec 22 17:42:14 ntopng ntopng[1575]: [NtopPro.cpp:317] WARNING: [LICENSE] ntopng will now run in enterprise edition for 10 minutes
Dec 22 17:42:14 ntopng ntopng[1575]: [NtopPro.cpp:319] WARNING: [LICENSE] before returning to community mode
Dec 22 17:42:14 ntopng ntopng[1575]: [NtopPro.cpp:321] WARNING: [LICENSE] You can buy a permanent license at http://shop.ntop.org
Dec 22 17:42:14 ntopng ntopng[1575]: [NtopPro.cpp:323] WARNING: [LICENSE] or run ntopng in community mode starting
Dec 22 17:42:14 ntopng ntopng[1575]: [NtopPro.cpp:324] WARNING: [LICENSE] ntopng --community
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [PF_RINGInterface.cpp:53] Reading packets from PF_RING v.7.1.0 interface ens160...
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [NetworkInterface.cpp:395] ERROR: Unknown aggregation value for interface PF_RING [rsp: ingress_iface_idx]
Dec 22 17:42:17 ntopng ntopng[1575]: [NetworkInterface.cpp:395] ERROR: Unknown aggregation value for interface PF_RING [rsp: ingress_iface_idx]
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:1612] Registered interface ens160 [id: 1]
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [id: 5]
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [main.cpp:301] PID stored in file /var/run/ntopng.pid
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [HTTPserver.cpp:841] Please read https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [HTTPserver.cpp:891] HTTP logs will be stored on /var/tmp/ntopng/ntopng_access.log
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Utils.cpp:457] User changed to nobody
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [HTTPserver.cpp:912] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [HTTPserver.cpp:915] HTTP server listening on port(s) 3000
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [main.cpp:383] Working directory: /var/tmp/ntopng
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [main.cpp:385] Scripts/HTML pages directory: /usr/share/ntopng
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:385] Welcome to ntopng x86_64 v.3.3.171205 - (C) 1998-17 ntop.org
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:395] Built on CentOS Linux release 7.4.1708 (Core)
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [NtopPro.cpp:464] [LICENSE] System Id: xxxxxxxxxxxxxxxxxxxx
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [NtopPro.cpp:465] [LICENSE] Edition: Enterprise
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [NtopPro.cpp:466] [LICENSE] License Type: Demo License
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [NtopPro.cpp:475] [LICENSE] Validity: Until Fri Dec 22 17:52:14 2017
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:677] Adding 10.20.30.200/32 as IPv4 interface address for ens160
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:685] Adding 10.20.30.0/24 as IPv4 local network for ens160
Dec 22 17:42:17 ntopng ntopng[1575]: [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored 10.20.30.0/24
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored 10.20.30.0/24
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:704] Adding fe80::ed25:4439:b08c:73f7/128 as IPv6 interface address for ens160
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [Ntop.cpp:713] Adding fe80::ed25:4439:b08c:73f7/64 as IPv6 local network for ens160
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored fe80::ed25:4439:b08c:73f7/64
Dec 22 17:42:17 ntopng ntopng[1575]: [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored fe80::ed25:4439:b08c:73f7/64
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [PeriodicActivities.cpp:59] Started periodic activities loop...
Dec 22 17:42:18 ntopng ntopng[1575]: 22/Dec/2017 17:42:18 [PeriodicActivities.cpp:100] Each periodic activity script will use 2 threads
Dec 22 17:42:17 ntopng ntopng[1575]: 22/Dec/2017 17:42:17 [PeriodicActivities.cpp:59] Started periodic activities loop...
Dec 22 17:42:18 ntopng ntopng[1575]: 22/Dec/2017 17:42:18 [PeriodicActivities.cpp:100] Each periodic activity script will use 2 threads
Dec 22 17:42:18 ntopng ntopng[1575]: 22/Dec/2017 17:42:18 [NetworkInterface.cpp:2326] Started packet polling on interface ens160 [id: 1]...
Dec 22 17:42:18 ntopng ntopng[1575]: 22/Dec/2017 17:42:18 [NetworkInterface.cpp:2326] Started packet polling on interface tcp://10.20.30.201:5556,tcp://10.20.30.201:555
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [CollectorInterface.cpp:122] Collecting flows on tcp://10.20.30.201:5556,tcp://10.20.30.201:5557
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 625] [id: 10]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 623] [id: 24]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 695] [id: 35]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 1121] [id: 6]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 596] [id: 8]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 555] [id: 13]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 729] [id: 23]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 701] [id: 74]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 0] [id: 31]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 1094] [id: 32]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 624] [id: 25]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 594] [id: 47]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 616] [id: 17]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 518] [id: 40]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 512] [id: 9]
Dec 22 17:42:19 ntopng ntopng[1575]: 22/Dec/2017 17:42:19 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 509] [id: 20]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 532] [id: 14]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 516] [id: 37]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 513] [id: 36]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 511] [id: 18]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 621] [id: 45]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 515] [id: 15]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 510] [id: 16]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 529] [id: 62]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 517] [id: 27]
Dec 22 17:42:20 ntopng ntopng[1575]: 22/Dec/2017 17:42:20 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 514] [id: 39]
Dec 22 17:42:21 ntopng ntopng[1575]: 22/Dec/2017 17:42:21 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 534] [id: 38]
Dec 22 17:42:21 ntopng ntopng[1575]: 22/Dec/2017 17:42:21 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 530] [id: 11]
Dec 22 17:42:21 ntopng ntopng[1575]: 22/Dec/2017 17:42:21 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 519] [id: 7]
Dec 22 17:42:21 ntopng ntopng[1575]: 22/Dec/2017 17:42:21 [Ntop.cpp:1612] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [If Idx: 501] [id: 26]
Dec 22 17:42:21 ntopng ntopng[1575]: 22/Dec/2017 17:42:21 [Ntop.cpp:1619] ERROR: Too many interfaces defined
Dec 22 17:42:21 ntopng ntopng[1575]: [Ntop.cpp:1619] ERROR: Too many interfaces defined
Dec 22 17:42:21 ntopng ntopng[1575]: 22/Dec/2017 17:42:21 [NetworkInterface.cpp:1204] WARNING: A flow has been seen from multiple exporters or from multiple IN/OUT inte
Dec 22 17:42:21 ntopng ntopng[1575]: [NetworkInterface.cpp:1204] WARNING: A flow has been seen from multiple exporters or from multiple IN/OUT interfaces. Check exporte
Dec 22 17:45:10 ntopng ntopng[1575]: 22/Dec/2017 17:45:10 [Lua.cpp:6356] Cannot dump 10.158.212.6 SNMP device statistics: no time left
Dec 22 17:50:10 ntopng ntopng[1575]: 22/Dec/2017 17:50:10 [Lua.cpp:6356] Cannot dump 10.158.212.6 SNMP device statistics: no time left
Dec 22 19:54:58 ntopng ntopng[1575]: 22/Dec/2017 19:54:58 [ParserInterface.cpp:604] WARNING: Invalid message received: your nProbe sender is outdated, data encrypted, i
Dec 22 19:54:58 ntopng ntopng[1575]: [ParserInterface.cpp:604] WARNING: Invalid message received: your nProbe sender is outdated, data encrypted, invalid JSON, or oom?
Dec 22 19:54:58 ntopng ntopng[1575]: 22/Dec/2017 19:54:58 [ParserInterface.cpp:607] WARNING: JSON Parse error [unexpected end of data] payload size: 447 payload: { "ifa
Dec 22 19:54:58 ntopng ntopng[1575]: [ParserInterface.cpp:607] WARNING: JSON Parse error [unexpected end of data] payload size: 447 payload: { "iface": { "name": "none"
```

ucakmakci commented 6 years ago

Can you help me?

emanuele-f commented 6 years ago

Hi, there are many errors in the log:

> JSON Parse error [unexpected end of data] payload size: 447 payload: { "ifa

Please update to the latest ntopng and nprobe version on both your servers.

> ERROR: Too many interfaces defined

You are disaggregating based on the NetFlow ingress interface. ntopng will create a virtual interface for each NetFlow ingress interface, but you have too many. Do you really need this?

> ERROR: Too many networks defined (255): ignored fe80::ed25:4439:b08c:73f7/64

You have too many local networks. Do you really need a per-network view of every single network? If so, please consider running two separate ntopng instances.

> WARNING: [LICENSE] ntopng will now run in enterprise edition for 10 minutes

If you don't need the ntopng pro features (which require a licence) you can add --community to your ntopng options.

Do you really need to capture flows from your system interface ens160? You say that you have an 8mbit bandwidth; is this your internet speed? If so, are you capturing flows at the internet bounds of your network?

ucakmakci commented 6 years ago

Hello, first thank you for your help.

> Please update to the latest ntopng and nprobe version on both your servers.

We updated ntopng to 3.3.171226-3774.x86_64 and the errors are gone.

> You are disaggregating based on the NetFlow ingress interface. ntopng will create a virtual interface for each NetFlow ingress interface, but you have too many. Do you really need this?

We set disaggregation to none, but we don't actually know the difference. We can't decide which one to choose.

> You have too many local networks. Do you really need a per-network view of every single network? If so, please consider running two separate ntopng instances.

The reason for this is that we want to monitor the network throughput and traffic of all the branches we have. Is there any other way or best practice to monitor throughput and traffic?

> If you don't need the ntopng pro features (which require a licence) you can add --community to your ntopng options.

We added the --community parameter.

> Do you really need to capture flows from your system interface ens160? You say that you have an 8mbit bandwidth; is this your internet speed? If so, are you capturing flows at the internet bounds of your network?

We removed ens160 and it is now 8mbit, but sometimes it peaks to abnormal numbers; we are not sure if it is okay.

One of our main concerns is about top senders and receivers. They are exactly the same as each other and don't give any info about the graph on the left. It even gives the same data on every branch graph too. [image]

The last log of this command is below. __journalctl -u ntopng__

```
Dec 26 14:53:45 ntopng systemd[1]: Stopping ntopng high-speed web-based traffic monitoring and analysis tool...
Dec 26 14:53:45 ntopng ntopng[11197]: 26/Dec/2017 14:53:45 [main.cpp:46] Shutting down...
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [ProtoStats.cpp:35] [IPv4] 622.86 GB/1063.55 M Packets
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [ProtoStats.cpp:35] [IPv6] 0 B/0.00 Packets
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [ProtoStats.cpp:35] [ARP] 0 B/0.00 Packets
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [ProtoStats.cpp:35] [MPLS] 0 B/0.00 Packets
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [ProtoStats.cpp:35] [Other] 0 B/0.00 Packets
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [Ntop.cpp:1660] Interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [running: 0]
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [main.cpp:65] Deleted PID /var/run/ntopng.pid: [rc: -1][Permission denied]
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [HTTPserver.cpp:929] HTTP server terminated
Dec 26 14:53:47 ntopng ntopng[11197]: 26/Dec/2017 14:53:47 [NetworkInterface.cpp:616] Flushing host contacts for interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557
Dec 26 14:53:49 ntopng ntopng[11197]: 26/Dec/2017 14:53:49 [NetworkInterface.cpp:2353] Cleanup interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557
Dec 26 14:53:59 ntopng ntopng[11197]: 26/Dec/2017 14:53:59 [AddressResolution.cpp:61] Address resolution stats [1037 resolved][690 failures]
Dec 26 14:53:59 ntopng systemd[1]: Starting ntopng high-speed web-based traffic monitoring and analysis tool...
Dec 26 14:53:59 ntopng systemd[1]: Started ntopng high-speed web-based traffic monitoring and analysis tool.
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Prefs.cpp:960] Localhost HTTP user login disabled
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Ntop.cpp:1486] Setting local networks to 10.199.231.0/24,10.199.232.0/24,10.199.233.0/24,10.199.234.0/24,10.199.235.0/24,10.199.236.0/24,10.199.237.0/24,10.199.237.0/24,10.199.2
Dec 26 14:53:59 ntopng ntopng[11271]: [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored 10.187.245.0/24
Dec 26 14:53:59 ntopng ntopng[11271]: .0/24,10.187.121.0/24,10.187.122.0/24,10.187.123.0/24,10.187.124.0/24,10.187.125.0/24,10.187.126.0/24,10.187.127.0/24,10.187.128.0/24,10.187.129.0/24,10.187.130.0/24,10.187.131.0/24,10.187.132.0/24,1
Dec 26 14:53:59 ntopng ntopng[11271]: .0/24,10.187.249.0/24,10.187.250.0/24,10.187
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [AddressList.cpp:37] ERROR: Too many networks defined (255): ignored 10.187.245.0/24
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Redis.cpp:115] Successfully connected to redis 127.0.0.1:6379@0
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Redis.cpp:115] Successfully connected to redis 127.0.0.1:6379@0
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Ntop.cpp:1613] Registered interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [id: 5]
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [main.cpp:301] PID stored in file /var/run/ntopng.pid
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [HTTPserver.cpp:841] Please read https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable SSL.
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [HTTPserver.cpp:891] HTTP logs will be stored on /var/tmp/ntopng/ntopng_access.log
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Utils.cpp:469] User changed to nobody
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [HTTPserver.cpp:912] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [HTTPserver.cpp:915] HTTP server listening on port(s) 3000
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [main.cpp:383] Working directory: /var/tmp/ntopng
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [main.cpp:385] Scripts/HTML pages directory: /usr/share/ntopng
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Ntop.cpp:385] Welcome to ntopng x86_64 v.3.3.171226 - (C) 1998-17 ntop.org
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [Ntop.cpp:395] Built on CentOS Linux release 7.4.1708 (Core)
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [PeriodicActivities.cpp:59] Started periodic activities loop...
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [PeriodicActivities.cpp:104] Each periodic activity script will use 2 threads
Dec 26 14:53:59 ntopng ntopng[11271]: 26/Dec/2017 14:53:59 [NetworkInterface.cpp:2326] Started packet polling on interface tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 [id: 5]...
Dec 26 14:54:00 ntopng ntopng[11271]: 26/Dec/2017 14:54:00 [CollectorInterface.cpp:122] Collecting flows on tcp://10.20.30.201:5556,tcp://10.20.30.201:5557
Dec 26 14:54:00 ntopng ntopng[11271]: 26/Dec/2017 14:54:00 [NetworkInterface.cpp:1204] WARNING: A flow has been seen from multiple exporters or from multiple IN/OUT interfaces. Check exporters configuration.
Dec 26 14:54:00 ntopng ntopng[11271]: [NetworkInterface.cpp:1204] WARNING: A flow has been seen from multiple exporters or from multiple IN/OUT interfaces. Check exporters configuration.
```

emanuele-f commented 6 years ago

> We set disaggregation to none, but we don't actually know the difference. We can't decide which one to choose.

None is the correct option if you don't need per-remote-interface detail of the traffic.

> The reason for this is that we want to monitor the network throughput and traffic of all the branches we have. Is there any other way or best practice to monitor throughput and traffic?

You can define a more general network, e.g. --local-networks="10.249.0.0/16", to include many of your actual networks. ntopng will see those networks as a whole.

> We removed ens160 and it is now 8mbit, but sometimes it peaks to abnormal numbers; we are not sure if it is okay.

The accuracy of the graph may depend on your NetFlow exporter settings. Maybe the exporter is caching flows before exporting them to nprobe, so you get a bunch of flows all at once on ntopng. @simonemainardi what do you think about this?

> One of our main concerns is about top senders and receivers. They are exactly the same as each other and don't give any info about the graph on the left. It even gives the same data on every branch graph too.

If you go into the flows view, do you get a proper client/server breakdown on the flows, or are the flows all client-only / all server-only traffic? If you select other ntopng interfaces (from the interfaces menu) and look at the charts, can you see a chart where the interface traffic corresponds to the top talker values?

ucakmakci commented 6 years ago

> None is the correct option if you don't need per-remote-interface detail of the traffic.

So we changed it to None, but we don't really understand what "detail of the traffic" means.

> You can define a more general network, e.g. --local-networks="10.249.0.0/16", to include many of your actual networks. ntopng will see those networks as a whole.

We made this change, but we realized that it is much more general than we needed. We have a somewhat more distributed network. The networks we gave were each for a single branch. We want to monitor these branches' networks in detail, not all branches at once. After we made this change we can't monitor a single branch network; we only monitor all branches as a single network. For example, think of 10.249.0.0/16 as the network of all our branches and "10.249.1.0/24" as one of our branches. We want to monitor the latter as a group. Is it possible with the current config we just did, or should we revert back?

> The accuracy of the graph may depend on your NetFlow exporter settings. Maybe the exporter is caching flows before exporting them to nprobe, so you get a bunch of flows all at once on ntopng. @simonemainardi what do you think about this?

Is there anything we can do/check about it?

> If you go into the flows view, do you get a proper client/server breakdown on the flows, or are the flows all client-only / all server-only traffic?

We see the breakdowns like this. There are only client / server and both versions of them. [image]

> If you select other ntopng interfaces (from the interfaces menu) and look at the charts, can you see a chart where the interface traffic corresponds to the top talker values?

We have only 1 ntopng interface there, and when we go to the chart, the top talkers and the chart data correspond to each other. But senders and receivers still look the same.

[image]

emanuele-f commented 6 years ago

> So we changed it to None, but we don't really understand what "detail of the traffic" means.

When "Ingress Interface" is selected, ntopng will create as many virtual interfaces as your NetFlow switch has interfaces. This would allow you to see/graph data on a per-switch-interface basis. In your case you have too many ports, so you can't enable this.

> For example, think of 10.249.0.0/16 as the network of all our branches and "10.249.1.0/24" as one of our branches.

You can actually use -m "10.249.0.0/16,10.249.1.0/24" in ntopng. The rule is that the most specific match wins, so in this case host 10.249.1.1 will go into 10.249.1.0/24 while host 10.249.10.23 will go into 10.249.0.0/16. You have to make a compromise between network detail and number of networks.

> Is there anything we can do/check about it?

You can check your switch export timeouts.

> We have only 1 ntopng interface there, and when we go to the chart, the top talkers and the chart data correspond to each other. But senders and receivers still look the same.

That was a bug. I've just committed a fix 2e42c0216b15815d7a6ba2484faddcb68c0d61b8 . A new package will be available in one hour. Thank you!

Please also remove the --interface=tcp://10.20.30.201:5556,tcp://10.20.30.201:5557 from the config and replace it with these:

```
--interface="tcp://10.20.30.201:5556"
--interface="tcp://10.20.30.201:5557"
```

If you want to aggregate the two views together, add another config line with:

```
--interface="view:tcp://10.20.30.201:5556,tcp://10.20.30.201:5557"
```
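
The export-timeout effect discussed in this thread (an exporter caching flows and delivering them to the collector in a batch, and the "check your switch export timeouts" advice) can be reproduced with a small model. The following is an added example and is not ntopng or nProbe code, nor anything posted in this issue: it assumes, as a simplification, that an exporter emits one record per active-timeout interval of a long-lived flow, and compares a collector that credits each record's bytes to the second the record was exported with one that spreads them over the record's first/last-seen interval. The flow records and the 1 MB/s transfer are constructed sample data; the function names are the example's own.

```python
"""Added example (not ntopng/nProbe code, not from this thread): why a flow
collector's throughput chart can show spikes far above the real line rate when
the exporter batches flow records.

Model (an assumption of this example): a NetFlow/sFlow exporter reports a
long-lived flow only when its active timeout expires, so one record carries
everything transferred since the previous record. A collector that credits a
record's bytes to the second in which the record arrives draws a spike; one
that spreads the bytes over the record's first/last-seen interval recovers the
real rate. All flow records here are constructed sample data.
"""
from collections import defaultdict


def make_steady_flows(rate_bytes_s, duration_s, active_timeout_s):
    """Constructed records for one steady transfer, exported every active_timeout_s seconds."""
    records = []
    for start in range(0, duration_s, active_timeout_s):
        end = min(start + active_timeout_s, duration_s)
        records.append({"first": start, "last": end,
                        "bytes": rate_bytes_s * (end - start)})
    return records


def bins_at_export_time(records, bin_s=1):
    """Credit every record's bytes to the bin in which it was exported (its last-seen second)."""
    bins = defaultdict(int)
    for rec in records:
        bins[rec["last"] // bin_s] += rec["bytes"]
    return dict(bins)


def bins_spread(records, bin_s=1):
    """Spread each record's bytes evenly over [first, last), bin by bin."""
    bins = defaultdict(float)
    for rec in records:
        duration = max(rec["last"] - rec["first"], 1)
        per_second = rec["bytes"] / duration
        for t in range(rec["first"], rec["last"], bin_s):
            bins[t // bin_s] += per_second * bin_s
    return dict(bins)


def peak_mbit_s(bins, bin_s=1):
    """Highest per-bin byte count converted to Mbit/s."""
    return max(bins.values()) * 8 / bin_s / 1e6


if __name__ == "__main__":
    # 1 MB/s for five minutes: a real rate of 8 Mbit/s.
    flows = make_steady_flows(1_000_000, 300, active_timeout_s=60)
    print("credited at export time:", peak_mbit_s(bins_at_export_time(flows)), "Mbit/s peak")
    print("spread over flow lifetime:", peak_mbit_s(bins_spread(flows)), "Mbit/s peak")
    # A shorter active timeout on the exporter shrinks the spike.
    flows5 = make_steady_flows(1_000_000, 300, active_timeout_s=5)
    print("export every 5 s, credited at export time:",
          peak_mbit_s(bins_at_export_time(flows5)), "Mbit/s peak")
```

With a 60 s active timeout the export-time view peaks at 480 Mbit/s for a transfer that never exceeds 8 Mbit/s; the total byte count is identical in both views, only its placement in time differs. Lowering the exporter's active timeout (5 s in the last call) shrinks the spike, which is the knob emanuele-f points at when he says to check the switch export timeouts.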

ucakmakci commented 6 years ago

Happy new year @emanuele-f ,

We made changes according to your suggestions and they worked really well on the interfaces tab, but there are some issues on the networks chart and top talkers.

  1. The top talkers are not for the network we are looking at. They are for interface traffic. Can this be a bug too?

[image]

  2. We have a lot of network branches as you see and we want to set an alert threshold for all of them. Is there any way that we can do it in a more general way instead of doing it one by one?

> You can actually use -m "10.249.0.0/16,10.249.1.0/24" in ntopng. The rule is that the most specific match wins, so in this case host 10.249.1.1 will go into 10.249.1.0/24 while host 10.249.10.23 will go into 10.249.0.0/16. You have to make a compromise between network detail and number of networks.

We did it like this. Only the first 212 are shown. We have more than this, like 500+. Is there any solution for this?

> You have too many local networks. Do you really need a per-network view of every single network? If so, please consider running two separate ntopng instances.

You said this before. We actually need to see every single network, but we couldn't manage to do this or understand it; can you explain what you mean by separate instances?

emanuele-f commented 6 years ago

Hi, thank you! Happy new year for you too!

> The top talkers are not for the network we are looking at. They are for interface traffic. Can this be a bug too?

Yes, we currently calculate/show top talkers only on a per-interface basis. With the pro version of ntopng we provide a historical explorer which integrates with MySQL/Elasticsearch to provide a more detailed view (e.g. for top talkers). Please check out our demo version for more information.

> We have a lot of network branches as you see and we want to set an alert threshold for all of them. Is there any way that we can do it in a more general way instead of doing it one by one?

You can set the "Local Networks Common Thresholds" in any of your networks' alert preferences; it applies to all your local networks.

> We did it like this. Only the first 212 are shown. We have more than this, like 500+. Is there any solution for this?

Please note that ntopng only shows active networks. If a network does not have traffic for a while it will be hidden. Anyway, the maximum number of active local networks is currently fixed to 255.

> You said this before. We actually need to see every single network, but we couldn't manage to do this or understand it; can you explain what you mean by separate instances?

Please note that this will only be effective as long as your two nprobes have separated network traffic, e.g. only the first nprobe sees network "10.0.0.0/24" but not the second probe. A drawback is that you will need to open two web pages to get a view of all the traffic.

In order to do this, you will need to create a secondary ntopng systemd service file and a secondary ntopng.conf file. The process may be a little complicated if you are not familiar with systemd/linux. An example with command line options:

```
ntopng -i "tcp://10.20.30.201:5556" -r 1 -m "your_first_nprobe_local_networks_here" -d "/var/tmp/ntopng1" -w 3000

ntopng -i "tcp://10.20.30.201:5557" -r 2 -m "your_second_nprobe_local_networks_here" -d "/var/tmp/ntopng2" -w 3001
```

In this way you will have two ntopng instances running, one on port 3000 and the other on port 3001.
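
The local-networks problems that run through this thread (the trailing-comma typo, duplicated entries, the "Too many networks defined (255)" errors) and the two pieces of advice emanuele-f gives about them (the most-specific-match rule for `-m "10.249.0.0/16,10.249.1.0/24"`, and the compromise of defining a more general network) can all be checked before restarting ntopng. The script below is an added example, not ntopng code and not posted in this issue: it assumes the 255 figure quoted in the log lines as the cap, and its parser, longest-prefix lookup and `coalesce` helper are the example's own, not ntopng's implementation.

```python
"""Added example (not ntopng code, not from this thread): check a
--local-networks value for the problems seen in this issue and show how
"most specific match wins" assigns a host to a network.

Assumption: MAX_LOCAL_NETWORKS mirrors the number quoted in the thread's log
("Too many networks defined (255)"); ntopng's real limit may differ by version.
"""
import ipaddress

MAX_LOCAL_NETWORKS = 255  # figure quoted in the thread, assumed here


def parse_local_networks(value):
    """Split a comma-separated --local-networks value into unique networks.

    Returns (networks, problems). Empty entries (a trailing comma), duplicates
    and unparsable entries are reported instead of being silently dropped.
    """
    networks, problems = [], []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            problems.append("empty entry (stray or trailing comma)")
            continue
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append(f"not a network: {item!r}")
            continue
        if net in networks:
            problems.append(f"duplicate: {net}")
            continue
        networks.append(net)
    if len(networks) > MAX_LOCAL_NETWORKS:
        problems.append(f"{len(networks)} networks exceed the limit of "
                        f"{MAX_LOCAL_NETWORKS}: the rest would be ignored")
    return networks, problems


def most_specific_network(host, networks):
    """Return the longest-prefix network containing host, or None if the host is remote."""
    addr = ipaddress.ip_address(host)
    best = None
    for net in networks:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best = net
    return best


def coalesce(networks):
    """Merge adjacent/overlapping networks into the fewest supernets, per IP version.

    This is the 'more general network' compromise from the thread: fewer
    entries to stay under the cap, at the price of per-branch detail.
    """
    merged = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        merged.extend(ipaddress.collapse_addresses(same))
    return merged


if __name__ == "__main__":
    # The value from the first config posted in the thread (duplicate + trailing comma).
    nets, problems = parse_local_networks("10.249.23.0/24,10.249.23.0/24,")
    print("parsed:", [str(n) for n in nets], "problems:", problems)

    # The -m example from the thread: most specific match wins.
    nets, _ = parse_local_networks("10.249.0.0/16,10.249.1.0/24")
    for host in ("10.249.1.1", "10.249.10.23", "192.0.2.1"):
        print(host, "->", most_specific_network(host, nets))

    # Coalescing the same list swallows the branch /24 into the /16.
    print("coalesced:", [str(n) for n in coalesce(nets)])
```

Run it against the full list from ntopng.conf and it reports the same conditions the journal shows at startup, before the daemon silently ignores everything past the 255th entry; `coalesce` shows what a broader prefix costs in branch detail, which is the trade-off emanuele-f describes.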

simonemainardi commented 6 years ago

> The accuracy of the graph may depend on your NetFlow exporter settings. Maybe the exporter is caching flows before exporting them to nprobe, so you get a bunch of flows all at once on ntopng. @simonemainardi what do you think about this?

Correct.