ntopng displays more traffic than it actually is.

[Tamahome-M]

Ntopng avg. 5.5 Gbit/s Zabbix MAX 3 Gbit/s (So much traffic really) Why does Ntopng display more? (ntopng Community Edition v.4.0.200518)

[simonemainardi]

Please, report the ntopng configuration used and also nProbe configuration - if ntopng is used in combination with nProbe.

Also post a screenshot of the interface stats page, home tab.

[Tamahome-M]

The configuration is as follows: User traffic is served from 2 nodes of the network (incoming can be on one interface and outgoing on another)

-i enp3s0 -i enp3s0d1 -i view:enp3s0,enp3s0d1 --max-num-flows 9999999 --max-num-hosts 9999999 --disable-autologout --local-networks 85.193.64.0/22,185.100.101.0/24,194.147.48.0/22 -d /var/lib/ntopng -p /var/lib/ntopng/proto.txt --dns-mode 3

[simonemainardi]

Please, remove the view, just leave -i enp3s0 as ntopng interface and report. Also tell how the traffic is fed to either ntopng and zabbix. Are they running on the same machine?

Post also a screenshot of this page for enp3s0:

[Tamahome-M]

Zabbix runs on another machine. Zabbix get traffic info from snmp server. This is also confirmed by meters on network equipment.

I launched as you said, the problem is still observed. The real value of traffic is not more than 2.9Gbit/s

[simonemainardi]

Please, install pfring-dkms, your interface family must become PF_RING. Then report the behavior.

[simonemainardi]

please also report the output of ntopng --version

[Tamahome-M]

ntopng Community Edition v.4.0.200518, from Gentoo Portage

Now I compiled from git to support PF_RING v.4.1.200520 [Community build] Now everything seems to be true, but the drops of 17% (driver: mlx4_en)

[simonemainardi]

@cardigliano I think this is the bug you've solved. It hasn't been picked up by the gentoo folks. What do you think?

[cardigliano]

Yes it's likely the gentoo source does not contain the fix, if compiling from github fixed this I would close the issue.

[simonemainardi]

ok. @Tamahome-M are you able to get in touch with the gentoo package maintainer ad suggest him to update the sources?

[simonemainardi]

please, also report if the drops you are seeing only occur during startup or if they keep growing

[Tamahome-M]

I will report the problem in gentoo. Drops are present, the reasons are not yet understood..

2x Intel(R) Xeon(R) CPU E5-2697A Ethernet controller: Mellanox Technologies MT27520 Family [ConnectX-3 Pro]

The challenge now is to show the management of the company how it works before buying ntopng Enterprise M + PF_RING ZC for intel.

[cardigliano]

@Tamahome-M what is the traffic rate you are able to process? Could you compare it with the performance of pfcount on the same interface? Please note there is no ZC driver for Mellanox atm, the only option you have to accelerate it is to use XDP (https://www.ntop.org/guides/pf_ring/modules/af_xdp.html) however this is experiemental.

[Tamahome-M]

I found out that I have a problem with mirroring traffic, now there really is so much of it.

Two "pfcount" in parallel

# ./pfcount -i enp3s0
Using PF_RING v.7.7.0
# Device RX channels: 16
....
=========================
Absolute Stats: [59'566'926 pkts total][0 pkts dropped][0.0% dropped]
[59'566'926 pkts rcvd][43'088'641'702 bytes rcvd][513'477.88 pkt/sec][2'971.45 Mbit/sec]
=========================
Actual Stats: [507'919 pkts rcvd][1'000.04 ms][507'893.60 pps][2.98 Gbps]
=========================

# ./pfcount -i enp3s0d1
Using PF_RING v.7.7.0
# Device RX channels: 16
....
Absolute Stats: [19'910'528 pkts total][0 pkts dropped][0.0% dropped]
[19'910'528 pkts rcvd][14'685'389'274 bytes rcvd][510'494.99 pkt/sec][3'012.20 Mbit/sec]
=========================
Actual Stats: [509'749 pkts rcvd][1'000.05 ms][509'723.00 pps][2.94 Gbps]
=========================

I will find out where the traffic from the switch was lost. Thank you so much.