ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Dynamic interface disaggregation and IPs that create more network traffic (4.2.201118 (12249) - Enterprise L Edition) #4929

Closed sercopi135 closed 3 years ago

sercopi135 commented 3 years ago

Hi,

we have configured the disaggregation, in detail Custom Disaggregation in par. 5.2 (https://www.ntop.org/guides/ntopng/advanced_features/dynamic_interfaces_disaggregation.html), for a customer site, identified with the IP class to which it belongs.

The aspect that we would like to interpret correctly is this: selecting Top Sender, we would have expected the source IPs belonging to the site, and to identify the source IP that generated the most traffic; instead we find IP classes referring to the Sender which do not correspond to the IP class the site in question belongs to.

Best Regards

simonemainardi commented 3 years ago

Please, explain with an example. Also add the configuration used.

sercopi135 commented 3 years ago

The example is a site identified by the IP class 192.168.11.0/24 and created thanks to disaggregation. I would like to find the source IPs belonging to the IP class, and identify the list of source IPs that generated the most traffic.

From the ntop web GUI, if I select the site from the Interface drop-down menu, then from the menu on the left I select Interface, then I select the graph icon, a new web page appears where I can select the time period I prefer; then, from the drop-down list at the lower left of the graph, I select Top Sender, and the table below shows not only IP addresses belonging to the IP class 192.168.11.0/24.

We would have expected the source IPs belonging to the IP class 192.168.11.0/24 that generated the most traffic; instead we find IP classes referring to the Sender which do not correspond to the class the site in question belongs to. Are we reading the data correctly? Do you have any information that can clarify these aspects?

Here are the configuration files

• nprobe.conf

-i=none -F nindex --collector-port=6363 --zmq=tcp://127.0.0.1:5556 --zmq-probe-mode -n=none -T=@NTOPNG@ -G=/var/run/nprobe.pid

• ntopng.conf

-G=/var/run/ntopng.pid -i=tcp://*:5556c -F nindex -w=3001 -Z=/neteye/ntopng/ntopng -m="contine diverse reti /24" -n=1 -d=/neteye/shared/ntopng/data/ -r=redis.neteyelocal

The machine with the above configuration on board receives NetFlow from the routers present on the network.

Best Regards

simonemainardi commented 3 years ago

So the described behavior is normal.

sercopi135 commented 3 years ago

So, to have the list of source IPs belonging to a certain IP class which generate the most traffic, is there another method? Is it possible to have this data?

simonemainardi commented 3 years ago

This will be possible once per-interface local hosts are implemented: https://github.com/ntop/ntopng/issues/4539

You'll be able to create a disaggregated interface per-class, and then access the top local talkers of that particular interface.

Please, keep an eye on the referenced issue, you will be notified when implemented.
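The difference between the two rankings discussed in this thread, as an added example that is not part of the issue or of ntopng's own code. It assumes that a per-class disaggregated interface receives every flow with either endpoint in the class (so remote hosts replying to the site appear as senders too), and it uses constructed flow records rather than any data from the reporter's site.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src, dst, bytes), standing in for the NetFlow
# exported by the routers. Not data from the issue.
FLOWS = [
    ("192.168.11.10", "8.8.8.8", 1_500),
    ("192.168.11.10", "10.0.0.5", 4_000),
    ("192.168.11.20", "203.0.113.7", 7_000),
    ("203.0.113.7", "192.168.11.20", 90_000),  # remote server replying to the site
    ("10.0.0.5", "192.168.11.10", 2_000),
    ("192.168.12.3", "192.168.13.4", 50_000),  # neither endpoint in the class
]


def disaggregate(flows, prefix):
    """Keep the flows a per-class disaggregated interface would receive.

    Assumed behaviour: a flow belongs to the interface when either endpoint
    lies inside the class, which is why senders outside the class show up.
    """
    net = ip_network(prefix)
    return [f for f in flows
            if ip_address(f[0]) in net or ip_address(f[1]) in net]


def top_senders(flows, n=5, only_prefix=None):
    """Rank source IPs by bytes sent.

    With only_prefix=None this is the 'Top Sender' view the reporter saw
    (every sender on the interface). With only_prefix set to the class it
    is the 'top local talkers' view the maintainer describes.
    """
    net = ip_network(only_prefix) if only_prefix else None
    sent = defaultdict(int)
    for src, _dst, nbytes in flows:
        if net is None or ip_address(src) in net:
            sent[src] += nbytes
    # Sort by bytes descending, then by address for a stable order.
    return sorted(sent.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    site = disaggregate(FLOWS, "192.168.11.0/24")
    print("Top Sender (all):  ", top_senders(site))
    print("Top local senders: ", top_senders(site, only_prefix="192.168.11.0/24"))
```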