I've now got NetFlow data being logged in MySQL via nprobe and ntopng. I'm mostly interested in analysing the inbound traffic from the internet to help me find out why we're going over our ISP's download quota. For example, I'd like to find out which device here downloaded the most from the internet yesterday.
I assumed I must use the Historical Data Explorer, but I can't see any way to filter out all the other flows - ie internal and outgoing. I think I need to look at just the flows where the src ip address is not 192.168.x.y and the dst ip address is 192.168.x.y.
I've defined a Traffic Profile called "Incoming only" as "dst net 192.168 and not src net 192.168", but the only place I can see to use this is to click on Interfaces, then select my interface, then click on the funny little symbol that I think is a doctor with a stethoscope, and then on the chart symbol beside the "Incoming only" profile name. (Can I suggest tool tips for all the symbols so one doesn't have to click on them to find out what they are?)
But then what? I'd like to be able to select a data range that covers, say, yesterday from midnight to midnight, and see which address downloaded the most data. I can choose a one day range, but it will end at the current time. And I can't see how to get a list of top downloaders for that whole day. If I hover over the chart, it shows a list which I think is for that minute only. And it lists senders and receivers - how can there be both if my filter only matches external sources and internal destinations?
If I choose a week for the chart length, it still ends at the current time, and I think it still shows the top senders and receivers for one minute periods. I can't tell for sure which day I've chosen because it only displays times, not dates. (Could I suggest that dates are also shown, or at least a clear vertical line for each midnight?)
Am I looking in the wrong place for the data I want? Or do I need to query the MySQL database myself?
Peter Shute
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
I assumed I must use the Historical Data Explorer, but I can't see any way to filter out all the other flows - ie internal and outgoing. I think I need to look at just the flows where the src ip address is not 192.168.x.y and the dst ip address is 192.168.x.y.
I've defined a Traffic Profile called "Incoming only" as "dst net 192.168 and not src net 192.168", but the only place I can see to use this is to click on Interfaces, then select my interface, then click on the funny little symbol that I think is a doctor with a stethoscope, and then on the chart symbol beside the "Incoming only" profile name. (Can I suggest tool tips for all the symbols so one doesn't have to click on them to find out what they are?)
But then what? I'd like to be able to select a data range that covers, say, yesterday from midnight to midnight, and see which address downloaded the most data. I can choose a one day range, but it will end at the current time. And I can't see how to get a list of top downloaders for that whole day. If I hover over the chart, it shows a list which I think is for that minute only. And it lists senders and receivers - how can there be both if my filter only matches external sources and internal destinations?
If I choose a week for the chart length, it still ends at the current time, and I think it still shows the top senders and receivers for one minute periods. I can't tell for sure which day I've chosen because it only displays times, not dates. (Could I suggest that dates are also shown, or at least a clear vertical line for each midnight?)
Am I looking in the wrong place for the data I want? Or do I need to query the MySQL database myself?
Peter Shute
_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc