Mailing List Archive

Do Trunks multiplicate the seen data
Hello to All,

I recently activated ntopng enterprise and nprobe standard to monitor our
company network.

Our network consists of some locations communicating over an MPLS VPN
network. Ntopng and nprobe are installed on a server in our main location.
Nprobe receives sflow data from the switches of all locations. I
configured a ntopng zmq interface and a nprobe instance for every
location.
This all seems ok so far.

But now I am unsure if we see multiplicated data from one location.
The switch of this location that is sending sflow data is the core
switch. I have several trunks defined in this switch to connect to two
xenservers (3x 1gb trunk per server) and several other floor switches.
We run two Windows Terminal Servers in a farm as VMs on the
xenserver-cluster. The users sit at a thin client or notebook, connected with
1gb/s at maximum.

Ntopng tells me that we would have this traffic via RDP:

Info RDP TCP client:47510 wts-server:3389 29/11/2018 12:57:46 29/11/2018 12:58:31 3.99 GB 3.83 GB 7.81 GB 1.46 Gbit/s
Info RDP TCP client:54547 wts-server:3389 29/11/2018 13:14:52 29/11/2018 13:16:51 3.65 GB 3.89 GB 7.53 GB 539.19 Mbit/s
Info RDP TCP client:54547 wts-server:3389 29/11/2018 13:29:22 29/11/2018 13:31:20 3.51 GB 3.49 GB 7.01 GB 505.81 Mbit/s
Info RDP TCP client:54547 wts-server:3389 29/11/2018 12:38:09 29/11/2018 12:40:06 3.49 GB 3.43 GB 6.92 GB 503.6 Mbit/s

I think there must be something wrong....

Here is the config of the switch:
=====
Port  | Sampling               Dropped | Polling
      | Enabled  Rate  Header  Samples | Enabled  Interval
----- + -------  ----  ------  ------- + -------  --------
1       Yes      256   128     64404     No       0
2       Yes      256   128     83008     No       0
3       Yes      256   128     0         No       0
4       Yes      256   128     0         No       0
8       Yes      256   128     148       No       0
13      Yes      256   128     0         No       0
14      Yes      256   128     0         No       0
15      Yes      256   128     0         No       0
16      Yes      256   128     2         No       0
20      Yes      256   128     133       No       0
21      Yes      256   128     0         No       0
22      Yes      256   128     0         No       0
23      Yes      256   128     0         No       0
24      Yes      256   128     0         No       0
25      Yes      256   128     0         No       0
26      Yes      256   128     0         No       0
27      Yes      256   128     0         No       0
28      Yes      256   128     0         No       0
29      Yes      256   128     0         No       0
30      Yes      256   128     0         No       0
33      Yes      256   128     0         No       0
34      Yes      256   128     21036     No       0
35      Yes      256   128     0         No       0
36      Yes      256   128     0         No       0
39      Yes      256   128     0         No       0
41      Yes      256   128     0         No       0
43      Yes      256   128     0         No       0
44      Yes      256   128     369       No       0
Trk2    Yes      256   128     2882      No       0
Trk3    Yes      256   128     4914      No       0
Trk4    Yes      256   128     41000     No       0
Trk5    Yes      256   128     977       No       0
Trk6    Yes      256   128     2810      No       0
Trk7    Yes      256   128     6173      No       0
Dyn1    No       0     0       0         No       0
====

Here is the config of the nprobe instance:

====
-g=/var/run/nprobe-g2.pid
-i=none
-n=none
-3=6342
--zmq=tcp://10.10.2.203:5552
--zmq-probe-mode=
--http-server=
--dump-stats=/var/log/nprobe/g2-6342_stats.txt
-T="@NTOPNG@"
====

Here is the config of ntopng:

====
-G=/var/run/ntopng.pid
-i=tcp://*:5556c
-i=tcp://*:5557c
-i=tcp://*:5558c
-i=tcp://*:5551c
-i=tcp://*:5552c
-i=tcp://*:5553c
-i=tcp://*:5554c
-i=tcp://*:5555c
-i="view:tcp://*:5551c,tcp://*:5552c,tcp://*:5553c,tcp://*:5554c,tcp://*:5555c,tcp://*:5556c,tcp://*:5557c,tcp://*:5558c"
-w=3000
-m="10.10.0.0/22,10.6.0.0/22,10.4.0.0/24,10.1.0.0/24,10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.101.0/24,10.10.100.0/24,10.10.101.0/24,192.168.2.0/24,192.168.0.0/24,192.168.178.0/24"
-d=/media/ntopng
--zmq-collector-mode=
-F="mysql;localhost;ntopng;flows;ntopng;support"
====

Best Regards,

Torsten
Re: Do Trunks multiplicate the seen data
Hi

> On 4 Dec 2018, at 05:53, Torsten Becker <TBecker@frankenbach.com> wrote:
>
> Hello to All,
>
> I recently activated ntopng enterprise and nprobe standard to monitor our company network.
>
> Our network consists of some locations communicating over an MPLS VPN network. Ntopng and nprobe are installed on a server in our main location. Nprobe receives sflow data from the switches of all locations. I configured a ntopng zmq interface and a nprobe instance for every location.
> This all seems ok so far.
>
> But now I am unsure if we see multiplicated data from one location.

What do you think is wrong? Note that sFlow performs sampling and nProbe does the upscaling using the received samples along with the sampling rate. Please, explain.

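
The upscaling the reply describes, as an added example that is not part of the thread and is not nProbe's code: each sampled frame is multiplied by the sampling rate, and the sketch compares the per-data-source estimates of one flow with their sum. The sample records, the port1/Trk4 split and a collector that sums across sampling points are assumptions made for illustration; only the rate of 256 and the port names come from the posted switch table.

```python
import math
from collections import defaultdict

# Constructed sFlow flow samples (not taken from the thread):
# (data_source, sampling_rate, flow_key, sampled_frame_bytes)
FLOW = ("client:47510", "wts-server:3389", "TCP")
SAMPLES = (
    [("port1", 256, FLOW, 1500)] * 40    # samples taken on an edge port
    + [("Trk4", 256, FLOW, 1500)] * 38   # same flow sampled again on a trunk
)

def upscale(samples):
    """Estimate real bytes per (flow, data source): frame bytes * sampling rate."""
    est = defaultdict(int)
    count = defaultdict(int)
    for source, rate, flow, frame_len in samples:
        est[(flow, source)] += frame_len * rate
        count[(flow, source)] += 1
    return dict(est), dict(count)

def error_95(n_samples):
    """sFlow's published bound: relative error <= 1.96 * sqrt(1/n) at 95%."""
    return 1.96 * math.sqrt(1.0 / n_samples)

def per_flow_totals(samples):
    """Return {flow: (sum over all sources, largest single-source estimate)}."""
    est, _ = upscale(samples)
    by_flow = defaultdict(list)
    for (flow, _source), value in est.items():
        by_flow[flow].append(value)
    return {f: (sum(v), max(v)) for f, v in by_flow.items()}

def multiplication_factor(samples, flow):
    """How much larger the summed estimate is than the best single-source one."""
    total, single = per_flow_totals(samples)[flow]
    return total / single

if __name__ == "__main__":
    est, count = upscale(SAMPLES)
    for (flow, source), value in est.items():
        n = count[(flow, source)]
        print(f"{source}: {value} bytes from {n} samples, +/-{error_95(n):.0%}")
    print("sum vs single source:", multiplication_factor(SAMPLES, FLOW))
```

A factor close to the number of sampling points a flow crosses, rather than close to 1, is the signature to look for when comparing per-port and aggregated figures.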