Mailing List Archive

Reply: Re: Do Trunks multiplicate the seen data
Hello,

ntop-misc-bounces@listgateway.unipi.it wrote on 04.12.2018 19:21:14:

> From: Simone Mainardi <mainardi@ntop.org>
> To: ntop-misc@listgateway.unipi.it
> Date: 04.12.2018 19:23
> Subject: Re: [Ntop-misc] Do Trunks multiplicate the seen data
> Sent by: ntop-misc-bounces@listgateway.unipi.it
>
> Hi
>
> On 4 Dec 2018, at 05:53, Torsten Becker <TBecker@frankenbach.com> wrote:
>
> Hello to All,
>
> I recently activated ntopng enterprise and nprobe standard to
> monitor our company network.
>
> Our network consists of some locations communicating over an MPLS VPN
> network. Ntopng and nprobe are installed on a server in our main
> location. Nprobe receives sflow data from the switches of all
> locations. I configured a ntopng zmq interface and a nprobe instance
> for every location.
> This all seems ok so far.
>
> But now I am unsure if we see multiplicated data from one location.
>
> What do you think is wrong? Note that sFlow performs sampling and
> nProbe does the upscaling using the received samples along with the
> sampling rate. Please, explain.
I think the data shown for the flows are not realistic. A client that
makes RDP does not send about 4 GB within 40 seconds.
And I wonder if the trunks are the problem for the high data.

>
> The switch of this location that is sending sflow data is the core
> switch. I have several trunks defined in this switch to connect to
> two xenservers (3x 1gb trunk per server) and several other floor
> switches.
> We run two Windows Terminal Servers in a farm as VMs on the
> xenserver-cluster. The users sit on a thinclient or notebook connected
> with 1gb/s at maximum.
>
> Ntopng tells me that we would have this traffic via RDP:
>
> Info RDP TCP client:47510 wts-server:3389 29/11/2018 12:57:46 29/11/2018 12:58:31 3.99 GB 3.83 GB 7.81 GB 1.46 Gbit/s
> Info RDP TCP client:54547 wts-server:3389 29/11/2018 13:14:52 29/11/2018 13:16:51 3.65 GB 3.89 GB 7.53 GB 539.19 Mbit/s
> Info RDP TCP client:54547 wts-server:3389 29/11/2018 13:29:22 29/11/2018 13:31:20 3.51 GB 3.49 GB 7.01 GB 505.81 Mbit/s
> Info RDP TCP client:54547 wts-server:3389 29/11/2018 12:38:09 29/11/2018 12:40:06 3.49 GB 3.43 GB 6.92 GB 503.6 Mbit/s
>
> I think there must be something wrong....
>
> Here is the config of the switch:
> =====
> Port | Sampling Dropped | Polling
> | Enabled Rate Header Samples | Enabled Interval
> ----- + ------- -------- ------ ---------- + ------- --------
> 1 Yes 256 128 64404 No 0
> 2 Yes 256 128 83008 No 0
> 3 Yes 256 128 0 No 0
> 4 Yes 256 128 0 No 0
> 8 Yes 256 128 148 No 0
> 13 Yes 256 128 0 No 0
> 14 Yes 256 128 0 No 0
> 15 Yes 256 128 0 No 0
> 16 Yes 256 128 2 No 0
> 20 Yes 256 128 133 No 0
> 21 Yes 256 128 0 No 0
> 22 Yes 256 128 0 No 0
> 23 Yes 256 128 0 No 0
> 24 Yes 256 128 0 No 0
> 25 Yes 256 128 0 No 0
> 26 Yes 256 128 0 No 0
> 27 Yes 256 128 0 No 0
> 28 Yes 256 128 0 No 0
> 29 Yes 256 128 0 No 0
> 30 Yes 256 128 0 No 0
> 33 Yes 256 128 0 No 0
> 34 Yes 256 128 21036 No 0
> 35 Yes 256 128 0 No 0
> 36 Yes 256 128 0 No 0
> 39 Yes 256 128 0 No 0
> 41 Yes 256 128 0 No 0
> 43 Yes 256 128 0 No 0
> 44 Yes 256 128 369 No 0
> Trk2 Yes 256 128 2882 No 0
> Trk3 Yes 256 128 4914 No 0
> Trk4 Yes 256 128 41000 No 0
> Trk5 Yes 256 128 977 No 0
> Trk6 Yes 256 128 2810 No 0
> Trk7 Yes 256 128 6173 No 0
> Dyn1 No 0 0 0 No 0
> ====
>
> Here config of nprobe instance:
>
> ====
> -g=/var/run/nprobe-g2.pid
> -i=none
> -n=none
> -3=6342
> --zmq=tcp://10.10.2.203:5552
> --zmq-probe-mode=
> --http-server=
> --dump-stats=/var/log/nprobe/g2-6342_stats.txt
> -T="@NTOPNG@"
> ====
>
> Here config of ntopng:
>
> ====
> -G=/var/run/ntopng.pid
> -i=tcp://*:5556c
> -i=tcp://*:5557c
> -i=tcp://*:5558c
> -i=tcp://*:5551c
> -i=tcp://*:5552c
> -i=tcp://*:5553c
> -i=tcp://*:5554c
> -i=tcp://*:5555c
> -i="view:tcp://*:5551c,tcp://*:5552c,tcp://*:5553c,tcp://*:5554c,tcp://*:5555c,tcp://*:5556c,tcp://*:5557c,tcp://*:5558c"
> -w=3000
> -m="10.10.0.0/22,10.6.0.0/22,10.4.0.0/24,10.1.0.0/24,10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.101.0/24,10.10.100.0/24,10.10.101.0/24,192.168.2.0/24,192.168.0.0/24,192.168.178.0/24"
> -d=/media/ntopng
> --zmq-collector-mode=
> -F="mysql;localhost;ntopng;flows;ntopng;support"
> ====
>
> Best Regards,
>
> Torsten
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc
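
Added example, not part of the thread and not ntop code: a small model of the sampling and upscaling described above (each sampled frame is multiplied by the sampling rate, 256 in the switch table), and of what the total looks like if the same frames are sampled at more than one sampling-enabled port and the estimates are summed into one flow. Whether the switch or nProbe in this setup behaves that way is not established by the thread; the frame mix, seeds and function names are constructed for the example.

```python
import random

SAMPLING_RATE = 256  # 1-in-256, the rate shown for every port in the switch table


def sample(frames, rate, rng):
    """sFlow-style random sampling: each frame is picked with probability 1/rate."""
    return [length for length in frames if rng.random() * rate < 1.0]


def upscale(samples, rate):
    """Collector-side estimate: every sampled frame stands for `rate` frames."""
    return sum(samples) * rate


def estimate(frames, observation_points, rate=SAMPLING_RATE, seed=1):
    """Estimated bytes when the same frames are sampled independently at
    `observation_points` ports and all estimates are added to one flow.
    No de-duplication is modelled; that is an assumption of this example."""
    rng = random.Random(seed)
    return sum(upscale(sample(frames, rate, rng), rate)
               for _ in range(observation_points))


def constructed_flow(n_frames=500_000, seed=7):
    """Constructed traffic: a mix of small and full-size frame lengths in bytes."""
    rng = random.Random(seed)
    return [rng.choice((64, 576, 1500)) for _ in range(n_frames)]


if __name__ == "__main__":
    frames = constructed_flow()
    true_bytes = sum(frames)
    for points in (1, 2, 3):
        ratio = estimate(frames, points) / true_bytes
        print(f"{points} sampling point(s): estimate / true bytes = {ratio:.2f}")
```

With one sampling point the estimate lands close to the true byte count; with two or three it lands close to two or three times that, which is the kind of inflation to rule out by comparing the collector's figures against the switch's own interface counters.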