Mailing List Archive

Combining subnet statistics
We have several subnets in each of our branch offices that can use our WAN. I have listed each of these in ntopng.conf:
--local-networks= "192.168.0.0/23,192.168.2.0/24,192.168.3.0/24,192.168.6.0/24,192.168.7.0/24,192.168.30.0/24,192.168.60.0/24,192.168.32.0/24,192.168.62.0/24,192.168.33.0/24,192.168.3.0/24,192.168.37.0/24,192.168.67.0/24"

I can view charts for each subnet individually, but I would like to see the total for each branch office. E.g 192.168.2.0/24 + 192.168.32.0/24 + 192.168.62.0/24.

Is there a way to do this? Because of the subnet ranges they've used (last digit of second last number indicates branch office), I can't just define a subnet range to cover them.

Peter Shute
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
Re: Combining subnet statistics
Yes, you can do that.

You should create a host pool for any branch you are interested in monitoring. A host pool can be defined as a set of subnets so this will do the trick. Once you've created the pools, visit the ntopng preferences and enable the timeseries creation for them.

Simone

> On 12 Feb 2018, at 00:08, Peter Shute <pshute@nuw.org.au> wrote:
>
> We have several subnets in each of our branch offices that can use our WAN. I have listed each of these in ntopng.conf:
> --local-networks= "192.168.0.0/23,192.168.2.0/24,192.168.3.0/24,192.168.6.0/24,192.168.7.0/24,192.168.30.0/24,192.168.60.0/24,192.168.32.0/24,192.168.62.0/24,192.168.33.0/24,192.168.3.0/24,192.168.37.0/24,192.168.67.0/24"
>
> I can view charts for each subnet individually, but I would like to see the total for each branch office. E.g 192.168.2.0/24 + 192.168.32.0/24 + 192.168.62.0/24.
>
> Is there a way to do this? Because of the subnet ranges they've used (last digit of second last number indicates branch office), I can't just define a subnet range to cover them.
>
> Peter Shute

Re: Combining subnet statistics
Thanks for that. I've also discovered I can separate out the netflow data coming from each office's router using dynamic network interfaces. I followed the instructions provided at https://github.com/ntop/ntopng/issues/1444 to enable Probe IP disaggregation criterion, and to add %EXPORTER_IPV4_ADDRESS to the template. I assume this does the same thing as host pooling, assuming one wants to pool every subnet on each router? I have this running now, so I can't try creating host pools unless I undo those changes.

One thing I've noticed with dynamic interfaces is that if I select one, then click on the chart icon, the traffic peaks seem way too high. Eg 85Mbps when we only have a 14Mbps link. If I click on Hosts/Networks, and select one of the local subnets, it seems ok. Is there something wrong with that combined chart?

Is it possible to name the dynamic network interfaces so I don't have to keep a list of all the routers' IP addresses?

Re: Combining subnet statistics
I have discovered how to name the dynamic interfaces (select one, then click on the settings icon). Just need to work out why the main chart looks too high.

If I look at the main chart for an interface, the 1 hour chart shows a much higher maximum than the 3 hour chart, although both are too high. What's going on there?

Re: Combining subnet statistics
Peter,

> On 12 Feb 2018, at 22:06, Peter Shute <pshute@nuw.org.au> wrote:
>
> Thanks for that. I've also discovered I can separate out the netflow data coming from each office's router using dynamic network interfaces. I followed the instructions provided at https://github.com/ntop/ntopng/issues/1444 to enable Probe IP disaggregation criterion, and to add %EXPORTER_IPV4_ADDRESS to the template. I assume this does the same thing as host pooling, assuming one wants to pool every subnet on each router?

Correct

> I have this running now, so I can't try creating host pools unless I undo those changes.
>
> One thing I've noticed with dynamic interfaces is that if I select one, then click on the chart icon, the traffic peaks seem way too high. Eg 85Mbps when we only have a 14Mbps link.

Peaks you are seeing are very likely due to the quantized nature of flows. Your netflow exporters do periodic exports of active flows -- say every 2 minutes -- so the ntopng/nProbe pair is not able to know what happened during the 2 minutes, it just receives the exported flow at the end of the period. This translates into a potentially high volume of traffic in a very short period that determines the peak. However, total values over time must be consistent.


> If I click on Hosts/Networks, and select one of the local subnets, it seems ok. Is there something wrong with that combined chart?

Interfaces charts are populated with a data point every second. Hosts/networks every 5 minutes and thus peaks get smoothed because total data is averaged over a much wider time range.

>
> Is it possible to name the dynamic network interfaces so I don't have to keep a list of all the routers' IP addresses?

Yes, rename it as if it was a normal interface.

Simone

Re: Combining subnet statistics
Simone Mainardi wrote:

> > I have this running now, so I can't try creating host pools unless I undo those changes.
> >
> > One thing I've noticed with dynamic interfaces is that if I select one, then click on the chart icon, the traffic peaks seem way too high. Eg 85Mbps when we only have a 14Mbps link.
>
> Peaks you are seeing are very likely due to the quantized nature of flows. Your netflow exporters do periodic exports of active flows -- say every 2 minutes -- so the ntopng/nProbe pair is not able to know what happened during the 2 minutes, it just receives the exported flow at the end of the period. This translates into a potentially high volume of traffic in a very short period that determines the peak. However, total values over time must be consistent.

That makes sense. I wonder if it would be helpful to add a note about that on the charts so that people understand their limitations.

Does this mean I can still use those charts to look for periods of high usage, but should take the vertical scale with a grain of salt?

Peter Shute
Re: Combining subnet statistics
Peter,

> On 13 Feb 2018, at 22:49, Peter Shute <pshute@nuw.org.au> wrote:
>
> Simone Mainardi wrote:
>
>>> I have this running now, so I can't try creating host pools unless I undo those changes.
>>>
>>> One thing I've noticed with dynamic interfaces is that if I select one, then click on the chart icon, the traffic peaks seem way too high. Eg 85Mbps when we only have a 14Mbps link.
>>
>> Peaks you are seeing are very likely due to the quantized nature of flows. Your netflow exporters do periodic exports of active flows -- say every 2 minutes -- so the ntopng/nProbe pair is not able to know what happened during the 2 minutes, it just receives the exported flow at the end of the period. This translates into a potentially high volume of traffic in a very short period that determines the peak. However, total values over time must be consistent.
>
> That makes sense. I wonder if it would be helpful to add a note about that on the charts so that people understand their limitations.

Correct, we will add it.

>
> Does this mean I can still use those charts to look for periods of high usage, but should take the vertical scale with a grain of salt?

Correct. The interface chart with 1-second data points -- say the latest 10 minutes -- should be taken with a grain of salt on configurations that involve flows collection.
Selecting wider time ranges will automatically average out short peaks and will provide you more accurate information.
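
Added example, not part of the original thread and not ntopng code: a simplified model of the effect described in the replies above (periodic flow exports producing per-second peaks, and wider time ranges averaging them out). The traffic profile, the assumption that a whole export is credited to the second it arrives, and all function names are constructed for illustration; only the 14 Mbps link and the 2-minute export period come from the thread.

```python
# Simplified model of flow quantization (constructed numbers, not ntopng code).
LINK_MBPS = 14        # link capacity mentioned in the thread
EXPORT_EVERY = 120    # active-flow export period in seconds ("say every 2 minutes")
DURATION = 600        # simulate 10 minutes of traffic


def true_rate(t):
    """Constructed traffic: steady 6 Mbps with a 12 Mbps burst in minutes 3-5."""
    return 12.0 if 180 <= t < 300 else 6.0


def collector_series(duration=DURATION, period=EXPORT_EVERY):
    """Per-second megabits as the collector sees them: nothing until an
    export arrives, then the whole period's volume lands in one second."""
    seen = [0.0] * duration
    pending = 0.0
    for t in range(duration):
        pending += true_rate(t)        # megabits actually sent in this second
        if (t + 1) % period == 0:      # exporter flushes the active flow
            seen[t] = pending
            pending = 0.0
    return seen


def averaged(series, window):
    """Average rate (Mbps) per fixed window, as a coarser chart would plot it."""
    return [sum(series[i:i + window]) / window
            for i in range(0, len(series), window)]


def summary():
    real = [true_rate(t) for t in range(DURATION)]
    seen = collector_series()
    return {
        "real_peak_mbps": max(real),
        "one_second_peak_mbps": max(seen),
        "five_minute_avg_mbps": averaged(seen, 300),
        "total_real_mbit": sum(real),
        "total_seen_mbit": sum(seen),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

In this model the one-second series peaks far above the link capacity while the 5-minute averages stay below it and the totals match; the averages also lag the real burst, because an export is counted when it arrives rather than when the traffic was sent.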
