From: "Philip Olsson"
To: "Brian Candler", "Phil Regnauld"
Cc: freebsd-net@freebsd.org, Nash Nipples
Subject: Re: Simple LAN IP accounting
Date: Sun, 18 Jun 2006 23:58:46 +0200
List-Id: Networking and TCP/IP with FreeBSD

> On Sun, Jun 18, 2006 at 08:21:51PM +0200, Phil Regnauld wrote:
>> > very efficient way of doing this analysis. You can turn the sflow data into
>> > simple CSV records using 'sflowtool', or ntop has an sflow module.
>>
>> Ntop just seems very unreliable and bloated to me, at least after
>> version 1. Has it changed?
>
> I don't know. I looked at it briefly recently, but it didn't do what I
> wanted (which was to be able to export and analyse *all* flows seen). At
> least, there was an "export" function, but it was broken.
>
> If you just want something to visualize your top 20 traffic sources and
> protocols, i.e. keep an eye on your network and notice sudden new large
> sources such as viruses or P2P nodes, it may be useful.
>

Ntop is horribly unstable if you push some traffic. The memory usage
increases and then later on crashes. It does not matter if you use libpcap
or netflow. Something in the design seems wrong. I tested it recently and a
year ago, same problem. The system does not run out of resources.

// Philip