Bill East on 2 Apr 2009 19:07:08 -0700


Re: [PLUG] ntop cool

On Wed, Apr 1, 2009 at 7:05 PM, jeff wrote:
> Bill East wrote:
>> ntop with a dozen Cisco routers exporting flows (to a poor, tired, snatched
>> from the dumpster D325 running Slack). It is, at times, an insanely useful
>> tool for figuring out which user is sucking up the branch's bandwidth so you
>> can throttle them. Their port. Of course.
>
> Ok, now this is SCS (seriously cool stuff) to me.
> Just started reading about flows.  Any site recommendations?  I know
> ntop can be set for two different kinds (I can't remember which at the
> moment) but do the switches have to output it?  Is it exclusive to one
> brand, like everything else?

Cisco appears to be the major one doing it; I have not looked into other routers and switches. As I said, it's a simple and useful way to see what's going on. If you have a router that's not stressed at the moment, you just tell it to start exporting flows, including the destination host and the port (one port per router). Add the same information to ntop and it will figure it out. One caveat: for some reason when I was adding routers some would start sending data immediately and some not until I went home for the night after spending an hour trying to figure out what I had done wrong.

It uses RRD graphs for aggregate port bandwidth and does extensive analysis by host and by port. So you can tell it to show you, for example, the host with the highest throughput, then look at that host's peers and what ports are running on them. It took me a while to figure out, because I'm special, but the local functions such as host fingerprinting will not work on the flows.

I still have MRTG querying the routers for utilization and total throughput but ntop gave me the ability to drill down a lot deeper.
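
As an added illustration (not part of the original post and not ntop's code), here is the per-host drill-down described above done by hand on one exported datagram. It assumes the routers export NetFlow version 5, which the post does not specify; the addresses and byte counts are constructed.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def parse_v5(datagram):
    """Return a list of flow dicts; raise ValueError on malformed input."""
    if len(datagram) < HEADER.size or HEADER.unpack_from(datagram)[0] != 5:
        raise ValueError("not a NetFlow v5 datagram")
    count = HEADER.unpack_from(datagram)[1]
    # Flow export is unauthenticated UDP, so never trust the count field.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def top_talkers(flows, n=3):
    """Bytes sent per source host, highest first."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["octets"]
    return totals.most_common(n)

def peers_of(flows, host):
    """Drill down: bytes per (peer, destination port, protocol) for one host."""
    peers = Counter()
    for f in flows:
        if f["src"] == host:
            peers[(f["dst"], f["dport"], f["proto"])] += f["octets"]
    return peers.most_common()

def _record(src, dst, octets, sport, dport, proto=6):
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, 10, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram: one header followed by three flow records.
SAMPLE = HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    _record("10.1.1.20", "192.0.2.10", 900000, 51000, 443),
    _record("10.1.1.20", "192.0.2.10", 100000, 51001, 443),
    _record("10.1.1.31", "198.51.100.7", 40000, 40000, 25)])

if __name__ == "__main__":
    print(top_talkers(parse_v5(SAMPLE)), peers_of(parse_v5(SAMPLE), "10.1.1.20"))
```

Flow records carry only addresses, ports, protocol and counters, with no packet payload.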
