Collecting flows on large networks with hundreds of routers can be challenging. Besides the sheer number of flows to be collected, another key point is being able to visualise the information in a simple yet effective way. ntopng allows you to create up to 32 virtual flow collection interfaces that can be used to avoid merging collected flows: unfortunately they are not enough when collecting flows from 100+ routers. In the latest ntopng and nProbe dev versions (soon to become stable), we have implemented the concept of observation point, which in IPFIX is defined as a location in the network where packets can be observed. The problem we want to solve is: how to cluster flows coming from the same site regardless of the probe IP that originates them, avoid merging them with those coming from other sites, but still have the ability to see them as a whole at the interface level where flows are collected.

Each nProbe instance can be configured to set a numerical value for the observationPoint Id that uniquely identifies a site. Depending on the site size, a site can have one or multiple probes. In nProbe the observationPoint is set with the -E flag. When flows are sent by nProbe, they are uniquely marked with the observationPoint Id, which is honoured by ntopng during flow collection and reported in the web interface.

In the top menubar, ntopng lists all the known observationPoint Ids in a dropdown menu: this way a network analyst can select the observationPoint to visualise while hiding flows from the other observation points. In the left sidebar Probes menu, it is possible to list all the known observationPoint Ids, set a custom name by clicking on the wheel icon, and visualise traffic statistics by clicking on the chart icon.

While flows are kept split, the traffic of hosts, ASs, networks etc. is merged at the interface level regardless of the observationPoint Id that originated it. This choice avoids duplicating statistics when hosts from different observationPoints talk to each other. For instance, if a host from the Rome site is talking to a given remote host and a host from Berlin is also talking to it, ntopng will keep in memory a single host entry accounting for the total of the traffic. Note that in case of networks with overlapping addresses (e.g.

When flows are stored on nIndex, they carry both the observationPoint Id and the IP address of the probe that exported them: this enables network analysts to drill down a problem (e.g. one reported with a ntopng generated alert) up to the traffic origin.

In summary, using observation points it is possible to partition the traffic according to a site, while keeping consistent counters for hosts, ASs, and networks.
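The collection semantics described above, as an added example that is not ntopng's or nProbe's code: a small Python model of flows tagged with an observationPoint Id and an exporter address, showing the per-observation-point filter, the host counters merged at the interface level, and the drill-down from a host back to the site and probe that exported its flows. The site numbers, addresses and byte counts are constructed.

```python
"""Model of partitioning flows by observation point while keeping host
counters merged at the interface level.  Illustrative code and constructed
data; function names are assumptions, not ntopng's API."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    observation_point: int  # observationPoint Id set by the exporting nProbe
    exporter: str           # IP address of the probe that exported the flow
    src: str
    dst: str
    bytes: int


# Constructed sample: site 1 (Rome) and site 2 (Berlin), each with its own
# probe(s); hosts from both sites talk to the same remote host 203.0.113.10.
FLOWS = [
    Flow(1, "10.1.0.2", "10.1.5.20", "203.0.113.10", 1500),
    Flow(1, "10.1.0.2", "10.1.5.21", "203.0.113.10", 500),
    Flow(2, "10.2.0.2", "10.2.8.30", "203.0.113.10", 2000),
    Flow(2, "10.2.0.3", "10.2.8.31", "198.51.100.7", 700),
]


def flows_for_observation_point(flows, point):
    """The top-menubar dropdown: keep only flows carrying one observationPoint Id."""
    return [f for f in flows if f.observation_point == point]


def host_traffic(flows):
    """Interface-level host counters: merged across observation points, so a
    remote host seen from several sites gets a single entry with the total."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes
        totals[f.dst] += f.bytes
    return dict(totals)


def drill_down(flows, host):
    """Trace a host's traffic to its origin: bytes per (observation point, exporter),
    the two fields stored with each flow that make the drill-down possible."""
    origins = defaultdict(int)
    for f in flows:
        if host in (f.src, f.dst):
            origins[(f.observation_point, f.exporter)] += f.bytes
    return dict(origins)


if __name__ == "__main__":
    print(host_traffic(FLOWS)["203.0.113.10"])   # one entry for both sites
    print(drill_down(FLOWS, "203.0.113.10"))     # split back by site and probe
```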