It's a great tool for dissecting your traffic by type. You can use it to analyze traffic patterns into your site when you put it outside your firewall, or to analyze user behavior when it is installed on your user segment. It detects the host OS properly. The report is very detailed, including active sessions, their latency, etc.
One of the active sessions:
This test was done on a Dell 750 server with P4 2.8G, 512M RAM and 80G SATA HD.
But when the network is busy, NTOP eats up memory very fast. For example, it had used about 300M of memory when "85.0 MB [324,151 Pkts]" had passed its horizon, and about 700M after "203.6 MB [691,806 Pkts]" had passed. The good news is that the memory growth slows down after reaching some point: it was around 800M after "504.3 MB [1,624,032 Pkts]", and it's now 1.1G after "1.1 GB [3,821,462 Pkts]".
I checked www.ntop.org, which says of the memory requirement: "In general it ranges from a few MB (little LAN) to 100 MB for a WAN." Why did the memory usage keep rising on my machine? Something is not right. Probably it's because I am using the NTOP bundled with NST. Need to find out.
The data files only occupy a couple of megabytes.
According to the man page, "-x -X ntop creates a new hash/list entry for each new host/TCP session seen. In case of DOS (Denial Of Service) an attacker can easily exhaust all the host available memory because ntop is creating entries for dummy hosts. In order to avoid this you can set an upper limit in order to limit the memory ntop can use." and "-c --sticky-hosts Use this parameter to prevent idle hosts from being purged from memory." In the current conf file, there is no sticky and no -x or -X.
Tried to use both -x 1000000 and -X 1000000 in ntop; will see the result soon.
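
To check whether the -x/-X caps actually flatten memory growth, the ntop process's resident memory can be sampled at intervals. The script below is an added example, not part of the original post or of ntop; it assumes a Linux host with /proc, and the function names and the 1024 kB tolerance are hypothetical choices.

```shell
#!/bin/sh
# Added example: sample a process's resident memory (VmRSS) from /proc
# and label each sample as still growing or flat.

# rss_kb FILE: print the VmRSS value in kB from a /proc/<pid>/status-format
# file; returns non-zero when the file has no VmRSS line.
rss_kb() {
    awk '$1 == "VmRSS:" { print $2; found = 1 } END { exit !found }' "$1"
}

# plateaued PREV_KB CUR_KB TOL_KB: succeed when growth between two
# samples is at most TOL_KB.
plateaued() {
    [ $(( $2 - $1 )) -le "$3" ]
}

# watch_rss PID INTERVAL_SEC COUNT TOL_KB: print one line per sample.
watch_rss() {
    pid=$1 interval=$2 count=$3 tol=$4
    prev=""
    i=0
    while [ "$i" -lt "$count" ]; do
        cur=$(rss_kb "/proc/$pid/status") || {
            echo "pid $pid: no VmRSS (process gone?)" >&2
            return 1
        }
        state=first
        if [ -n "$prev" ]; then
            if plateaued "$prev" "$cur" "$tol"; then
                state=flat
            else
                state=growing
            fi
        fi
        printf '%s rss_kb=%s %s\n' "$(date +%H:%M:%S)" "$cur" "$state"
        prev=$cur
        i=$((i + 1))
        sleep "$interval"
    done
}

# Run only when a PID is given: script.sh PID [interval] [count] [tol_kb]
if [ "$#" -ge 1 ]; then
    watch_rss "$1" "${2:-60}" "${3:-60}" "${4:-1024}"
fi
```

Run it once without the limits and once with them, and compare how soon the samples turn from "growing" to "flat".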
