Given that my replies vs requests ratio is still configured at 50%, this means that, at every 5 minute
Still in alert, at the original Date/Time of 07:25:01, I don't see any dropped packets on the NIC either:
As of right now, 2 of the hosts we are discussing are
Thank you again for the detailed responses.
From the interfaces page, I see these stats:
On 5/11/20 9:29 PM, Aaron Scamehorn wrote:
Right at the 10 minute mark, I got alerts.
I tried 2 different 30 minute PCAP files.
Host pihole has sent 211 DNS requests but received 7 DNS
Incidentally, I do also see alerts w/ non-zero replies
I do see unidirectional flows in flows_a for DNS.
On 5/12/20 5:13 PM, Aaron Scamehorn wrote:
On 5/13/20 3:06 PM, Emanuele Faranda wrote:
VLAN tag in ntopng you can use the -ignore-vlans flag in
So ntopng splits the DNS flows in two monodirectional flows.
Problem is that the DNS requests have no VLAN tag whereas the DNS replies have the VLAN tag 1.
Writing to you here to continue the public discussion.
In one 5 minute window, and the responses are on the next 5
Having rather, these are all of the 5 minute duration.
Could this be a boundary issue? Could client send the requests
These do not have the prolonged duration that the DNS alerts were
I am now getting Replies / Requests Ratio alerts for
So, the switch that the pi-holes is adding vlan tags?
Anyway, I ran the 30 minute pcap file with the -ignore-vlan config, and agree that does resolve the issue with the pcap file.
Adding that config to the "prod" ntopng apparently introduces new
Pi-hole hosts have vlan tags whereas other hosts have no vlan
Looking at the pcaps now, I do see that traffic from the 2
I do recall seeing vlan tags on some but not all of
On 5/13/20 4:55 PM, Aaron Scamehorn wrote:
The HTTP traffic so that we can inspect it.
There is such a problem please provide a PCAP file privately with
Improve the requests vs reply ratio also in case of HTTP so I expect less alerts to be generated than before.
Anyway, please monitor the situation and if you still think that
ignore-vlan option, as adding such option should actually
The alerts on HTTP traffic should not be linked to the
On Fri, at 4:26 AM Emanuele Faranda wrote:
The duration is usually 10 minutes or less.
"msg": "Host edgemax has received 78 HTTP requests but sent 34
"msg": "Host edgemax has received 100 HTTP requests but sent 34
"msg": "Host edgemax has received 118 HTTP requests but sent 51
"msg": "Host edgemax has received 117 HTTP requests but sent 51
The behavior has definitely changed, however, I continue to get Replies /
It's been about 9 days since adding the ignore_vlan option.
On 5/22/20 7:11 AM, Aaron Scamehorn wrote:
A new package will be available in one hour.
Ntopng did not account the ethernet frame padding which resulted in the ACK packets to be parsed as HTTP replies, so the actual HTTP reply in