Ntopng: Host XXX.XXX.XXX.XXX is a flooder [NNN new flows in the last 3 sec]



  • My ntopng shows that one of my computers in the LAN is a flooder. It says

    Host XXX.XXX.XXX.XXX is a flooder [NNN new flows in the last 3 sec]
    

    The number of new flows can be thousands and tens of thousands.

    Is it possible to list these flows? The "flows" section of the host page apparently does not show these, since it contains no more than hundreds of lines.

    Either data is lost, or grouped somehow.

    How to know that?



  • Hi,

    I have the same problem; it's from my WAN connection. If you find something, please tell me.

    Thanks




  • The flood threshold levels are set way too low by default. You can edit them in the ntopng GUI, but it doesn't have any effect and reverts back to the default value. Can't even disable the alert logs. This part is a bit buggy for now, so probably the best idea is to disable the alert logging. It can literally flood the pfSense syslog too. Check out my topic for a workaround.

    https://forum.pfsense.org/index.php?topic=89911.0



  • Thank you!



  • My main PC has a lot of flood alerts being generated on ntop too. I'm not that worried about it.



  • @vadonka:

    The flood threshold levels are set way too low by default. You can edit them in the ntopng GUI, but it doesn't have any effect and reverts back to the default value. Can't even disable the alert logs. This part is a bit buggy for now, so probably the best idea is to disable the alert logging. It can literally flood the pfSense syslog too. Check out my topic for a workaround.

    https://forum.pfsense.org/index.php?topic=89911.0

    What would you recommend setting the alert level to? Default is 25? It looks like in the settings now you can change this.


  • I would recommend to tick the fine checkbox in the GUI to disable the alerts altogether. ;)



  • OK, dumb question, but why? I am assuming because the tool is more geared for the user to see where the traffic is flowing from, and there's no reason to be flooded with the alerts?


  • Well, because it produces insane noise… I find the information worthless. YMMV. :P

