Hi Aaron,

The alerts that you are reporting basically tell you that such hosts receive DNS requests but do not send a reply. In order to troubleshoot possible problems you should augment such information with the knowledge of your network.

The first question to answer is, are those hosts expected to accept DNS requests? If not, are the requests generated from the internet or from the LAN? In the first case a firewall to block such DNS requests may be a good idea. In the latter case some hosts in the LAN may be misconfigured. In the case of the pihole hosts, I expect pihole to block some DNS requests for advertisement sites so this could be a normal behaviour. The following ntopng features may also help you:

https://www.ntop.org/guides/ntopng/advanced_features/live_pcap_download.html

https://www.ntop.org/guides/ntopng/using_with_other_tools/n2disk.html

https://www.ntop.org/guides/ntopng/historical_flows.html

Regards,
Emanuele

On 5/7/20 5:57 PM, Aaron Scamehorn wrote:
Hello,

I'm trying to understand how/why I am getting the "Replies / Requests Ratio" warnings for DNS.

I am suspicious of these alerts, and would like to know how/why they are being generated.  I am suspicious for the following reasons:  1) If it really is as bad as indicated, I should notice problems.  2) The "events" occur immediately after I clear the alerts, and tend to persist for hours.

In any case, I cleared the alerts last night, and this is what they look like:

06/05/2020 22:15:00 12:31:28 Warning Replies / Requests Ratio Host edgemax.example.net <http://xps-630i.scamlan.net:3000/lua/host_details.lua?ifid=2&host=10.12.17.1@1&page=historical&epoch_begin=1588864588&epoch_end=1588868188> has received 54 DNS requests but sent 0 DNS replies [5 Minutes ratio: 0%]

06/05/2020 22:15:00 12:31:28 Warning Replies / Requests Ratio Host pihole.example.net <http://xps-630i.scamlan.net:3000/lua/host_details.lua?ifid=2&host=10.12.17.3@1&page=historical&epoch_begin=1588864588&epoch_end=1588868188> has sent 93 DNS requests but received 3 DNS replies [5 Minutes ratio: 3.2%]

06/05/2020 22:15:00 12:31:28 Warning Replies / Requests Ratio Host pihole-2.example.net <http://xps-630i.scamlan.net:3000/lua/host_details.lua?ifid=2&host=10.12.17.4@1&page=historical&epoch_begin=1588864588&epoch_end=1588868188> has sent 97 DNS requests but received 1 DNS reply [5 Minutes ratio: 1.0%]

_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
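
A sketch of the triage questions raised in the reply, as an added example that is not part of the thread and not ntopng's own code: it recomputes a replies/requests ratio per host from constructed per-flow DNS counts and sorts low-ratio hosts by whether the requests come from the internet or the LAN and whether the host is expected to serve DNS. The LAN prefix, the set of expected DNS servers, the 0.5 threshold and the flow records are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (client, server, requests, replies) per DNS flow in one 5-minute window.
FLOWS = [
    ("10.12.17.20", "10.12.17.1", 30, 0),
    ("10.12.17.21", "10.12.17.1", 24, 0),
    ("10.12.17.3", "198.51.100.53", 93, 3),
    ("203.0.113.9", "10.12.17.4", 40, 0),
    ("10.12.17.22", "10.12.17.3", 50, 50),
]
LAN = ipaddress.ip_network("10.12.17.0/24")   # assumed LAN prefix
DNS_SERVERS = {"10.12.17.3", "10.12.17.4"}    # assumed: hosts expected to accept DNS
THRESHOLD = 0.5                               # assumed cut-off, not ntopng's value


def triage(flows, lan=LAN, dns_servers=DNS_SERVERS, threshold=THRESHOLD):
    """Return {host: (role, ratio, verdict)} for LAN hosts with a low replies/requests ratio."""
    as_server = defaultdict(lambda: [0, 0, set()])  # requests in, replies out, client origins
    as_client = defaultdict(lambda: [0, 0])         # requests out, replies in
    for client, server, requests, replies in flows:
        origin = "lan" if ipaddress.ip_address(client) in lan else "internet"
        entry = as_server[server]
        entry[0] += requests
        entry[1] += replies
        entry[2].add(origin)
        as_client[client][0] += requests
        as_client[client][1] += replies

    findings = {}
    for host, (req, rep, origins) in as_server.items():
        if ipaddress.ip_address(host) not in lan or req == 0 or rep / req >= threshold:
            continue
        if "internet" in origins:
            verdict = "requests arrive from the internet: consider a firewall rule"
        elif host not in dns_servers:
            verdict = "LAN clients query a non-DNS host: check their resolver settings"
        else:
            verdict = "expected DNS server is not answering LAN clients"
        findings[host] = ("server", round(rep / req, 3), verdict)
    for host, (req, rep) in as_client.items():
        if ipaddress.ip_address(host) in lan and req and rep / req < threshold:
            # A host already flagged in the server role keeps that finding.
            findings.setdefault(host, ("client", round(rep / req, 3),
                                       "sent requests but received few replies"))
    return findings
```

With the constructed flows, `triage(FLOWS)` flags 10.12.17.1 and 10.12.17.4 in the server role and 10.12.17.3 in the client role, while 10.12.17.22 (every request answered) is not reported.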