Interfaces vs View Interfaces

There are cases when multipe interfaces need to be aggregated together with the aim of performing traffic analyses on the aggregate.

For example, when RSS is used to process packets across multiple queues, a re-aggregation is useful to obtain visibility of the whole traffic and not just a subset of it.

In the following example, a view: interface is created to aggregate packets from two eth1 RSS queues processed using PF_RING Zero Copy.

./ntopng -i zc:eth1@0  -i zc:eth1@1  -i view:zc:eth1@0,zc:eth1@1

If you do not want to list all interfaces you can use the shortcut view:all to tell ntopng to create a view interface from all configured interfaces. The above example will then become:

./ntopng -i zc:eth1@0  -i zc:eth1@1  -i view:all

However, view interfaces come with some visibility limitations if compared to other interfaces. This means they don’t have all traffic data that is normally available for regular interfaces. For example, view interfaces don’t have:

  • MAC addresses and everything related to MAC addresses
  • Packet size distribution (up to 128, up to 256, …)
  • TCP Flags / ARP Distribution

A comprehensive list of all the limitations is at this page.

Using interfaces views also reduces the data available on viewed interfaces. For example, using -i view:zc:eth1@0,zc:eth1@1 will automatically reduce the data kept for zc:eth1@0 and zc:eth1@1, respectively.

Viewed interfaces only have flows. All other network elements are kept for the view interface only. A non-exhaustive list of network elements that are not present on viewed interfaces but are kept on view interface is:

  • Hosts and historical hosts data
  • Autonomous Systems
  • VLANs

The rationale behind this is:

  • Technical, as keeping most of the network elements only in the view greatly reduces the overall memory footprint
  • Practical, to avoid keeping partial data (e.g., the same host can be seen on two interfaces but, since a view is used, only it overall aggregated data is assumed to be relevant).