Les,
This report has not been put together yet, no.
It's a little tricky because you have to ignore all the MAC addresses
that belong to interfaces that are routing, since the same IP
addresses will often appear over those MAC addresses quite
legitimately. Fortunately the traffic server maintains a list of
MAC addresses that appear to be acting as routers, and stores them in
the file /usr/local/inmon/server/state/routers.txt. These are the
ones that are ignored when it is constructing the address-mappings
(see addressMap.txt in the same directory). A script could read
these router MAC addresses in and use them as a filter...
To get the raw data feed of which IP addresses are currently
appearing over which MAC addresses you could either:
1. use Server->Forwarding to copy all the sFlow to another UDP port
(e.g. 7343) and then run "sflowtool -l -p 7343", or
2. make a query to the minute-by-minute database in traffic server
If your script can keep up with the raw feed from "sflowtool -l" then
I think that would be ideal, because it will be down to 1-second
time granularity.
If the script cannot keep up then you could adapt a query script like
this one to get the raw data in a manageable format:
http://www.inmon.com/sample_scripts/duplicateIP.pl
For another approach, you could make an analysis of the
addressMap.txt file to throw up a list of possible candidate
duplicate IPs. That should narrow it down a lot. Then you could
filter on those to see if any of them are flipping back and forth.
Sorry there's no shrink-wrapped solution. We should really add this
to the product.
regards,
neil
---- Neil McKee InMon Corp. http://www.inmon.comReceived on Tue Sep 27 12:17:19 2005
This archive was generated by hypermail 2.1.8 : 09/27/05 PDT