How do I use ntop in a switched network?
A. First off, you need to be or have the support of your network administrator. (Yes, you can do something called “ARP poisoning” to – maybe – get the switch to send you all the traffic, but that’s beyond this FAQ… STFW) Many switches (although not the USD$50 cheap “workgroup” units) have a special port or mode, where by all the traffic for the entire network gets copied out that port, in addition to the normal switch action. When you invoke the monitoring mode (called span, mirror, monitor, analysis, etc.), you are forcing the entire switch bandwidth out one port. This may exceed the bandwidth of the port. 100Mbps+100Mbps >> 100Mbps! Traffic that is being sent to the monitoring port in excess of the capacity of that port is usually dropped. It should NOT slow down the switch on other ports. Some switches have some buffering capability and it *may* be able to keep up with an occasional burst of traffic, as long as the average is below the port capacity and the buffer isn’t exceeded.
