Yes it is - and if you read the message traffic, you would have seen the
same report.  But without the info, I would waste a lot of MY time on
irrelevant issues.

The key is the traffic mirroring.

You need to use a more recent version and use the '--border-sniffer-mode' or
'-j' option.  This was added post 2.0 release to handle the special case of
mirroring traffic on a switch (basically if you turn on mirroring, the
traffic is the same at the TCP/IP level, but not at the Ethernet level - so
the parameter stops ntop from using the MAC addresses).

There is also a traffic classification patch in the later releases, but
that's for UDP.  It won't help TCP.  ntop does not do connection tracking
like iproute2/netfilter does...  It shouldn't be non-ip, but it may not be
tagged as the ftp protocol.  However, there are also a lot of post-2.0
changes in that area, and let's see what happens when you use the more
recent code.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Igor
Schein
Sent: Friday, February 15, 2002 4:23 PM
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] a couple of questions


On Fri, Feb 15, 2002 at 04:21:24PM -0500, Igor Schein wrote:
> Hi,
>
> I'm using ntop-2.0 stable.  It's listening on a firewall machine
> with 2 interfaces.  First of all, I don't see all the hosts when
> I go to Data Rcvd -> All protocols, even though I know they're there,
> because when I sort on host column alphabetically, it shows me hosts
> from a to n, and when I sort in reverse alphabetical, it shows me
> hosts from c to z.  So there must be a limitation on the number of
> lines in the table for the web interface.  How can I see all hosts at
> once?
>
> Second question is, when I do an active ftp from inside the firewall
> to the outside world, the traffic generated by file transfers is considered
> as non-IP traffic.  When I do a passive ftp, everything is accounted
> for correctly. Has anyone experienced that?

Followup.  The reason I was brief above is that I didn't want to give
a lot of irrelevant info to scare people away, I thought the problem
should be generic enough.  I am running ntop-2.0 stable with no patches,
which I compiled myself, on a single-CPU Linux machine with kernel 2.4.7,
glibc-2.2.4, 32MB of RAM and 2 PCI NICs, Intel Eepro 100 and 3Com 3c59x.  I did
default installation and am running ntop with no arguments.  The traffic
I am monitoring is being mirrored to one of the interfaces through
Extreme Network switch from a firewall machine running Astaro Linux.
That machine filters all traffic to a gateway Linux box, which is
connected by a T1 line to the outside world.  So the end result is I'm
monitoring both internal and external interfaces of the firewall
machine (I'm not using -M flag).  I don't get any errors.

I am hoping the above information is sufficient.

Thanks

Igor

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop
