Mike, this is a problem that was mentioned here earlier by several of us. An IP 
address that resolves to the corresponding FQDN on the machine running IM 
Remote does not always resolve successfully in IM Flows.

I see that quite often. I haven't been keeping careful records of addresses 
that don't resolve in IM Flows, but I have noticed the same ones cropping up 
multiple times. I've double-checked the PTR records for those IP addresses and 
they are correct, and reverse lookups using nslookup and dig always succeed.

--
Chip Old (Francis E. Old) <[EMAIL PROTECTED]>
Administrator, Network Operations
Baltimore County Public Library
320 York Road
Towson, MD 21204-5179 US
410-887-6180 office
410-236-8582 mobile
410-887-2091 fax


________________________________
From: Mike Lieberman <[EMAIL PROTECTED]>
Reply-To: InterMapper Discussion <[email protected]>
Date: Fri, 19 Sep 2008 13:36:39 -0400
To: InterMapper Discussion <[email protected]>
Subject: RE: Spam:*******, RE: [IM-Talk] Net Flows Question

That's nice BUT even then the PTR should resolve to the A name. So why
didn't it?

If you want the actual names to run a DNS lookup or DIG on I will provide it
off line.

-----Original Message-----
From: [email protected]
[mailto:[EMAIL PROTECTED] On Behalf Of Janice Losgar
Sent: Friday, September 19, 2008 11:29 AM
To: 'InterMapper Discussion'
Subject: Spam:*******, RE: [IM-Talk] Net Flows Question

Mike,

IM Flows uses a DNS PTR query to identify the name for a given IP address.
The NetFlow information exported by the router contains the source and
destination IP addresses; it does not contain any information from the
payload of the TCP packet itself.

If you have a web server that serves multiple virtual hosts, e.g. one for a
restaurant and one for a local newspaper, you will not be able to identify
whether a flow went specifically to one web site or the other. All you can
tell is that certain computers talked to a server on port 80.


-- Janice

-----Original Message-----
From: [email protected]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Lieberman
Sent: Friday, September 19, 2008 1:15 PM
To: 'InterMapper Discussion'
Subject: Spam:*******, RE: [IM-Talk] Net Flows Question

Janice,

Here's the scenario:
        Network Admin opens his Browser and types:
                http://name.domain.net/file.zip
        He downloads the file.
        He is running IM-R and opens the Flows Window
        Under the Sessions Tab he sees his http session but
                ...the server is listed by IP address.
                The "name.domain.net" is a cname and the
                Webserver is doing http 1.1 host header lookup

Why can't Flows report the name?

Mike Lieberman
Net Wright LLC

-----Original Message-----
From: [email protected]
[mailto:[EMAIL PROTECTED] On Behalf Of Janice Losgar
Sent: Friday, September 19, 2008 11:00 AM
To: 'InterMapper Discussion'
Subject: Spam:*******, RE: [IM-Talk] Net Flows Question

Mike,

Are you looking in the Flows window and seeing IP addresses that are not
resolved? It's the client OS that does the resolving, not the server. Is the
address resolvable from the client where you are viewing the Flows window?

Regards,

Janice Losgar
Dartware, LLC

-----Original Message-----
From: [email protected]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Lieberman
Sent: Friday, September 19, 2008 12:40 PM
To: 'InterMapper Discussion'
Subject: Spam:*******, [IM-Talk] Net Flows Question

I am looking at the session log and note that when the remote server was
called by a CNAME, the name is not displayed; rather, the IP address is
listed. Since the CNAME was properly resolvable via public DNS, why doesn't
it display?



____________________________________________________________________
List archives:
http://www.mail-archive.com/intermapper-talk%40list.dartware.com/
To unsubscribe: send email to: [EMAIL PROTECTED]
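
The following is an added example, not part of the original thread and not InterMapper code. It models the asymmetry discussed above: a forward lookup follows a CNAME to an address, but a flow record carries only that address, so a PTR lookup can return only the canonical host name. The zone data, the names web01.hosting.example and other.domain.net, and the addresses are constructed assumptions.

```python
import ipaddress

# Constructed zone data (documentation address ranges, hypothetical names).
ZONE = {
    ("name.domain.net", "CNAME"): "web01.hosting.example",
    ("other.domain.net", "CNAME"): "web01.hosting.example",
    ("web01.hosting.example", "A"): "192.0.2.10",
    ("10.2.0.192.in-addr.arpa", "PTR"): "web01.hosting.example",
}

def forward(name, max_hops=8):
    """Resolve a name to an IPv4 address, following CNAMEs as a client resolver does."""
    for _ in range(max_hops):
        if (name, "A") in ZONE:
            return ZONE[(name, "A")]
        name = ZONE.get((name, "CNAME"))
        if name is None:
            return None
    return None  # CNAME loop or chain too long

def reverse(ip):
    """PTR lookup: the only DNS query that can be made from an exported IP address."""
    qname = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.2.0.192.in-addr.arpa
    return ZONE.get((qname, "PTR"))

def label_flow(flow):
    """Label a NetFlow-style record; it holds addresses and ports, no HTTP Host header."""
    src, dst, dport = flow
    return (reverse(src) or src, reverse(dst) or dst, dport)

# Constructed flows: one client fetching from two virtual hosts on the same server.
FLOWS = [
    ("198.51.100.7", forward("name.domain.net"), 80),
    ("198.51.100.7", forward("other.domain.net"), 80),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f, "->", label_flow(f))
```

Both flows receive the same label, and an address with no PTR record (the client here) stays numeric.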
