On Thu, Jun 06, 2002 at 08:53:43AM +0200, Luca Deri wrote:
> Igor,
> suppose you capture traffic from interface eth0. Is eth0 configured with
> an IP address that belongs to your network or is it ip-less? If not,
> please add -m "your network address".
I was celebrating too early. When I use -m 172.17.0.0/255.255.0.0, I do see
active sessions, but all of them are reported to originate from the same IP
address on the 172.17.0.0/255.255.0.0 subnet (igor.txc.com below), even though
that's not the case. It also says that igor.txc.com is multihomed, but it's not.
Client | Server | Data Sent | Data Rcvd | Active Since | Last Seen | Duration | Latency
igor.txc.com Multihomed DNS :1581 | 204.202.130.210:http | 1.2 KB | 1.6 KB | 06/11/02 13:54:53 | 06/11/02 13:55:01 | 13 sec | 39.2 ms
igor.txc.com Multihomed DNS :1584 | 204.202.137.145:http | 2.1 KB | 56.3 KB | 06/11/02 13:54:57 | 06/11/02 13:55:00 | 9 sec | 39.9 ms
igor.txc.com Multihomed DNS :39559 | t184-10.btc.txc.com:netbios-ssn | 180 | 0 | 06/11/02 13:53:12 | 06/11/02 13:53:21 | 1:54 |
igor.txc.com Multihomed DNS :39553 | t184-10.btc.txc.com:microsoft-ds | 180 | 0 | 06/11/02 13:52:52 | 06/11/02 13:53:01 | 2:14 |
ool-xxxxxxxx.dyn.optonline.net:ftp-data | igor.txc.com Multihomed DNS :2449 | 22.4 MB | 413.9 KB | 06/11/02 13:51:46 | 06/11/02 13:55:06 | 3:20 |
igor.txc.com Multihomed DNS :5909 | thebe.rdc.txc.com:37095 | 149.1 KB | 76.9 KB | 06/11/02 13:51:46 | 06/11/02 13:55:05 | 3:20 |
main_server.svdc.txc.com:5900 | igor.txc.com Multihomed DNS :33274 | 493.0 KB | 49.1 KB | 06/11/02 13:52:25 | 06/11/02 13:54:54 | 2:41 |
208.5.237.129:ssh | igor.txc.com Multihomed DNS :51386 | 9.2 KB | 1.0 KB | 06/11/02 13:51:52 | 06/11/02 13:55:02 | 3:14 |
igor.txc.com Multihomed DNS :1695 | fw-int.txc.com:webcache | 16.5 KB | 59.4 KB | 06/11/02 13:54:35 | 06/11/02 13:54:49 | 31 sec | 0.1 ms
igor.txc.com Multihomed DNS :1699 | fw-int.txc.com:webcache | 32.3 KB | 45.9 KB | 06/11/02 13:54:37 | 06/11/02 13:54:49 | 29 sec | 0.1 ms
igor.txc.com Multihomed DNS :l2tp | fw-int.txc.com:webcache | 27.5 KB | 28.4 KB | 06/11/02 13:54:37 | 06/11/02 13:54:49 | 29 sec | 0.1 ms
igor.txc.com Multihomed DNS :1704 | fw-int.txc.com:webcache | 17.7 KB | 62.7 KB | 06/11/02 13:54:38 | 06/11/02 13:54:49 | 28 sec | 0.1 ms
igor.txc.com Multihomed DNS :1706 | fw-int.txc.com:webcache | 15.7 KB | 27.5 KB | 06/11/02 13:54:43 | 06/11/02 13:54:49 | 23 sec | 0.1 ms
igor.txc.com Multihomed DNS :2498 | fw-int.txc.com:webcache | 551 | 232 | 06/11/02 13:54:58 | 06/11/02 13:54:59 | 8 sec |
igor.txc.com Multihomed DNS :ssh | 192.168.200.68:34467 | 18.2 KB | 2.7 KB | 06/11/02 13:51:46 | 06/11/02 13:55:04 | 3:20 |
ool-182d471d.dyn.optonline.net:ssh | igor.txc.com Multihomed DNS :51288 | 16.0 KB | 10.1 KB | 06/11/02 13:51:47 | 06/11/02 13:54:58 | 3:19 |
I realize it's not one of those clear-cut, easy-to-reproduce-and-report
bugs. I'll provide any additional information on request. For now,
I'll just remind you that my ntop is listening on an IP-less interface
of a dual-interface Linux machine. My crude possible explanation is
that ntop caches the originator IP address of the very first session
it sees, and then attributes the same IP address to every subsequent
session.
Thanks
Igor