You probably need to give ntop more information with the -m | --local-subnets option
By default, ntop will use the address and mask of the network interface as it's "locals" and everything else is "remote". Except for one chart (IP Protos | Distribution), ntop pretty much ignores remote<-> remote traffic. With your x.x.x.138/28 address, stuff in the other subnets is being viewed as remote. I don't know whether -m x.x.xx.0/24 will work or if you will have to explicitly give the /25 + /26 + /27 + /28, e.g.: -m x.x.x.0/25,x.x.x.192/26,x.x.x.160/27,x.x.x.144/28 (I *think* that's the right mask set) -----Burton ---------- Original Message ---------------------------------- From: "Earl C. Terwilliger" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Date: Tue, 9 Jul 2002 09:32:43 -0400 >Hello, > >I am having a problem with capturing all IP data on an interface, >running RedHat 7.3 and the current Ntop. > >My IP for example is xxx.xxx.xxx.138 with a subnet mask of >255.255.255.240. When I put the subnet mask as 255.255.255.0 I am able to >capture all traffic (even for IPs not on this network). But I need the >correct subnet mask for routing. So I put the interface in promiscous mode >with : ifconfig eth3 promisc > >Now I am only seeing traffic for IPs within the block masked off. If I use >tcpdump I am able to see all traffic but not with NTOP. > >What am I doing wrong? > >Thanks, >Earl > >_______________________________________________ >Ntop-dev mailing list >[EMAIL PROTECTED] >http://lists.ntop.org/mailman/listinfo/ntop-dev > __________________________________________________ D O T E A S Y - "Join the web hosting revolution!" http://www.doteasy.com _______________________________________________ Ntop-dev mailing list [EMAIL PROTECTED] http://lists.ntop.org/mailman/listinfo/ntop-dev
