RE: [Ntop-dev] Active TCP Sessions bug

Tue, 09 Jul 2002 16:02:34 -0700 

Igor we've been through this on the list.  Use -j | --border-sniffer-mode.

First off, having an unnumbered port only means you MUST use -m, otherwise
all traffic is remote.

The only way to be 100% sure is to try the experiment - running tcpdump on
your network.

Limit it to traffic from, say, a specific host.  On my network that would be

    tcpdump -i eth0 -c 100 -w filename ip and host 192.168.0.xxx

You'll need to run it simultaneously on both the mirrored port and on a host
on the same switch port  (you may have to insert a hub) as the one you pick
that isn't mirrored.  And then compare the two captures...

I'm pretty sure you will find that the MAC addresses have been re-written by
the switch to it's own MAC address.  If the switch doesn't rewrite the
packets, you can run into spanning tree loops.  It might even be in the docs
(or an option) for your switch.

Given that, I'm pretty sure that the code is right.  It may not be optimal -
there are probably things disabled under -j that we could "get back" as we
understand the traffic better, but that will increase the complexity of the
packet handling.  And won't be in 2.1...


-----Burton





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of Igor Schein
Sent: Tuesday, July 09, 2002 5:59 PM
To: [EMAIL PROTECTED]
Subject: [Ntop-dev] Active TCP Sessions bug


Hi,

I just wanted to inform, that the bug I previously reported about
bogus Active TCP Sessions listings is still there as of 2.0.99 RC3.
Briefly, I am listening to mirrored traffic on ip-less interface and
supplying a local subnet with -m, and I'm seeing that all sessions
supposedly originate from the same IP address.

Have there been any changes between RC3 and current CVS which would
address this issue?  If not, would there be interest in having it
fixed prior to 2.1 release?

Thanks

Igor
_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://lists.ntop.org/mailman/listinfo/ntop-dev

_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://lists.ntop.org/mailman/listinfo/ntop-dev

Reply via email to