TCP sessions are just one of the items disabled by -j... or by the classification of
traffic as "remote" unless it's specified as pseudoLocal by -m (ntop doesn't track
remote sessions)
Unnumbered means not having an assigned IP address. Yes...
As to the tcpdump monitoring, I mean a host that is on another port on the same switch.
Let me try some ASCII art:
         +------+
         |Switch|
         +------+
          |    |
     (host     | mirrored port
      A)       |
             (ntop
              host)
What you're trying to see is the traffic from host A to "anywhere" else.
What you do is put a hub in the path between A and the switch and set up a machine to
run tcpdump on. Then you run tcpdump on both that host (call it "M") and the ntop
host, recording a few hundred packets while A talks to somebody else.
          +------+
          |Switch|
          +------+
           |    |
(host--+HUB+    |
 M)    |        |
    (host       | mirrored port
     A)         |
              (ntop
               host)
What you'll record is the same traffic, as seen by "A" and by ntop.
When you match them up at the tcp/ip level (and, sorry, this has to be done by that
famous Spanish network admin - Manuel Labor) you should be able to see what the MAC
addresses are in the matching packets.
-----Burton
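The matching step Burton describes (pair up the packets from the two tcpdump captures at the TCP/IP level, then look at the MAC addresses in each pair) can be scripted. The following is an added example, not code from the ntop project or from the message above; it reads two libpcap files, keys each TCP/IPv4 packet on (src IP, dst IP, ports, IP ID, TCP seq) and reports the Ethernet addresses each capture saw for every matched pair. The two captures, the hosts and the MAC addresses below are constructed in memory so it runs offline; with real captures you would pass the bytes of the two -w output files instead.

```python
"""Pair packets from two tcpdump captures and compare the MACs they carry.
Added example; the pcap data, hosts and MAC addresses are constructed."""
import struct

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # libpcap file header, 24 bytes
PCAP_REC = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over the IPv4 header (even length)."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ip_id, sport, dport, seq):
    """Constructed Ethernet/IPv4/TCP frame with an empty payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ETH_HDR.pack(bytes.fromhex(dst_mac.replace(":", "")),
                        bytes.fromhex(src_mac.replace(":", "")), 0x0800) + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a libpcap file (link type 1 = Ethernet)."""
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += PCAP_REC.pack(1026000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Yield one dict per TCP/IPv4 frame: a flow key plus the MACs on the wire."""
    magic, = struct.unpack("<I", data[:4])
    rec = struct.Struct(("<" if magic == 0xA1B2C3D4 else ">") + "IIII")
    off = PCAP_GLOBAL.size
    while off + rec.size <= len(data):
        _, _, incl_len, _ = rec.unpack_from(data, off)
        off += rec.size
        frame = data[off:off + incl_len]
        off += incl_len
        dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
        if ethertype != 0x0800:
            continue                      # not IPv4, skip
        ip = frame[14:]
        if ip[9] != 6:
            continue                      # not TCP, skip
        ihl = (ip[0] & 0x0F) * 4
        ip_id = struct.unpack_from("!H", ip, 4)[0]
        src_ip = ".".join(map(str, ip[12:16]))
        dst_ip = ".".join(map(str, ip[16:20]))
        sport, dport, seq = struct.unpack_from("!HHI", ip, ihl)
        yield {"key": (src_ip, dst_ip, sport, dport, ip_id, seq),
               "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac)}


def compare_captures(pcap_hub, pcap_mirror):
    """Match packets present in both captures and flag differing MAC pairs."""
    mirror = {p["key"]: p for p in parse_pcap(pcap_mirror)}
    results = []
    for p in parse_pcap(pcap_hub):
        m = mirror.get(p["key"])
        if m is None:
            continue                      # only seen on one side, nothing to compare
        hub_macs, mirror_macs = (p["src_mac"], p["dst_mac"]), (m["src_mac"], m["dst_mac"])
        results.append({"key": p["key"], "hub": hub_macs, "mirror": mirror_macs,
                        "rewritten": hub_macs != mirror_macs})
    return results


# Constructed sample: host A (192.168.0.10) exchanging two packets with 192.168.0.20.
A_MAC, B_MAC, OTHER_MAC = "00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:ff:ff:ff"
F1 = dict(src_ip="192.168.0.10", dst_ip="192.168.0.20", ip_id=100, sport=40000, dport=80, seq=1)
F2 = dict(src_ip="192.168.0.20", dst_ip="192.168.0.10", ip_id=200, sport=80, dport=40000, seq=500)
HUB_CAPTURE = build_pcap([build_frame(A_MAC, B_MAC, **F1), build_frame(B_MAC, A_MAC, **F2)])
# The constructed mirrored-port capture carries a different source MAC on the
# second packet, so the comparison reports that pair as rewritten.
MIRROR_CAPTURE = build_pcap([build_frame(A_MAC, B_MAC, **F1), build_frame(OTHER_MAC, A_MAC, **F2)])

if __name__ == "__main__":
    for r in compare_captures(HUB_CAPTURE, MIRROR_CAPTURE):
        print(r["key"], "hub:", r["hub"], "mirror:", r["mirror"],
              "REWRITTEN" if r["rewritten"] else "same")
```

Keying on IP ID plus TCP sequence number is what lets the same packet be recognised on both sides even though the Ethernet header may differ; packets seen on only one capture are ignored rather than guessed at.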
---------- Original Message ----------------------------------
From: Igor Schein <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Tue, 9 Jul 2002 19:35:50 -0400
>On Tue, Jul 09, 2002 at 06:31:46PM -0500, Burton M. Strauss III wrote:
>> Igor we've been through this on the list. Use -j | --border-sniffer-mode.
>>
>> First off, having an unnumbered port only means you MUST use -m, otherwise
>> all traffic is remote.
>
>By "unnumbered" you mean "ip-less", right? And by "MUST" you mean
>"MUST in order for active sessions to be listed", right? I don't
>have to use -m if I don't care about the sessions.
>
>>
>> The only way to be 100% sure is to try the experiment - running tcpdump on
>> your network.
>>
>> Limit it to traffic from, say, a specific host. On my network that would be
>>
>> tcpdump -i eth0 -c 100 -w filename ip and host 192.168.0.xxx
>>
>> You'll need to run it simultaneously on both the mirrored port and on a host
>> on the same switch port (you may have to insert a hub) as the one you pick
>> that isn't mirrored. And then compare the two captures...
>
>When you say "on the same switch port", do you mean "on a port which
>is on the same switch"? Sorry for being picky with the words, I just
>want to eliminate any ambiguity in interpretation of what you're
>saying.
>
>>
>> I'm pretty sure you will find that the MAC addresses have been re-written by
>> the switch to its own MAC address. If the switch doesn't rewrite the
>> packets, you can run into spanning tree loops. It might even be in the docs
>> (or an option) for your switch.
>
>I need to think a bit more about what I need to do. I'm still not
>100% clear on what I'm looking for in this experiment.
>
>Thanks
>
>Igor
>_______________________________________________
>Ntop-dev mailing list
>[EMAIL PROTECTED]
>http://lists.ntop.org/mailman/listinfo/ntop-dev
>