Greetings Luca et al:

I've been testing NTOP CVS 2.2.98 on a large network. I appreciate your work on this project -- I find it very useful. I also appreciate the changes you have made for finer-grained control of features for large networks (e.g., breaking apart -j, adding remote hosts when using -g, etc.).

However, when using -o | --no-mac for the reasons discussed in your documentation, I would still like ntop to report/track the MAC address associated with the IP. In other words, "Don't trust MAC addresses", but still report them for local hosts. Perhaps this could be an option to --no-mac which could be enabled/disabled.

With some tweaking, this would be useful in circumstances where a host inside the network is generating random, non-local, source IP addresses (recent malware feature), i.e., the source IP is not in -m (effective) but the source MAC address matches one that is. Or, it would be useful in a large, flat network in other circumstances. Obviously, I understand that the MAC displayed could be an intermediate router or switch rather than the actual host, but it is still valuable information. I also believe others who use port/VLAN mirroring (with somewhat reliable Layer 2 information) would appreciate this feature.

Regards,
Ken Beaty

_______________________________________________
Ntop-dev mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
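
The check described in the message above (a source IP outside the -m networks arriving from a MAC that is also seen with a local IP), as an added example that is not part of the original post or of ntop's code. The frame records, network and MAC addresses are constructed sample data, and the gateway allowlist is an assumption that covers the intermediate-router case the message mentions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation IP ranges and documentation MACs.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # plays the role of -m
GATEWAY_MACS = {"00:00:5e:00:53:01"}  # assumed known router; forwards remote sources

FRAMES = [  # (source MAC, source IP) pairs as seen on a mirror port
    ("00:00:5e:00:53:10", "192.0.2.10"),
    ("00:00:5e:00:53:11", "192.0.2.11"),
    ("00:00:5e:00:53:01", "192.0.2.1"),
    ("00:00:5e:00:53:01", "198.51.100.7"),   # routed traffic, expected
    ("00:00:5e:00:53:10", "203.0.113.45"),   # local host's MAC, non-local source
    ("00:00:5e:00:53:10", "198.51.100.99"),
    ("00:00:5e:00:53:22", "203.0.113.9"),    # MAC never seen with a local IP
]


def is_local(ip, nets=LOCAL_NETS):
    """True if the address falls inside one of the configured local networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_suspect_macs(frames, nets=LOCAL_NETS, gateways=GATEWAY_MACS):
    """Map each non-gateway MAC seen with both local and non-local source IPs
    to the sorted lists of addresses it used."""
    local_ips = defaultdict(set)
    foreign_ips = defaultdict(set)
    # First pass: collect every source IP per MAC, so frame order does not matter.
    for mac, ip in frames:
        bucket = local_ips if is_local(ip, nets) else foreign_ips
        bucket[mac.lower()].add(ip)
    suspects = {}
    for mac, foreign in foreign_ips.items():
        # Skip known routers and MACs that cannot be tied to a local host.
        if mac in gateways or mac not in local_ips:
            continue
        suspects[mac] = {"local": sorted(local_ips[mac]), "foreign": sorted(foreign)}
    return suspects


if __name__ == "__main__":
    for mac, seen in find_suspect_macs(FRAMES).items():
        print(mac, "local:", seen["local"], "non-local sources:", seen["foreign"])
```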
