Code it :-)
But let's take this to ntop-dev... Please respond only there...
Layer 3 protocols are defined to ntop in globals-core.c:
    addNewIpProtocolToHandle("IGMP", 2, 0 /* no proto */);
    addNewIpProtocolToHandle("OSPF", 89, 0 /* no proto */);
    addNewIpProtocolToHandle("IPSEC", 50, 51);
And processed in pbuf.c: processIpPkt()
    switch(nh) {
#ifdef INET6
    case IPPROTO_FRAGMENT:
      ...
    case IPPROTO_TCP:
      ...
    case IPPROTO_UDP:
      ...
    ...
    default:
      if(srcHost->ipProtosList != NULL) {
        protoList = myGlobals.ipProtosList;
        idx = 0;
        while(protoList != NULL) {
          if((protoList->protocolId == nh)
             || ((protoList->protocolIdAlias != 0) &&
                 (protoList->protocolIdAlias == nh))) {
            if(srcHost->ipProtosList) {
              if(srcHost->ipProtosList[idx] == NULL) {
                srcHost->ipProtosList[idx] =
                  calloc(sizeof(ShortProtoTrafficInfo), 1);
                if(srcHost->ipProtosList[idx] == NULL) return;
              }
              incrementTrafficCounter(&srcHost->ipProtosList[idx]->sent,
                                      length);
            }
            if(dstHost->ipProtosList) {
              if(dstHost->ipProtosList[idx] == NULL) {
                dstHost->ipProtosList[idx] =
                  calloc(sizeof(ShortProtoTrafficInfo), 1);
                if(dstHost->ipProtosList[idx] == NULL) return;
              }
              incrementTrafficCounter(&dstHost->ipProtosList[idx]->rcvd,
                                      length);
            }
            if(myGlobals.device[actualDeviceId].ipProtosList)
              incrementTrafficCounter(&myGlobals.device[actualDeviceId].ipProtosList[idx],
                                      length);
            found = 1;
            break;
          }
          idx++, protoList = protoList->next;
        }
      }
      ...
As you can see, when ntop gets down to ones it doesn't have decoders for
(e.g. those specified in the addNewIpProtocolToHandle() lines), it just
accumulates them.
Adding support for a new L3 protocol isn't hard, it just takes some
understanding of what's reasonable / appropriate / realistic to analyze and
count.
As for reporting, anything specified in addNewIpProtocolToHandle() IS broken
out in the All Protocols | Traffic report. Scroll right... And it's broken
out in the per-host pages (Global Protocol Distribution). It's not actually
part of Global TCP/UDP Protocol Distribution's "Other TCP/UDP-based
Protocols".
So... For PPTP, you need to add the addNewIpProtocolToHandle() line. Actual
reporting is in report.c printIpProtocolDistribution().
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, February 22, 2005 3:35 PM
To: [email protected]
Subject: [Ntop] ntop and other IP protocols
I have a great deal of IPSec (IP Protocol 50) and PPTP traffic (gre Protocol
47) going in and out of my network. Is there a way to get NTOP to break out
(in general terms) the Protocol 50 traffic and the Protocol 47 traffic so I
can tell them apart from other miscellaneous traffic using the TCP and UDP
protocols? Perhaps some sort of regular expression to spoof it as some sort
of other protocol to NTOP?
--
J. Eric Josephson
Director of Network and System Operations
978-720-2159
mailto:[EMAIL PROTECTED]
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
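
An added example, not part of the original message and not ntop's code: a simplified, self-contained C model of the lookup in the processIpPkt() excerpt above, matching an IP protocol number against a registered list by id or alias and accumulating byte counts. The names add_proto, account and bytes_for, the GRE entry and the sample packets are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the matching loop; not ntop's own structures. */
typedef struct proto {
  const char *name;
  int id, alias;         /* alias 0 means "no alias" */
  unsigned long bytes;   /* accumulated packet lengths */
  struct proto *next;
} proto_t;
static proto_t *protos = NULL;
static unsigned long other_bytes = 0;  /* no registered entry matched */

/* Hypothetical helper: append a protocol entry; returns 0 on success. */
int add_proto(const char *name, int id, int alias) {
  proto_t **tail = &protos, *p = calloc(1, sizeof(*p));
  if(p == NULL) return -1;
  p->name = name; p->id = id; p->alias = alias;
  while(*tail != NULL) tail = &(*tail)->next;
  *tail = p;
  return 0;
}

/* Count one packet by IP protocol number nh; returns the matched name. */
const char *account(int nh, unsigned long length) {
  for(proto_t *p = protos; p != NULL; p = p->next)
    if((p->id == nh) || ((p->alias != 0) && (p->alias == nh))) {
      p->bytes += length;
      return p->name;
    }
  other_bytes += length;   /* unregistered protocols share one bucket */
  return "other";
}

unsigned long bytes_for(const char *name) {
  for(proto_t *p = protos; p != NULL; p = p->next)
    if(strcmp(p->name, name) == 0) return p->bytes;
  return other_bytes;      /* unknown names report the catch-all bucket */
}

int main(void) {
  /* Constructed sample: {protocol number, length}; 132 is unregistered. */
  int pkts[][2] = {{50,100},{51,60},{47,1400},{47,200},{89,64},{132,500}};
  add_proto("IGMP", 2, 0); add_proto("OSPF", 89, 0);
  add_proto("IPSEC", 50, 51); add_proto("GRE", 47, 0);
  for(size_t i = 0; i < sizeof(pkts)/sizeof(pkts[0]); i++)
    printf("proto %d -> %s\n", pkts[i][0], account(pkts[i][0], pkts[i][1]));
  printf("GRE=%lu IPSEC=%lu other=%lu\n",
         bytes_for("GRE"), bytes_for("IPSEC"), other_bytes);
  return 0;
}
```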