For now it will have to live as an open feature request... My capabilities end at basic Perl and advanced bash scripting... Any takers on this challenge? :-))
--
J. Eric Josephson
Director of Network and System Operations
978-720-2159
mailto:[EMAIL PROTECTED]

"Burton Strauss" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02/22/2005 05:26 PM
Please respond to ntop

To: <[email protected]>, <[email protected]>
cc:
Subject: RE: [Ntop] ntop and other IP protocols

Code it :-) But let's take this to ntop-dev... Please respond only there...

Layer 3 protocols are defined to ntop in globals-core.c:

    addNewIpProtocolToHandle("IGMP", 2, 0 /* no proto */);
    addNewIpProtocolToHandle("OSPF", 89, 0 /* no proto */);
    addNewIpProtocolToHandle("IPSEC", 50, 51);

And processed in pbuf.c: processIpPkt()

    switch(nh) {
    #ifdef INET6
      case IPPROTO_FRAGMENT:
      ...
      case IPPROTO_TCP:
      ...
      case IPPROTO_UDP:
      ...
      ...
      default:
        if(srcHost->ipProtosList != NULL) {
          protoList = myGlobals.ipProtosList;
          idx = 0;
          while(protoList != NULL) {
            if((protoList->protocolId == nh)
               || ((protoList->protocolIdAlias != 0) && (protoList->protocolIdAlias == nh))) {
              if(srcHost->ipProtosList) {
                if(srcHost->ipProtosList[idx] == NULL) {
                  srcHost->ipProtosList[idx] = calloc(sizeof(ShortProtoTrafficInfo), 1);
                  if(srcHost->ipProtosList[idx] == NULL) return;
                }
                incrementTrafficCounter(&srcHost->ipProtosList[idx]->sent, length);
              }
              if(dstHost->ipProtosList) {
                if(dstHost->ipProtosList[idx] == NULL) {
                  dstHost->ipProtosList[idx] = calloc(sizeof(ShortProtoTrafficInfo), 1);
                  if(dstHost->ipProtosList[idx] == NULL) return;
                }
                incrementTrafficCounter(&dstHost->ipProtosList[idx]->rcvd, length);
              }
              if(myGlobals.device[actualDeviceId].ipProtosList)
                incrementTrafficCounter(&myGlobals.device[actualDeviceId].ipProtosList[idx], length);
              found = 1;
              break;
            }
            idx++, protoList = protoList->next;
          }
        }
      ...

As you can see, when ntop gets down to ones it doesn't have decoders for (e.g. those specified in the addNewIpProtocolToHandle() lines), it just accumulates them.
Adding support for a new L3 protocol isn't hard, it just takes some understanding of what's reasonable / appropriate / realistic to analyze and count.

As for reporting, anything specified in addNewIpProtocolToHandle() IS broken out in the All Protocols | Traffic report. Scroll right... And it's broken out in the per-host pages (Global Protocol Distribution). It's not actually part of Global TCP/UDP Protocol Distribution's "Other TCP/UDP-based Protocols".

So... For PPTP, you need to add the addNewIpProtocolToHandle() line. Actual reporting is in report.c printIpProtocolDistribution().

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 22, 2005 3:35 PM
To: [email protected]
Subject: [Ntop] ntop and other IP protocols

I have a great deal of IPSec (IP Protocol 50) and PPTP traffic (gre Protocol 47) going in and out of my network. Is there a way to get NTOP to break out (in general terms) the Protocol 50 traffic and the Protocol 47 traffic so I can tell them apart from other miscellaneous traffic using the TCP and UDP protocols? Perhaps some sort of regular expression to spoof it as some sort of other protocol to NTOP?

--
J. Eric Josephson
Director of Network and System Operations
978-720-2159
mailto:[EMAIL PROTECTED]

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop

_______________________________________________
Ntop-dev mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
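The registration-then-accumulate path Burton describes (addNewIpProtocolToHandle() in globals-core.c feeding the default: branch of processIpPkt() in pbuf.c), and the PPTP/GRE line he says to add, modelled as a stand-alone C program. This is an added example written for this thread, not ntop's own code: the list and host structures (IpProtoHandle, HostInfo), the host table, the be32/sendPkt helpers, the return codes and the 10.0.0.x packets are all constructed here to mirror the quoted excerpt, not copied from the project.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define MAX_PROTOS 8
#define MAX_HOSTS  8

/* One registered layer-3 protocol; alias 0 means "no proto" as in the globals-core.c lines. */
typedef struct IpProtoHandle {
    const char *name;
    uint8_t protocolId, protocolIdAlias;
    struct IpProtoHandle *next;
} IpProtoHandle;
typedef struct { uint64_t sent, rcvd; } ShortProtoTrafficInfo;
typedef struct { uint32_t addr; ShortProtoTrafficInfo ipProtosList[MAX_PROTOS]; } HostInfo;

static IpProtoHandle *ipProtosList, *ipProtosTail;  /* hypothetical stand-in for myGlobals.ipProtosList */
static HostInfo hosts[MAX_HOSTS];
static int numProtos, numHosts;
static uint64_t tcpUdpBytes, otherBytes;            /* decoded TCP/UDP vs. nothing registered at all */
static uint8_t gbuf[1500];                          /* scratch space for constructed packets */

/* Mirrors addNewIpProtocolToHandle(name, id, alias): append, so the list position doubles as
 * the per-host counter index (idx in pbuf.c). Returns that index, or -1 when the table is full. */
int addNewIpProtocolToHandle(const char *name, uint8_t id, uint8_t alias) {
    IpProtoHandle *h;
    if (numProtos >= MAX_PROTOS || (h = calloc(1, sizeof *h)) == NULL) return -1;
    h->name = name; h->protocolId = id; h->protocolIdAlias = alias;
    if (ipProtosTail) ipProtosTail->next = h; else ipProtosList = h;
    ipProtosTail = h;
    return numProtos++;
}

static HostInfo *lookupHost(uint32_t addr, int create) {
    for (int i = 0; i < numHosts; i++) if (hosts[i].addr == addr) return &hosts[i];
    if (!create || numHosts >= MAX_HOSTS) return NULL;
    hosts[numHosts].addr = addr;
    return &hosts[numHosts++];
}
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Minimal IPv4 header parse. Returns the protocol field (nh), or -1 when the capture is shorter
 * than the header or the length fields disagree: a truncated or bogus packet is never counted. */
int parseIpv4(const uint8_t *pkt, size_t caplen, uint32_t *src, uint32_t *dst, uint16_t *totlen) {
    if (caplen < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    *totlen = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > caplen || *totlen < ihl) return -1;
    *src = be32(pkt + 12); *dst = be32(pkt + 16);
    return pkt[9];
}

/* Mirrors the default: branch of processIpPkt(): a protocol without a decoder is matched by id or
 * alias and its bytes go to the sender's "sent" and the receiver's "rcvd" slot for that idx.
 * Returns idx, -2 for TCP/UDP, -3 when nothing is registered for nh, -1 on a parse error. */
int processIpPkt(const uint8_t *pkt, size_t caplen) {
    uint32_t s, d; uint16_t length;
    int nh = parseIpv4(pkt, caplen, &s, &d, &length), idx = 0;
    if (nh < 0) return -1;
    switch (nh) {
    case 6: case 17:                /* IPPROTO_TCP / IPPROTO_UDP: ntop's real decoders sit here */
        tcpUdpBytes += length;
        return -2;
    default:
        for (IpProtoHandle *p = ipProtosList; p != NULL; p = p->next, idx++) {
            if (p->protocolId == nh || (p->protocolIdAlias != 0 && p->protocolIdAlias == nh)) {
                HostInfo *srcHost = lookupHost(s, 1), *dstHost = lookupHost(d, 1);
                if (srcHost) srcHost->ipProtosList[idx].sent += length;
                if (dstHost) dstHost->ipProtosList[idx].rcvd += length;
                return idx;
            }
        }
        otherBytes += length;       /* what stays lumped with miscellaneous traffic */
    }
    return -3;
}

/* Builds a constructed IPv4 packet (zeroed payload) in gbuf and feeds it to processIpPkt(). */
int sendPkt(uint8_t proto, uint32_t src, uint32_t dst, uint16_t totlen) {
    memset(gbuf, 0, sizeof gbuf);
    gbuf[0] = 0x45; gbuf[2] = (uint8_t)(totlen >> 8); gbuf[3] = (uint8_t)totlen; gbuf[8] = 64; gbuf[9] = proto;
    for (int i = 0; i < 4; i++) { gbuf[12 + i] = (uint8_t)(src >> (24 - 8 * i)); gbuf[16 + i] = (uint8_t)(dst >> (24 - 8 * i)); }
    return processIpPkt(gbuf, totlen);
}

/* Accessors standing in for what report.c printIpProtocolDistribution() would read out. */
uint64_t hostSent(uint32_t addr, int idx) { HostInfo *h = lookupHost(addr, 0); return h ? h->ipProtosList[idx].sent : 0; }
uint64_t hostRcvd(uint32_t addr, int idx) { HostInfo *h = lookupHost(addr, 0); return h ? h->ipProtosList[idx].rcvd : 0; }
uint64_t otherTraffic(void) { return otherBytes; }
const char *protoName(int idx) { IpProtoHandle *p = ipProtosList; while (idx-- > 0 && p) p = p->next; return p ? p->name : "other"; }

int main(void) {
    int ipsec = addNewIpProtocolToHandle("IPSEC", 50, 51), pptp = addNewIpProtocolToHandle("PPTP", 47, 0);
    uint32_t a = 0x0a000001, b = 0x0a000002;                 /* constructed hosts 10.0.0.1 and 10.0.0.2 */
    sendPkt(50, a, b, 100); sendPkt(51, b, a, 60); sendPkt(47, a, b, 200); sendPkt(200, a, b, 40);
    printf("%s: 10.0.0.1 sent %llu rcvd %llu | %s: sent %llu | other: %llu\n", protoName(ipsec),
           (unsigned long long)hostSent(a, ipsec), (unsigned long long)hostRcvd(a, ipsec),
           protoName(pptp), (unsigned long long)hostSent(a, pptp), (unsigned long long)otherTraffic());
    return 0;
}
```

Two things the model makes visible that the excerpt only implies: AH (51) lands in the same IPSEC slot as ESP (50) because of the protocolIdAlias test, so the report counts the pair as one protocol, and a protocol nobody registered (200 here, or GRE before the PPTP line is added) never reaches a per-host slot and is only ever counted as "other". The parse step also refuses a capture shorter than the IPv4 header or one whose total length is smaller than its header length, so a truncated or malformed packet cannot drive a counter update off a garbage nh value.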
