This probably should have gone to the user list, not the devel list. However..
The -m using the correct internal network should have been all you needed. The --known-subnets makes things nice, but isn't required. We use this all over the place. The only time we have missing hosts is when there are strange vlan configs or tags. When in doubt, open it WAY up, like -m 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16. Then you'll see all the internal stuff. After that you can weed out what you don't want to see. Also, if this is inline, like running on a firewall, you don't need the -o. If it's a monitor/mirror/span port then you'll need that.

On 7/15/09 1:23 PM, "Robert Socha" <[email protected]> wrote:

> First, sorry for my bad English. It's not my native language.
>
> I have encountered a strange problem with ntop. I don't know if it is a
> bug or my error in ntop configuration.
>
> My network topology:
>
> Linux box with two interfaces:
>
> eth0 - x.x.x.10/30 - default gw -> x.x.x.9/30
> eth1 - y.y.y.193/27 - dmz
> eth1:1 - 192.168.200.1/30 - link to my switch (managed)
>
> I wanted to monitor traffic on the eth1 subnet (local only, no remote hosts)
>
> My first step was this ntop config:
>
> ntop -i eth1 -g -m y.y.y.193/27 -n -o -z -c
>
> But ntop added for the eth1:1 interface the default subnet 0.0.0.0 and because
> of this ntop monitors local and remote traffic.
>
> My second try was this:
>
> ntop -i eth0 -g -m y.y.y.193/27 -n -o -z -c --known-subnets y.y.y.193/27
>
> And this almost worked for me. The problem was that some hosts from the
> y.y.y.193/27 network were missing
>
> for example:
> y.y.y.193 - ok
> y.y.y.194 - ok
> y.y.y.195 - missing
> y.y.y.196-198 - ok
> y.y.y.199 - missing
> etc
>
> Every host modulo 4 was missing (4 hosts == prefix for eth0
> interface). It seems that ntop uses the eth0 network mask to filter hosts
> from the -m subnet parameter.
>
> My solution for this problem was to "hack" the source of ntop to change the
> subnet for eth0 to make this config work for me. (I simply set the
> netmask of eth0 == eth1 in source file initialize.c)
>
> My question is:
>
> is this ntop config ok?
>
> ntop -i eth0 -g -m y.y.y.193/27 -n -o -z -c --known-subnets y.y.y.193/27
>
>
> I tested this on ntop 3.3.8 and 3.3.9 and older (I was unable to
> compile 3.3.10 on my CentOS 5.3 box with the default toolchain)
>
> I hope you understand me :)
>
> Greetings
> _______________________________________________
> Ntop-dev mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop-dev

Frank Eargle II
Information Security Analyst
SC Computer Incident Response Team
The Division of State Information Technology (DSIT)
4430 Broad River Rd
Columbia, SC 29210
803-896-1650 SC-ISAC Response Center
803-896-0711 Direct Line
http://sc-isac.sc.gov
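The "every fourth host missing" pattern from the quoted report, reproduced as an added example that is not part of the thread or of ntop's code: Python's ipaddress module classifies the /27 under the interface's /30 mask beside the intended /27 mask, and checks addresses against a -m list the way the reply describes. It assumes (the thread does not say so) that a host is dropped when it is the broadcast address of the /30 block containing it, and it uses the documentation prefix 203.0.113.x in place of y.y.y.x as constructed sample data.

```python
import ipaddress

# Constructed stand-in for the thread's "-m y.y.y.193/27" DMZ subnet.
DMZ = ipaddress.ip_network("203.0.113.192/27")
# Prefix length of eth0 (x.x.x.10/30) from the thread.
IFACE_PREFIX = 30
# The reply's "open it WAY up" -m list.
WIDE_LOCAL = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dropped_under_prefix(subnet, prefix_len):
    """Hosts of `subnet` that look like a broadcast address when each address
    is interpreted with `prefix_len` instead of the subnet's own prefix.
    Hypothesis only: this is one mechanism that yields the reported pattern."""
    dropped = []
    for host in subnet.hosts():
        # The /prefix_len block that contains this host (strict=False keeps host bits).
        block = ipaddress.ip_network(f"{host}/{prefix_len}", strict=False)
        if host == block.broadcast_address:
            dropped.append(host)
    return dropped


def last_octets(addrs):
    """Last octet of each address, to compare with the y.y.y.N list in the thread."""
    return [int(a) & 0xFF for a in addrs]


def is_local(addr, local_subnets):
    """The -m semantics from the reply: local if the address falls in any listed subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_subnets)


if __name__ == "__main__":
    print("missing under /%d:" % IFACE_PREFIX,
          last_octets(dropped_under_prefix(DMZ, IFACE_PREFIX)))
    print("missing under /27:", last_octets(dropped_under_prefix(DMZ, 27)))
    for a in ("10.1.2.3", "172.31.0.9", "192.168.200.1", "203.0.113.193"):
        print(a, "local" if is_local(a, WIDE_LOCAL) else "remote")
```

Under the /30 interpretation the dropped last octets are 195, 199, 203, ... 219, matching the "ok, ok, missing, ok, ok, ok, missing" sequence in the report; under /27 nothing is dropped.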
