When I get some time I will check out latest SVN source and enable debug. Little more info on the MAC address thing: if it's enabled, only my routers and my core switch show up under local traffic. My LAN traffic and remote traffic show up under remote traffic only. If I disable MAC addressing from the command line everything displays as it should. I do have multiple VLANs and they are specified in the command line startup. And I'm sniffing on spanning mirrored port, not using net flows.
I just turned on tcpdump looking at my DNS traffic on the server in question. Will let ya know what I find.

Cheers,
Eric

On Tue, Oct 11, 2011 at 9:50 AM, Gary Gatten <[email protected]> wrote:

> Weird...
>
> That mac address "-o" thing causes more trouble....
>
> So, IPs in your local and remote network ranges resolve, it's just slow?
>
> There are many debug options you can enable, but will require a recompile.
> I would use tcpdump to capture dns traffic between ntop and your dns
> server(s). Analyze that first before messing with the debug stuff.
>
> G
>
>
> *From*: Eric Peters [mailto:[email protected]]
> *Sent*: Tuesday, October 11, 2011 11:24 AM
> *To*: [email protected] <[email protected]>
> *Subject*: Re: [Ntop] DNS Resolution half working
>
> What I see from my environment, DNS resolves SLOW! I'm able to resolve from
> inside and outside my network, but takes hours to update. I'm also running a
> caching BIND server on the same server to see if that would speed things up,
> which it's not? Also on a side note for Ntop to work correctly separating my
> local and remote traffic I had to turn off MAC addresses via
> the command line -o
>
> Cheers,
> Eric
>
>
> On Tue, Oct 11, 2011 at 6:05 AM, Gary Gatten <[email protected]> wrote:
>
>> Caching likely has nothing to do with it. Do you notice if only your
>> "remote" networks resolve, or only your "local", or do IPs from local AND
>> remote networks resolve. If one type of hosts is consistently not resolving
>> it's prolly a bug in the resolution code
>>
>> ----- Original Message -----
>> From: Charles Gagnon [mailto:[email protected]]
>> Sent: Tuesday, October 11, 2011 06:51 AM
>> To: [email protected] <[email protected]>
>> Subject: Re: [Ntop] DNS Resolution half working
>>
>> I'm surprised there is no caching. I just can't get ntop to resolve
>> the IPs and show the names. It works in only about half the IPs and I
>> have no idea why.
>>
>> Looking at the "throughput" table, I will see some entries resolved
>> properly:
>>
>> sys1.unixrealm.com
>>
>> While others show the ip:
>>
>> 192.168.213.42 [IP]
>>
>> I can't figure out why this happens. I tested and re-tested my DNS and
>> these IPs resolve fine. Not sure why ntop won't handle it. Maybe it
>> should cache?
>>
>>
>> On Mon, Oct 10, 2011 at 2:05 PM, Gary Gatten <[email protected]> wrote:
>> > Lol! I have dns issues, but different than yours. If I run more than a
>> > single resolution thread ntop will die a horrible death.
>> >
>> > There's no dnscache.db for some time now. If u want caching try a
>> > caching resolver. I used bind.
>> >
>> > What do you want to start from scratch? There's no caching or other
>> > history related to resolution.
>> >
>> > After reviewing your problem it seems to be something with your dns
>> > and/or local resolver conf. What exactly is the issue?
>> >
>> > ----- Original Message -----
>> > From: Charles Gagnon [mailto:[email protected]]
>> > Sent: Monday, October 10, 2011 12:57 PM
>> > To: [email protected] <[email protected]>
>> > Subject: Re: [Ntop] DNS Resolution half working
>> >
>> > Nobody has DNS resolution issues?
>> >
>> > Did something replace dnsCache.db? Which of the DB files would I need
>> > to restart from scratch?
>> >
>> > On Wed, Sep 28, 2011 at 7:32 AM, Charles Gagnon <[email protected]> wrote:
>> >> These are all private servers. We use private addresses inside and NAT
>> >> out to the internet. All my servers use internal DNS servers. I have
>> >> /etc/resolv.conf setup as it should and nsswitch.conf says:
>> >>
>> >> hosts: files nis dns
>> >>
>> >> So I'm thinking gethostbyaddr() should work fine. I feel like
>> >> resolution was attempted at some point and results were cached and now
>> >> it's not retrying. But I can't find "dnsCache.db" yet the man page
>> >> still refers to it.
>> >>
>> >> I started with:
>> >>
>> >> # ntop -P /usr/local/var/ntop -u ntop -d
>> >>
>> >> And this is what I have:
>> >>
>> >> [root@sys1 ~]# ls -l /usr/local/var/ntop/
>> >> total 2072
>> >> -rw-r----- 1 ntop ntop 225280 Sep 27 09:20 fingerprint.db
>> >> -rw-r----- 1 ntop ntop 1986634 Sep 26 12:55 macPrefix.db
>> >> -rw-r----- 1 ntop ntop 12546 Oct 21 2010 ntop_pw.db
>> >> -rw-r----- 1 ntop ntop 14094 Sep 27 09:20 prefsCache.db
>> >> drwxrwxrwx 5 ntop ntop 4096 Oct 21 2010 rrd
>> >>
>> >>
>> >> On Tue, Sep 27, 2011 at 10:24 PM, Burton Strauss III
>> >> <[email protected]> wrote:
>> >>> 192.168.x.x/16 is the private space (RFC 1913). So no public facing DNS
>> >>> server would resolve those. It would only be resolved if you were pointing
>> >>> to your internal DNS server AND it was setup to manage the specific zone.
>> >>> So the question is where is nslookup getting names from?
>> >>>
>> >>> -----Burton
>> >>>
>> >>> -----Original Message-----
>> >>> From: [email protected]
>> >>> [mailto:[email protected]] On Behalf Of Charles Gagnon
>> >>> Sent: Tuesday, September 27, 2011 1:12 PM
>> >>> To: [email protected]
>> >>> Subject: [Ntop] DNS Resolution half working
>> >>>
>> >>> I searched for references and I can't find what this error could be.
>> >>> When listing hosts (especially in the throughput list I use a lot), some
>> >>> hosts get resolved and others don't and I can't figure out why.
>> >>> I've setup DNS resolution to 'All' (though I tried "local" and "Local
>> >>> + Remote").
>> >>>
>> >>> When I look at the list, a number of items have names, others show the IP
>> >>> with "[IP]" after. Seems very consistent, the same hosts are resolved and
>> >>> the same show IPs between restarts.
>> >>>
>> >>> I was thinking of flushing out dnsCache.db but I don't think that exists in
>> >>> 4.1.0 (gone since 3.x maybe?).
>> >>>
>> >>> When I dump the hosts, I see some with names and others without:
>> >>>
>> >>> 192.168.206.11|0|'192.168.206.11'|'192.168.206.11'|[...]
>> >>> 192.168.206.10|0|'192.168.206.10'|'hhnas01'|[...]
>> >>> 192.168.206.13|0|'192.168.206.13'|'192.168.206.13'|[...]
>> >>> 192.168.206.12|0|'192.168.206.12'|'192.168.206.12'|[...]
>> >>> 192.168.206.15|0|'192.168.206.15'|'hhutil01'|[...]
>> >>> 192.168.206.14|0|'192.168.206.14'|'192.168.206.14'|[...]
>> >>>
>> >>> Any ideas? Any other "cache" I can get rid of. Testing with nslookup yields
>> >>> a name for all those IPs.
>> >>>
>> >>> --
>> >>> Charles Gagnon
>> >>> charlesg at unixrealm.com
>> >>> _______________________________________________
>> >>> Ntop mailing list
>> >>> [email protected]
>> >>> http://listgateway.unipi.it/mailman/listinfo/ntop
>> >>>
>> >>
>> >> --
>> >> Charles Gagnon
>> >> charlesg at unixrealm.com
>> >
>> > --
>> > Charles Gagnon
>> > charlesg at unixrealm.com
>> >
>> > "This email is intended to be reviewed by only the intended recipient
>> > and may contain information that is privileged and/or confidential.
>> > If you are not the intended recipient, you are hereby notified that
>> > any review, use, dissemination, disclosure or copying of this email
>> > and its attachments, if any, is strictly prohibited. If you have
>> > received this email in error, please immediately notify the sender by
>> > return email and delete this email from your system."
>>
>> --
>> Charles Gagnon
>> charlesg at unixrealm.com
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
