On Mon, Dec 10, 2001 at 08:09:07PM +0100, Michael Weidel wrote:
Hi,
> > I'm under the impression that ntop's application level protocol summation
> > doesn't distinguish between outgoing and incoming traffic. It only uses the
> > port number on the remote host to determine the 'protocol'.
> >
> > Is this assumption correct?
>
> I don't know exactly what you mean but I think the answer is: ntop
> distinguishes between outgoing and incoming traffic.
Yes, but I think the "protocol statistics" thing is terribly confused by
some traffic.
> > I expect to see a separate chart for 'outgoing' and for 'incoming' traffic,
> > where protocols are distinguished by remote and local port numbers
> > respectively.
>
> You can look at the incoming traffic of every host: Data Rcvd - TCP/UDP
> You can sort this by any protocol. Perhaps you have to define your own
> protocols using your own file protocols.txt and start ntop with "-p
> protocols.txt".
I can do that, and indeed have. However, I think that for outgoing traffic
_served_ by my computer, ntop will use the remote port number to identify
the protocol, not the local one.
E.g. if a user connects to my port 80, and the remote port happens to be,
say, 6667, all the data my webserver sends will be registered as "irc
traffic", because the remote port is the ircd port.
Please correct me if I'm wrong.
> > E.g. everything that goes out from our local port 80 is outgoing http.
> > Everything that comes in from a remote port 80 is incoming http. And so on.
>
> Is this a switched environment?
Irrelevant. I want to meter the traffic distribution of a single box.
> > Did you consider implementing such a feature?
> You can also make your own plugin...
I'm not a very good C programmer, so I'd rather not. :)
> > It would also be nice if ntop could produce statistics of IP protocol
> > distribution (i.e. TCP/UDP/ICMP/IGMP/RSVP/etc).
>
> And here again: I don't know if I understand you right, but as far as I
> know ntop can do that.
It can't (or at least I couldn't make it do so). It just knows TCP, UDP and
ICMP; the rest is labeled "other IP".
Andrew
--
Andrew Korn (Korn Andras) <[EMAIL PROTECTED]>
Finger [EMAIL PROTECTED] for pgp key. QOTD:
Truth is just another misconception.
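
Added example, not part of the original message and not ntop code: the port 80 / port 6667 case from the thread, classified once by remote port only and once by the port the service actually listens on, with per-direction totals. The port map, the LOCAL_SERVICES set and the sample flows are constructed assumptions.

```python
from collections import Counter

# Constructed port-to-protocol map (the kind of mapping a protocols.txt holds).
PORTS = {80: "http", 6667: "irc", 25: "smtp"}

# Assumption: ports on which the metered box itself runs a server.
LOCAL_SERVICES = {80}

# Constructed flows as seen on the metered box:
# (direction, local_port, remote_port, bytes)
FLOWS = [
    ("out", 80, 6667, 50_000),   # our web server replying to a client using source port 6667
    ("in", 80, 6667, 1_200),     # that client's requests
    ("out", 34567, 80, 900),     # our own HTTP client talking to a remote web server
    ("in", 34567, 80, 80_000),   # the remote web server's replies
    ("out", 45678, 6667, 300),   # our own IRC client talking to a remote ircd
]

def by_remote_port(flow):
    """Classification the thread describes: only the remote port is consulted."""
    _, _, remote, _ = flow
    return PORTS.get(remote, "other")

def by_service_port(flow):
    """Use the local port when this box is the server, else the remote port."""
    _, local, remote, _ = flow
    port = local if local in LOCAL_SERVICES else remote
    return PORTS.get(port, "other")

def summarize(classify):
    """Total bytes per (direction, protocol) under the given classifier."""
    totals = Counter()
    for flow in FLOWS:
        direction, _, _, nbytes = flow
        totals[(direction, classify(flow))] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for name, fn in (("remote port only", by_remote_port),
                     ("service port", by_service_port)):
        print(name)
        for (direction, proto), nbytes in sorted(summarize(fn).items()):
            print(f"  {direction:3} {proto:5} {nbytes:>7}")
```

With remote-port-only classification the 50,000 bytes served from local port 80 are booked as outgoing irc; with the service-port rule they are booked as outgoing http.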