Hi,

You may recall that I have constantly been going on about a problem where
ntop would not correctly identify the application level protocol (i.e. port
number) of some traffic.

I now have an example, obtained with ntop 2.0beta20011016.

I use the following protocols.list:

ssh=22,direct_http=80,http_squid=3128|31280,http_junk=8000,ICQ=4000|5190,YIM=5050,ftp=21|20,telnet=23,whois=43,DNS=53,bootp=67|68,finger=79,smtp=25,pop3=110,auth=113,ntp=123,netbios=137|138|139|445,imap2=143,xdmcp=177,irc=6666|6667|6668|6669|66670,ldap=389,notes=1352,ipp=631,ldaps=636,rsync=873,ftps=990|989,telnets=992,imaps=993,pop3s=995,socks=1080,cvs=2401,dict=2628,icpv2=3130,vnc=5900-5960,X11=6000-6015,xfont=7100|7101|7102|7110,swat=901,ssmtp=465,zebra=2600-2606,dnetc=2064,bzflag=5155|5156,cddb=8880

The part that concerns us now is 'vnc=5900-5960'.

I ran 'tcpdump -l -n | adnsresfilter' for a while. This generates huge
amounts of DNS traffic. I did not run anything else, and I certainly did not
run a VNC client.

However, some of my DNS queries went out from ports in the above range
(5900-5960), obviously to port 53 (udp); the replies came from port 53 to
the high port between 5900 and 5960.

ntop reported that I have had VNC traffic, which is incorrect. I merely had
DNS traffic whose client port happened to be one of the VNC server ports.

The correct behaviour would have been to recognize the incoming UDP packet
as a DNS reply and file it under 'DNS traffic'.

(Also note that VNC uses TCP while DNS primarily uses UDP, so implementing
the protocol distinction I requested in my previous message would also
reduce the confusion caused by this bug.)

To sum it up, ntop behaves incorrectly when the protocol list includes port
numbers that will be used as client ports as well as server ports.

Best regards,

Andrew

PS. I believe the word 'protocol' is used somewhat misleadingly throughout
ntop and its documentation; you actually mean 'tcp or udp based application
level protocol' or 'tcp or udp port number' in most cases. (Note that the
mapping between application level protocols and port numbers is not 'hard',
so ntop does not actually log protocol distribution, only port number
distribution, but this is almost irrelevant.) Sometimes the word 'protocol'
is used to mean 'IP level protocol' or 'transport protocol'. Please consider
adding appropriate qualification to each use of the term.

-- 
            Andrew Korn (Korn Andras) <[EMAIL PROTECTED]>
             Finger [EMAIL PROTECTED] for pgp key. QOTD:
                 Ultimate office automation: networked coffee.
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop
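The port collision described in the message above, as an added example that is not part of the original post or of ntop's own code: a small classifier that reads the poster's protocols.list syntax, reproduces the "either port hits a range" behaviour that mislabels a DNS query as VNC, and then shows two defensive rules (prefer the lower-numbered, well-known port when both ends match, and skip entries that cannot run over the observed transport). The TCP_ONLY set is an assumption added for the demonstration; protocols.list itself carries no transport information.

```python
from typing import List, Optional, Tuple

# Constructed subset of the poster's protocols.list, in the same syntax:
# entries separated by commas, ports separated by '|', ranges as low-high.
PROTOCOLS_LIST = "ssh=22,DNS=53,http_squid=3128|31280,vnc=5900-5960"

# Assumed (not in protocols.list): named services that never run over UDP.
TCP_ONLY = {"ssh", "vnc", "http_squid"}

Table = List[Tuple[str, List[range]]]

def parse_protocols_list(text: str) -> Table:
    """Parse 'name=spec,...' into (name, [port ranges]), keeping file order."""
    table: Table = []
    for entry in text.split(","):
        name, spec = entry.split("=", 1)
        ranges = []
        for part in spec.split("|"):
            lo, _, hi = part.partition("-")      # "5900-5960" or "22"
            ranges.append(range(int(lo), int(hi or lo) + 1))
        table.append((name.strip(), ranges))
    return table

def lookup(table: Table, port: int, transport: str = "tcp") -> Optional[str]:
    """First entry whose ranges contain 'port' and whose transport fits."""
    for name, ranges in table:
        if transport == "udp" and name in TCP_ONLY:
            continue                             # VNC cannot be UDP traffic
        if any(port in r for r in ranges):
            return name
    return None

def classify_naive(table: Table, sport: int, dport: int) -> Optional[str]:
    """The reported misbehaviour: whichever port hits an entry first wins and
    the transport is ignored, so a DNS query 5910 -> 53/udp becomes 'vnc'."""
    return lookup(table, sport) or lookup(table, dport)

def classify(table: Table, sport: int, dport: int,
             transport: str = "tcp") -> Optional[str]:
    """Match both ends; when both match, prefer the lower-numbered port, which
    is the well-known server side far more often than an ephemeral client port
    that merely falls inside a configured range."""
    hits = [(p, lookup(table, p, transport)) for p in (sport, dport)]
    hits = [(p, n) for p, n in hits if n is not None]
    return min(hits)[1] if hits else None
```

Run against a query from client port 5910 to 53/udp, classify_naive() returns 'vnc' while classify() returns 'DNS'; the lower-port rule alone already fixes the reported case, and the transport check additionally stops any UDP packet from being filed under VNC.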