Not a clue - you don't tell us what your environment is!

Ultimately it depends on the OS and NIC (remember, some high-end NICs do a
LOT of processing on-board and drop "junk"; others just buffer off the wire
and interrupt the CPU and let IT deal with it).  TCP/IP stacks differ in how
they handle "bad" packets, where they provide hooks, etc.

ntop uses the standard libpcap library, the same as used by tcpdump,
ethereal, snort, et al.  If those tools see the packets, ntop will.  If they
don't, ntop won't.  Tools like ntop use libpcap to hide from the crushing
burden of OS- and NIC- specific differences.

Some basic pointers:

First off, check the libpcap "home page"

    http://www.tcpdump.org/

This points you at:

    http://www.cse.nau.edu/~mc8/Socket/Tutorials/section1.html

A small Google search (libpcap filtering) gives these:

    http://www.whitefang.com/rin/rawfaq.html#3
    http://www.tcpdump.org/lists/workers/2001/10/msg00114.html
    http://winpcap.polito.it/misc/changelog.htm

Logically, most packets have to be seen before filtering because otherwise
IDS etc. tools would be useless in some environments...  This doesn't mean
it can see all the wire level junk...

You're going to have to do some research yourself on the low-level dirty
details of your OS and NIC.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Harris, James
Sent: Wednesday, April 17, 2002 10:21 AM
To: '[EMAIL PROTECTED]'
Subject: [Ntop] ntop interaction with ip filtering?


Hi all --

I hope this question isn't too stupid (or a repost), but I'm curious.  If I
have ip filtering on an interface that I've told ntop to monitor, will it
affect what ntop sees?  In other words, does ntop get the packet before or
after the filter, or, do ntop and filtering occur in parallel, thus, not
affecting what ntop sees?

Thanks a million for any info!  I'd love it if someone could provide a
brief, but educational explanation on how the packet is treated under this
situation -- this is a hole in my knowledge and I'd love to fill it!

--Jim
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop
