In 2.0.99 versions, you must use the -B option to add a filter. You also need to enclose the -m parameters in "s so getopt sees it as ONE parameter...
A quick check of 2.0 doesn't show the -B code I was looking for.

ntop 2.0 seems to depend on getopt:

"The default is to permute the contents of argv while scanning it so that eventually all the non-options are at the end. This allows options to be given in any order, even with programs that were not written to expect this."

With a bad -m, the 2nd value you think is going to -m is probably part of the filter expression, processed by parseTrafficFilter(argv, optind); (in main.c around 546).

The code in parseTrafficFilter() (initialize.c around 1079) should be rejecting the bogus expression and printing an error message, plus returning a code. But that code is ignored in main.c, so that ntop just continues on...

Look for one of these messages in the log:

"FATAL ERROR: wrong filter '%s' (%s) on interface %s\n"
or
"Set filter \"%s\" on device %s."

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chaloupka, Vaclav
Sent: Thursday, May 02, 2002 10:34 AM
To: '[EMAIL PROTECTED]'
Subject: [Ntop] ntop filter expression

Hi,

I have a purchased copy of the compiled Windows version of ntop (version 2.0 built on 27/12/2001) running on Windows NT. I have also installed WinPcap 2.3. It is installed on a Compaq machine using an Ethernet adapter (\Device\Packet_CpqNF31).

I'd like to monitor traffic from and to another server (AS/400). The ntop PC is connected to a switch with port mirroring enabled for the port with the AS/400 (so it can see all the traffic from and to the AS/400).

I start ntop with the following parameters:

C:\Program Files\ntop-Win32\ntop.exe -m <site IP>/16 src host> <AS/400 address> or dst host <AS/400 address>

Where <AS/400 address> is the IP address of the AS/400 and the <site IP> is the class B address of the site (I'd like to differentiate between the traffic originated locally from the site and the traffic coming over WAN). The site has a class B subnet.
THE PROBLEM is that I see traffic from the other machines to the machine where ntop is installed. So it seems that the filter is not working.

I also tried the filter expressions

host <AS/400 address>

and

IP host <AS/400 address>

But all three settings gave me the SAME RESULTS!

At the bottom of the report I can read:

Generated by ntop v.2.0 MT [WinNT/2K/XP] (27/12/2001 build) listening on [\Device\Packet_CpqNF31] without a kernel (libpcap) filtering expression

Why does it say "without a kernel (libpcap) filtering expression" when I did specify the filters?

Could you please help?

Thank you

Kind regards
Vaclav

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
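Added example, not part of the thread and not ntop code: a small C program showing the getopt behaviour described in the reply above, where only the first word after -m is bound to the option and every later word lands in the leftover arguments that are joined into the filter expression. The helper name split_args and the sample addresses are assumptions made for illustration, and the caller checks the return code instead of continuing after a failure.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not ntop code: bind -m to its single argument and
 * join every leftover non-option word (argv[optind..]) into `filter`.
 * Returns 0 on success, -1 on a bad option or an over-long filter. */
int split_args(int argc, char **argv, const char **m_value,
               char *filter, size_t filter_len)
{
    int opt;
    *m_value = NULL;
    filter[0] = '\0';
    optind = 0;   /* restart the scan; needed because this demo parses twice */
    opterr = 0;   /* report errors through the return code only */
    while ((opt = getopt(argc, argv, "m:")) != -1) {
        if (opt != 'm')
            return -1;            /* fail closed on unknown or incomplete options */
        *m_value = optarg;
    }
    for (int i = optind; i < argc; i++) {
        size_t used = strlen(filter);
        int n = snprintf(filter + used, filter_len - used, "%s%s",
                         used ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= filter_len - used)
            return -1;            /* never run with a truncated filter */
    }
    return 0;
}

int main(void)
{
    /* Constructed argv arrays: what the shell delivers without and with quotes. */
    char *unquoted[] = { "tool", "-m", "10.1.0.0/16", "10.2.0.0/16",
                         "host", "10.1.2.3", NULL };
    char *quoted[]   = { "tool", "-m", "10.1.0.0/16 10.2.0.0/16",
                         "host", "10.1.2.3", NULL };
    const char *m;
    char filter[128];

    if (split_args(6, unquoted, &m, filter, sizeof filter) != 0)
        return 1;                 /* stop instead of ignoring the error */
    printf("unquoted: -m='%s' filter='%s'\n", m, filter);
    if (split_args(5, quoted, &m, filter, sizeof filter) != 0)
        return 1;
    printf("quoted:   -m='%s' filter='%s'\n", m, filter);
    return 0;
}
```

In the unquoted case the second subnet becomes the first word of the filter, which is the kind of bogus expression a filter compiler should reject; the quoted case keeps both subnets in the -m value.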
