I don't know about that. I have logged both Kazaa and Gnutella traffic using the ports given for communication with those systems. Gnutella does almost all of its P2P communication on one port and I believe Kazaa is the same way. Neither of them shows traffic in the Other ports section.

Thanks,
Chris

-----Original Message-----
From: Peter Backx [mailto:[EMAIL PROTECTED]]
Sent: July 16, 2002 6:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Data missing?

This is not because of a malfunction in ntop. It is related to the protocol that WinMX and Kazaa use and the way ntop classifies network traffic.

Ntop classifies traffic based on the port numbers that the traffic is sent to or received from. This works ok for a connection from your client to the server, since most servers for the same protocol run on the same well-known port. However, if you download a file, a connection is set up between two clients on arbitrary ports (sometimes it's possible to limit the range from which port numbers are chosen). Since Ntop does not know about these ports and cannot know about these in advance, the traffic is logged in other IP (because usually high port numbers are chosen that are not associated with a specific protocol).

If you want to log all WinMX traffic you'd need to analyze the traffic that is sent and received from the WinMX server(s) to pick up the port numbers that are chosen for the transfers. However, it's not easy to do this:

First you need the protocol description of your p2p client. For both of the examples you gave these are not available, so you'd need cooperation from the authors or a lot of patience to reverse engineer the protocol.

Secondly you could put this functionality in an ntop plug-in, however plug-ins receive packets on the IP level, so you need to reconstruct the TCP packets, which is not an easy task, and it is double work since reconstruction is done in ntop anyway (can't remember the exact place, but it isn't hard to find "handleSession" or something). So you'll need to hack up the ntop source code, which (with all due respect for Luca) is quite messy (or at least it used to be a year back when I was actively using ntop, I think this has changed with the recent rewrite of large portions of the program).

If you feel up to the task, there used to be some code for the Napster protocol in ntop, so you might want to find an old version which has this, to see how it could be done. If you need any specific help I'd gladly help here and there, since this is functionality that I could use too, however I don't have time to do this on my own.

Also, do not underestimate the complexity of what you are asking (f.i. try to look at the protocol of Gnutella at http://rfc-gnutella.sourceforge.net/)

regards,
Peter

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> THOMAS KIHLBERG
> Sent: Tuesday, July 16, 2002 3:10 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] Data missing?
>
>
> Hi!
>
> I had a similar question one week ago but we still haven't found the
> solution: I use WinMX and Kazaa in a quite "summerdear" net in a
> university in Stockholm. We try to get ntop to register when we download.
> And we download and we download, but just a few bytes register and not
> in the column of WinMX or Morpheus but seems to get to the column
> OtherIP. We now use ntop2.1 and start the process with:
> /usr/local/bin/ntop -P /usr/local/bin/ -u root -E -S 2.
>
> We use Red Hat 7.3 and the program seems to work and determine the right
> DHCP servers, routers and so on. Do we have to do any more configs? Do
> we maybe need f.e. TCPWrappers? It's absent in the Current ntop config.
> I'm sorry for almost the same question, but we try to learn :)
>
> Thomas K and Niclas K, Stockholm
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://lists.ntop.org/mailman/listinfo/ntop
>

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://lists.ntop.org/mailman/listinfo/ntop
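
The accounting behaviour discussed in this thread, as an added example that is not part of any message above and is not ntop code: a port-table classifier that sends a peer-to-peer transfer to "Other IP", and the same classifier once it is given endpoints learned from the control connection. The port numbers are commonly cited defaults and are an assumption, as are the flow records, the `ANNOUNCED` list and every function name here; the control-channel parser that would produce `ANNOUNCED` is hypothetical.

```python
from collections import Counter

# Assumed port table: commonly cited default ports, not taken from the thread.
PORT_TABLE = {1214: "Kazaa", 6346: "Gnutella", 6699: "WinMX", 80: "HTTP"}

def classify_by_port(flow, learned=None):
    """Return the protocol label for a flow (src_ip, sport, dst_ip, dport, bytes)."""
    src, sport, dst, dport, _ = flow
    # First pass: static lookup on either port of the flow.
    for port in (dport, sport):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    # Second pass: (ip, port) endpoints learned from the control channel.
    if learned:
        for endpoint in ((dst, dport), (src, sport)):
            if endpoint in learned:
                return learned[endpoint]
    # Nothing matched, so the bytes are counted against no known protocol.
    return "Other IP"

def account(flows, announcements=()):
    """Sum bytes per label. `announcements` holds (protocol, ip, port) tuples
    that a hypothetical control-channel parser extracted before the transfer."""
    learned = {(ip, port): proto for proto, ip, port in announcements}
    totals = Counter()
    for flow in flows:
        totals[classify_by_port(flow, learned)] += flow[4]
    return dict(totals)

# Constructed sample flows: (src_ip, sport, dst_ip, dport, bytes)
FLOWS = [
    ("10.0.0.5", 40112, "192.0.2.10", 6699, 2_400),          # client to server (control)
    ("10.0.0.5", 40120, "198.51.100.7", 51833, 48_000_000),  # client to peer (file transfer)
    ("10.0.0.5", 40125, "203.0.113.9", 80, 15_000),          # ordinary web traffic
]
# Constructed: what parsing the control connection would have yielded.
ANNOUNCED = [("WinMX", "198.51.100.7", 51833)]

if __name__ == "__main__":
    print("ports only    :", account(FLOWS))
    print("with learning :", account(FLOWS, ANNOUNCED))
```
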
