Hello all!
When you have 2 NICs ...

eth0 collecting data from a switch port
eth1 collecting NetFlow from a router

I'm thinking the -M option SHOULD be set so NTOP does not merge
together eth0 and eth1 (or NetFlow device)?

Would I be correct in saying this, or would the nature of NTOP
already be not to merge data between a regular interface and a
logical NetFlow interface?

Thanks,
Blake

--- "Burton M. Strauss III" <[EMAIL PROTECTED]> wrote:
>
> Assuming you only care about netFlow, you are correct. You only need to
> monitor (real) NICs that you want to collect data from. Whether you use
> that data only to display ntop's web pages or to forward to a netFlow
> receiver is irrelevant. Cigarillo...
>
> "why is the NetFlow-device interface created when you turn on the plugin?"
>
> Basically, there is a large, dynamic data structure in ntop that holds all
> the information about a device, collected, sniffed, etc. from the packets.
> ntop creates one if it's merging data or multiples if it's not merging data,
> one per "device". So, ntop creates another one of these structures to hold
> the information it receives via netFlow packets when it's acting as a
> netFlow receiver. That way, all the reporting logic just works... it
> doesn't know the difference.
>
> The structure has to be created before the first netFlow packet is received,
> i.e. when we KNOW -- based on the persistent settings for the plugin, or
> your setting the port # -- that we'll be dealing with inbound netFlow data.
>
> -----Burton
>
> -----Original Message-----
> From: Blake [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 27, 2002 2:08 PM
> To: Burton M. Strauss III; [EMAIL PROTECTED]
> Subject: RE: [Ntop] NetFlow Overview
>
> Thanks for the reply (even though you are on vacation)
>
> SO here is my current config, and it appears as though
> I am receiving NetFlow packets from the router. So, I
> should not enable any of the following devices unless
> I am exporting NetFlow data from that device to a
> remote NetFlow collector ... cigar?
>
> In order to receive NetFlow from a router, I just need
> to enable the plugin and specify the UDP port.
>
> By the way, why is the NetFlow-device interface
> created when you turn on the plugin? Of course I saw
> NOTE: #4 A virtual NetFlow device is activated only
> when incoming flow capture is enabled --- but I don't
> understand its purpose.
>
> ##############
> CURRENT CONFIG
> ##############
>
> Interface Name    NetFlow Enabled
> eth0              No
> eth1              No
> NetFlow-device    No
>
> WARNING: as all the interfaces are disabled, no flows
> will be exported
>
> Flow Statistics
> # Pkts Rcvd.value 124
> # Flows Rcvd.value 3,720
> # Flow with Bad Version 0
> Flow Senders 192.168.2.1 [124 pkts]
>
> --- "Burton M. Strauss III" <[EMAIL PROTECTED]> wrote:
> > Pick one:
> >
> > Wrongo dragon breath...
> > Close grasshopper, but no cigar...
> >
> > Separate the two activities of netFlow in your mind.
> > THEY DO NOT OVERLAP!
> >
> > When ntop is acting as a receiver of netFlow data, it receives the packets
> > on the specified port and stores the data in its internal structures just
> > like data collected off another network card. Hence you switch "NICs" to
> > report on the netFlow data.
> >
> > When ntop is acting as a collector of netFlow data, it collects information
> > from its network cards and sends that off to some netFlow receiver. You
> > can monitor the data ntop has received just like normal, but you can't
> > monitor the data ntop has sent via netFlow to another device, you have to
> > use that device to monitor it...
> >
> > You started ntop ... -i eth0 ... that's why you only have the two devices,
> > eth0 and netFlow. Because that's all you've told ntop to monitor... how
> > about ... -i eth0,eth1 ... ???
> >
> > If you are only using ntop to receive netFlow data, you may have a problem.
> > IIRC, it won't run without monitoring at least one (real) NIC. I might be
> > wrong... I suppose you could always monitor the local loopback (-i lo).
> > Once it's up? As I've said before, the data collected by netFlow somewhere
> > else and sent to ntop is presented via the netFlow pseudo-nic.
> >
> > You're right it won't have session and other detailed data - that's not in
> > the flows (look at the header files, you'll see what's being "recorded").
> >
> > -----Burton
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Blake
> > Sent: Friday, September 27, 2002 12:09 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Ntop] NetFlow Overview
> >
> > Hopefully someone can assist my ignorance in regards
> > to using NTOP as a NetFlow collector. If not ...
> > that's cool! Just thought I would ask. I just have a
> > few basic questions, which are listed below after I
> > describe my environment.
> >
> > -------------------------
> > My environment explained;
> > -------------------------
> >
> > ###########
> > NTOP SERVER
> > ###########
> >
> > ./ntop -a ntop.access.log -i eth0 -w 10.4.4.51:3999 -m 10.0.0.0/255.0.0.0,192.168.0.0/255.255.0.0 -p protocol.list -E -P /eth1/ -u ntopuser -d
> >
> > RH7.3
> > ntop-02-09-25
> > Dell Pentium PC -- 2 NICS
> > ETH0 10.4.4.51 (web server listening)
> > ETH1 1.1.1.1 (Cisco switch port monitoring router port)
> > NetFlow plugin: enabled
> > Local Collector UDP port: 2055
> >
> > Interface Name    NetFlow Enabled
> > eth0              Yes
> > NetFlow-device    No
> >
> > Flow Statistics
> > # Pkts Rcvd.value 366
> > # Flows Rcvd.value 10,980
> > # Flow with Bad Version 0
>
=== message truncated ===
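Added example, not part of the thread and not ntop's own code: a sketch of the receiver-side checks that sit behind counters like the "Flow Statistics" listing quoted above, reproducing the 124 packets / 3,720 flows from sender 192.168.2.1. It assumes NetFlow v5 framing (24-byte header, 48-byte records, at most 30 records per datagram), which the thread does not state; the sender allowlist, the extra counters and all function names are assumptions for illustration.

```python
import struct
from collections import Counter

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD_LEN = 48
V5_MAX_RECORDS = 30


def make_datagram(count, version=5):
    """Build a constructed datagram: header plus zero-filled records."""
    header = V5_HEADER.pack(version, count, 0, 0, 0, 0, 0, 0, 0)
    return header + bytes(V5_RECORD_LEN * count)


def tally(datagrams, allowed_senders):
    """Validate (sender_ip, payload) pairs and count what was accepted."""
    stats = {"pkts": 0, "flows": 0, "bad_version": 0,
             "malformed": 0, "rejected_sender": 0, "senders": Counter()}
    for sender, data in datagrams:
        # UDP has no session: accept only exporters we configured.
        if sender not in allowed_senders:
            stats["rejected_sender"] += 1
            continue
        if len(data) < V5_HEADER.size:
            stats["malformed"] += 1
            continue
        version, count = struct.unpack_from("!HH", data)
        if version != 5:
            stats["bad_version"] += 1
            continue
        # The declared record count must match the bytes actually received.
        expected = V5_HEADER.size + count * V5_RECORD_LEN
        if not 1 <= count <= V5_MAX_RECORDS or len(data) != expected:
            stats["malformed"] += 1
            continue
        stats["pkts"] += 1
        stats["flows"] += count
        stats["senders"][sender] += 1
    return stats


def demo():
    """Constructed input: 124 full datagrams from the router in the thread,
    plus three datagrams that must not be counted as flows."""
    router = "192.168.2.1"
    traffic = [(router, make_datagram(30)) for _ in range(124)]
    traffic.append((router, make_datagram(1, version=9)))  # wrong version
    traffic.append((router, make_datagram(30)[:100]))      # truncated
    traffic.append(("192.0.2.99", make_datagram(30)))      # unknown sender
    return tally(traffic, allowed_senders={router})
```
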
