Yes, you are being dense... It's all based on what ntop SEES in the packets. Repeat: ntop sees packets and ONLY packets. Packets have a FROM and a TO address. Which packets ntop sees is determined by the interfaces it is monitoring. Traffic is classified based on the joint classification of the FROM address (L or R) and the TO address (L or R).
Only in L->L traffic will ntop see sent=rcvd.
Host: 192.168.1.x www.yahoo.com
L->R R->L L->R R->L
S R S R S R S R
192.168.1.x>www.yahoo.com
HTTP GET ... 30 . . . . . . 30
www.yahoo.com>192.168.1.x
HTTP 200 . . . 8 8 . . .
www.yahoo.com>192.168.1.x . . .200 200 . . .
<html>...</html>
etc.
It does show up on the L->R and R->L pages (see the attached).
What ntop doesn't do is to double count the data in it's totals.
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim
Johnson
Sent: Saturday, October 12, 2002 10:56 PM
To: [EMAIL PROTECTED]
Cc: Burton M. Strauss III
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.
I'm smacking myself, but I still don't get it. Let me ask a slighty
different question then. What traffic causes the "Data Rcvd" column to
increment? Your example below seems to only address the "Data Sent"
column.
I'm sorry for being so stupid, but if you could do your example with
both the data received and data sent columns I think that I'd finally
get it.
Thanks for all of your help,
Jim
-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 12, 2002 1:18 PM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.
Yeah, it's so simple that you're going to smack yourself...
Think about what SEND and RECEIVED means. Think about what ntop sees...
ntop sees what's on the wire and classifies it based on the interface
IPs
and the -m parameter. It would only be symetric if it was L-L traffic.
192.168.1.1 -> www.yahoo.com: HTTP GET xxxxx.....
30 bytes L->R
www.yahoo.com -> 192.168.1.1: 200 OK
10 bytes R->L
www.yahoo.com -> 192.168.1.1: <html> .... </html>
2000 bytes R->L
etc.
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim
Johnson
Sent: Saturday, October 12, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.
To use your example, why doesn't the 30 byte request show up as data
sent traffic on the L->R page and also as data received on the R->L
page. For the couple meg reply why doesn't that show up as data sent
traffic on the R->L page and also as data received on the L->R page?
In my mind all data sent on the L->R page would also be seen as data
received on the R->L page. Also all data sent on the R->L page would
also be seen as data received on the L->R page. Basically I don't
understand how a local host can have data sent to a remote host that
isn't also data received by the remote host and vice-versa.
I'm sure it's something simple that I'm not understanding, but I still
don't get it.
-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 12, 2002 8:33 AM
To: [EMAIL PROTECTED]
Cc: Jim Johnson
Subject: RE: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.
Um... why the HECK should it?
You send "HTTP GET abc.html", so that's what, 30 bytes L->R
You get back a couple of Meg of web page and images, R->L
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim
Johnson
Sent: Thursday, October 10, 2002 2:19 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] IP Traffic "remote to local" and "local to remote"
totals don't equal.
On my "IP Traffic" page at the bottom it lists your total traffic. Why
don't the "remote to local" and "local to remote" totals equal each
other? Wouldn't all traffic sent from a remote host to a local host
show up on the R->L page as data sent from the remote host and on the
L->R page as data received by a local host? If so shouldn't the two
"total traffic" numbers on the R->L and L->R pages equal each other?
I'm running ntop v.2.1.51 on RedHat 8.
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
Title: Local IP Traffic
Local IP Traffic
Report created on Sun Oct 13 07:52:04 2002 [10:05] Generated by ntop v.2.1.51 MT (SSL) [i386-unknown-freebsdelf4.6.2] (09/30/02 05:54:11 PM build) listening on [xl0] without a kernel (libpcap) filtering expression © 1998-2002 by Luca Deri | ||||||||||||||||||||||||||||||||
Local to Remote IP Traffic
Report created on Sun Oct 13 07:52:01 2002 [10:02] Generated by ntop v.2.1.51 MT (SSL) [i386-unknown-freebsdelf4.6.2] (09/30/02 05:54:11 PM build) listening on [xl0] without a kernel (libpcap) filtering expression © 1998-2002 by Luca Deri | ||||||||||||||||||||
Remote to Local IP Traffic
Report created on Sun Oct 13 07:51:56 2002 [9:57] Generated by ntop v.2.1.51 MT (SSL) [i386-unknown-freebsdelf4.6.2] (09/30/02 05:54:11 PM build) listening on [xl0] without a kernel (libpcap) filtering expression © 1998-2002 by Luca Deri | ||||||||||||||||||||
Network Traffic: Total Data (Sent+Received)
Report created on Sun Oct 13 07:57:44 2002 [15:45] Generated by ntop v.2.1.51 MT (SSL) [i386-unknown-freebsdelf4.6.2] (09/30/02 05:54:11 PM build) listening on [xl0] without a kernel (libpcap) filtering expression © 1998-2002 by Luca Deri | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
