If your router - which is the device that's generating the netflow - can filter what it's generating to a single interface, do that. Otherwise...
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of RAR
Sent: Tuesday, February 18, 2003 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] netflow filter

I was about to ask a similar question.

We have 3 egress routers (in two locations) connected to 4 egress providers. In the best case, a packet will only hit one router. In the worst case, it will hit all three routers, generating similar netflows in all three routers.

Using other netflow tools (MHTG) we have been able to code rules that only "count" the netflow as it leaves the last router to the net, or enters the first router from the net.

Any clues how to get this behavior with Ntop?

To make an example, let's simplify to our two POPs (A and B):

HostA ----(1) RTRA (2)-----------------------------(4) RTRB (5)----- HostB
              (3)                                      (6)
               |                                        |
           ProviderA                                ProviderB

To be more specific:

Traffic from HostA is counted at RTRA if it egresses via Provider A. If it egresses at RTRB, it is counted at RTRB.

Our rules always count traffic as it enters our network from the net, or when it leaves our network for the net.

Src Int -> Dst Int
1->3    Count
1->2    Don't count. It will be counted at RTRB
3->1    Count
3->2    Count
4->6    Count
4->5    Don't count. It either came from Provider A and was counted above, or it is internal traffic (HostA to HostB)
5->4    Don't count. It will be counted at RTRA if it leaves our network
6->4    Count

>>> [EMAIL PROTECTED] 02/18/03 07:24PM >>>
The code is in plugins/netflowPlugin.c. Look for netflowMainLoop() - you'll see it select and receive from the socket, then use dissectFlow() to update the various counters.

Understand that the -B filter is a bpf filter, but since you're not using libpcap, there's a lot of code you're going to have to pull in. It might be a lot simpler - and 90% as useful - to just put a simple host match in, like rrd does.

If you want to talk about a custom coding project, contact me off-list.
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Greenwood
Sent: Tuesday, February 18, 2003 5:27 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] netflow filter

I would like to use the -B filter expression option to filter incoming Netflow records - can I do this - will it work??

In the alternative - where should I look in the .c code to hack a filter in ...

rgds
Eric Greenwood

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop

Bob Roswell
[EMAIL PROTECTED]
System Source
338 Clubhouse Road
Hunt Valley, MD 21031
(410) 771-5544 ext 336
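
The count/don't-count table from RAR's message, written as a lookup on each flow record's input and output interface. This is an added example, not part of the original thread and not ntop's code. The names classify_flow and counted_octets are hypothetical, the interface numbers are the ones in his diagram (assumed unique across both routers), and the byte counts are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict for one flow record, keyed on its input/output interface. */
enum verdict { FLOW_SKIP, FLOW_COUNT, FLOW_UNLISTED };
struct if_rule { uint16_t in_if, out_if; enum verdict v; };

/* The eight rules from RAR's message. Interface numbers follow his diagram
 * (1-3 on RTRA, 4-6 on RTRB); assumed unique across both routers. */
static const struct if_rule RULES[] = {
    {1, 3, FLOW_COUNT}, {1, 2, FLOW_SKIP},  /* 1->2 is counted at RTRB */
    {3, 1, FLOW_COUNT}, {3, 2, FLOW_COUNT},
    {4, 6, FLOW_COUNT}, {4, 5, FLOW_SKIP},  /* counted at RTRA, or internal */
    {5, 4, FLOW_SKIP},  {6, 4, FLOW_COUNT}, /* 5->4 counted at RTRA if it leaves */
};

/* Hypothetical helper: look up a pair. Pairs the message does not list
 * (for example 2->1) are reported as FLOW_UNLISTED instead of guessed. */
enum verdict classify_flow(uint16_t in_if, uint16_t out_if)
{
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (RULES[i].in_if == in_if && RULES[i].out_if == out_if)
            return RULES[i].v;
    return FLOW_UNLISTED;
}

/* Constructed sample: one 1500-byte flow HostA -> ProviderB is exported by
 * both routers (1->2 on RTRA, 4->6 on RTRB); 1->3 counts, 4->5 is skipped. */
struct sample_flow { uint16_t in_if, out_if; uint32_t octets; };
static const struct sample_flow SAMPLE[] = {
    {1, 2, 1500}, {4, 6, 1500}, {1, 3, 400}, {4, 5, 900},
};

/* Sum octets only for flows the rules say to count. */
uint64_t counted_octets(const struct sample_flow *f, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_flow(f[i].in_if, f[i].out_if) == FLOW_COUNT)
            total += f[i].octets;
    return total;
}

int main(void)
{
    printf("counted octets: %llu\n", (unsigned long long)counted_octets(SAMPLE, 4));
    return 0;
}
```

The flow seen by both routers contributes its 1500 bytes once, so the sample totals 1900 rather than 4300.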
