There's NO WAY to accurately classify traffic if all you have is a packet
(remember, ntop is NOT stateful).

All ntop sees is a packet, say this:

15:00:57.695247 zebra.3259 > tigger.ssh: . ack 3128 win 63776 (DF)

or

15:00:57.695347 tigger.ssh > zebra.3259: P 3256:3384(128) ack 1 win 8576
(DF) [tos 0x10]

Those are easy - the ssh stuff is a nice low port #, 22, and the 3259 port
isn't assigned to anything in /etc/services.

How about this?

15:02:22.759103 tigger.3000 > zebra.3273: R 0:0(0) ack 3320224739 win 0 (DF)

BUZZ -- sorry, wrong answer.  You 'know' 3000 is ntop's web server, but
that's external knowledge.  Port 3000 isn't in /etc/services.

15:09:04.605378 tigger.1865 > pooh.3000: . ack 1 win 5840 <nop,nop,timestamp
275777198 54403048> (DF)

ntop uses a reasonable algorithm, but one that may give anomalous results -
given you have outside knowledge - S'be'it... Check the code:

        /* Handle UDP traffic like TCP, above -
           That is: if we know about the lower# port, even if it's the
           destination, classify the traffic that way.
           (BMS 12-2001)
        */
        if (dport < sport) {
          if (handleIP(dport, srcHost, dstHost, length, 0, 0, actualDeviceId) == -1)
            handleIP(sport, srcHost, dstHost, length, 0, 0, actualDeviceId);
        } else {
          if (handleIP(sport, srcHost, dstHost, length, 0, 0, actualDeviceId) == -1)
            handleIP(dport, srcHost, dstHost, length, 0, 0, actualDeviceId);
        }

For protocols that use nice #s, that is, the assigned port is < 1024 and the
randomly chosen port is >= 1024, this works fine.  For protocols that use
numbers >= 1024, well, it can fail.

Live with it.

-----Burton
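Added example (not ntop's code, and not from anyone in this thread): the lower-port-first rule from the quoted C snippet re-implemented in Python and run over tcpdump-style lines modelled on the ones above. The packet lines, the cut-down /etc/services table, the "ntop-web" name for port 3000 and the use of 1352/tcp as the Lotus Notes port (the thread mentions Notes but never gives a number) are all assumptions made for the example. The last sample line is constructed to show the failure mode Burton describes: both ports are >= 1024 and the ephemeral port happens to equal a defined high-numbered service, so the stateless rule picks the wrong label.

```python
"""Lower-port-first protocol classification as described in the message above.

Added example, not ntop's code.  Re-implements the rule from the quoted
snippet and runs it over tcpdump-style lines to show where a stateless,
single-packet classifier works and where it cannot.
"""

# Constructed stand-in for /etc/services (only the entry needed here).
DEFAULT_SERVICES = {22: "ssh"}

# Constructed: the admin-supplied additions the thread talks about.
# 3000 is ntop's own web server (the post's "external knowledge");
# 1352/tcp is assumed here to be the port defined for Lotus Notes.
ADMIN_SERVICES = {22: "ssh", 1352: "lotusnote", 3000: "ntop-web"}

# Constructed tcpdump-style lines modelled on those in the post.
SAMPLE_PACKETS = [
    "15:00:57.695247 zebra.3259 > tigger.ssh: . ack 3128 win 63776 (DF)",
    "15:00:57.695347 tigger.ssh > zebra.3259: P 3256:3384(128) ack 1 win 8576 (DF) [tos 0x10]",
    "15:02:22.759103 tigger.3000 > zebra.3273: R 0:0(0) ack 3320224739 win 0 (DF)",
    "15:09:04.605378 tigger.1865 > pooh.3000: . ack 1 win 5840 <nop,nop,timestamp 275777198 54403048> (DF)",
    # Constructed failure case: an ephemeral port that happens to equal a
    # defined high-numbered service port (1352 < 3000, so it is tried first).
    "15:10:00.000000 tigger.1352 > pooh.3000: . ack 1 win 5840 (DF)",
]


def port_number(token, services):
    """tcpdump prints a service name where it knows one; map it back to a number."""
    if token.isdigit():
        return int(token)
    for number, name in services.items():
        if name == token:
            return number
    raise ValueError("unknown service name: %r" % token)


def split_endpoint(token, services):
    """'tigger.ssh:' -> ('tigger', 22).  rpartition keeps dotted hostnames intact."""
    host, _, port = token.rstrip(":").rpartition(".")
    return host, port_number(port, services)


def parse_packet(line, services=DEFAULT_SERVICES):
    """Return (src_host, sport, dst_host, dport) from a tcpdump TCP summary line."""
    fields = line.split()
    if len(fields) < 4 or fields[2] != ">":
        raise ValueError("not a tcpdump 'src > dst' line: %r" % line)
    src_host, sport = split_endpoint(fields[1], services)
    dst_host, dport = split_endpoint(fields[3], services)
    return src_host, sport, dst_host, dport


def classify(sport, dport, services=DEFAULT_SERVICES):
    """The rule from the quoted C: try the lower port first, then the other,
    and fall back to 'other' if neither is a known service.  No state and no
    notion of direction: one packet is all the function ever sees."""
    lower, higher = (dport, sport) if dport < sport else (sport, dport)
    for port in (lower, higher):
        if port in services:
            return services[port]
    return "other"


def classify_lines(lines, services=DEFAULT_SERVICES):
    """Classify each line; returns [(timestamp, label), ...]."""
    result = []
    for line in lines:
        _, sport, _, dport = parse_packet(line, services)
        result.append((line.split()[0], classify(sport, dport, services)))
    return result


if __name__ == "__main__":
    print("with only /etc/services:")
    for ts, label in classify_lines(SAMPLE_PACKETS):
        print("  %s  %s" % (ts, label))
    print("with the admin's additions:")
    for ts, label in classify_lines(SAMPLE_PACKETS, ADMIN_SERVICES):
        print("  %s  %s" % (ts, label))
```

Running it shows the two ssh packets labelled "ssh" both ways (22 is the lower port regardless of direction), the port-3000 packets labelled "other" until 3000 is defined, and, once both 1352 and 3000 are defined, the constructed 1352 > 3000 packet labelled "lotusnote" even though it is ntop web traffic. Only a stateful view (which end sent the SYN) could tell those apart, which is exactly what a per-packet classifier does not have.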





-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Andrew White
Sent: Thursday, February 20, 2003 2:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] add IP protocol definitions


So even if the source port is known, it's categorized as other?  i.e. the
return flow of an ssh session, while the initiating flow of ssh is recorded as
ssh?

Any answer to adding gre and esp ?

Tks

/Andrew

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Blake
Sent: 20 February 2003 17:47
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] add IP protocol definitions


First, you do realize source ports are random and will
be an "other"? ... you will always have other
(destination is the only thing you will be able to add
to you protocol list).  If you feel there are some
additional destination ports you are missing then use
a sniffer to collect that information.  You should be
able to leave a sniffer on the network for a day .. or
week (whatever) to track common destination ports.
That may reduce your other but you will always have
other.  You could run Ethereal on the same server
running your NTOP if you are spanning a port.

--Blake



--- Andrew White <[EMAIL PROTECTED]> wrote:
> Thanks, worked a treat --- nearly,
>
> Still getting a lot of others, doing a show ip cache
> flow on the router,
> every flow is defined in the protocol list.
>
> Is there a 'simple' way to get ntop to tell me the
> ports that are making
> up other, so I can define them ?
>
> Also, is it possible to define additional ip
> protocols like esp and gre
> ?
>
> Tks
>
> /Andrew
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> Burton M. Strauss III
> Sent: 19 February 2003 23:06
> To: [EMAIL PROTECTED]
> Subject: RE: [Ntop] add IP protocol definitions
>
> Read the docs/FAQ and the man page...
>
>      -p <list>      | --protocols <list>
>                                List of IP protocols
> to monitor (see man
> page)
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> Andrew White
> Sent: Wednesday, February 19, 2003 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] add IP protocol definitions
>
>
> Hi,
>
> Anyone got a mini howto for adding protocol
> definitions to ntop ?
>
> Want to get the 'other' information reduced down by
> adding known
> protocols that we use, like lotus notes etc.
>
> Tks
>
> /Andrew
>
>
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop