I fetched up some traffic with windump. Sorry for asking, but what did you mean with "and run the Mark One eye over them"? I guess that should be some tool showing the packets, but I don't know it...

I loaded the dump in ntop, restarted ntop several times, and I get various IPs for the same MAC each time I start ntop. Perhaps there's something with our firewall which "confuses" ntop... The MAC address belongs to our Microsoft ISA server. It is multihomed since it "publishes" some services. It's also the router for the DMZ. The IP addresses ntop associates with the MAC are from "published" services (smtp, http, ...) and DMZ hosts.

Thanks,

Thomas Pagel
Senior Consultant Business Intelligence
Software4You Planungssysteme GmbH
Niederlassung Paderborn
Hauptstraße 35
33178 Borchen (Germany)
tel.: +49 (5251) 54009-11
mob.: +49 (172) 8423035
fax.: +49 (5251) 54009-99
home: http://www.software4you.com
4PLAN - The Art of Budgeting.

Disclaimer: This email may contain confidential and proprietary material for the sole use of the intended recipient. Any review or distribution by others is prohibited. If you are not the intended recipient please contact the sender and delete all copies.

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 31, 2003 19:45
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Wrong association IP <-> MAC

Remember - it only takes one packet, not even an ack, for ntop to create a host record. If that's wrong, it will carry forward - you'll probably see the host tagged as 'Multihomed'.

Host 1: IP 192.168.1.1 MAC 00:00:00:aa:aa:aa
Host 3: IP 192.168.1.3 MAC 00:00:00:cc:cc:cc

If somebody has the incorrect hosts table, dns, cached, whatever info that Host 1 is 192.168.1.3 and is on the same subnet, then it will send a packet where the Ethernet layer and the ip are nonsense. But because it's on the same wire, the ip is ignored:

(Ethernet from:00:00:00:dd:dd:dd to:00:00:00:aa:aa:aa)(tcp s=192.168.1.4 d=192.168.1.3)

ntop will read both out of the packet and create the association 192.168.1.3=00:00:00:aa:aa:aa since it doesn't know better.

Then when it sees

(Ethernet from:00:00:00:ee:ee:ee to:00:00:00:cc:cc:cc)(tcp s=192.168.1.5 d=192.168.1.3)

it will create the multihomed association...

Best bet would be to capture some packets using a sniffer like tcpdump (which is available for windows, see http://windump.polito.it/) and run the Mark One eye over them. You can even feed the capture into ntop via the -r parameter.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Burton M. Strauss III
Sent: Monday, March 31, 2003 9:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Wrong association IP <-> MAC

I would suspect a dns problem... Look at the data in info.html on dns - see where it's getting the resolution (sniffing vs. queries) and try to do your own nslookups... Also check your switches - some of them rewrite the monitor port data with their own MAC address, which confuses ntop - You could turn on --no-mac -- (make it IP only), but that won't fix a dns problem.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thomas Pagel
Sent: Monday, March 31, 2003 8:45 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Wrong association IP <-> MAC

Sorry, my fault.... That's why I have an odd MAC for the Cisco... But all the other issues are not affected by this... In my example Host1 and Host3 are still mixed up...

Thomas Pagel

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 31, 2003 15:58
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Wrong association IP <-> MAC

That's right, isn't it? The 01: is the multicast bit and 01:00:0c:cc:cc:cc is listed in most lists as Cisco CDPD/VTP... It's one of those odd, pre-IANA pre-IEEE assignments, where companies picked what they wanted and there weren't enough in the market to cause problems, but not all of them were codified later on. Makes building the specialMac.txt file a brass-plated b*tch. STFW...

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/e_trunk.htm

and lots of others

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thomas Pagel
Sent: Monday, March 31, 2003 5:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Wrong association IP <-> MAC

correction: Host2 is only listed as "Cisco CDPD/VTP" without any IP

Thomas Pagel

-----Original Message-----
From: Thomas Pagel
Sent: Monday, March 31, 2003 12:54
To: [EMAIL PROTECTED]
Subject: [Ntop] Wrong association IP <-> MAC

Hi,

I'm running ntop Version 2.1.90 on Windows 2000. Looking at statistics/hosts I find some hosts which are listed incorrectly (or at least I don't understand that....)

Host1: Microsoft ISA Server
Host2: Our Cisco Internet router
Host3: Windows 2000 Server

The IP of Host3 has the MAC Address of Host1 and all the Service-Icons of Host1
The IP of Host3 is there a second time with the MAC Address of Host2 and the Router Service-Icon
The IP of Host2 has the MAC Address of 01:00:0C:CC:CC:CC, no idea where this is coming from
The IP of Host1 isn't listed at all

I really don't understand that...

Thanks,

Thomas Pagel

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
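The mechanism Burton describes above (one packet is enough for ntop to create an IP/MAC record, and a frame whose Ethernet destination and IP destination disagree leaves a wrong record behind), modelled as an added Python example that is not ntop's code. The packets are constructed from the thread's example addresses plus a constructed DMZ address, and the sender-only view and per-MAC inversion are added illustrations of how to separate a stale-cache mismatch from a genuinely multihomed host or router such as the ISA server.

```python
from collections import defaultdict
# Constructed packets (eth_src, eth_dst, ip_src, ip_dst) using the thread's
# addresses: Host 1 = 192.168.1.1 / aa:aa:aa, Host 3 = 192.168.1.3 / cc:cc:cc.
PACKETS = [
    ("00:00:00:aa:aa:aa", "00:00:00:cc:cc:cc", "192.168.1.1", "192.168.1.3"),
    ("00:00:00:cc:cc:cc", "00:00:00:aa:aa:aa", "192.168.1.3", "192.168.1.1"),
    # .4 wrongly believes .3 lives at aa:aa:aa (stale hosts file, DNS or ARP
    # cache), so the Ethernet destination and the IP destination disagree.
    ("00:00:00:dd:dd:dd", "00:00:00:aa:aa:aa", "192.168.1.4", "192.168.1.3"),
    ("00:00:00:ee:ee:ee", "00:00:00:cc:cc:cc", "192.168.1.5", "192.168.1.3"),
    # Routed traffic: the multihomed ISA box forwards a DMZ host's packet, so
    # the frame carries the router's MAC with a foreign (constructed) source IP.
    ("00:00:00:aa:aa:aa", "00:00:00:cc:cc:cc", "10.10.10.5", "192.168.1.3"),
]

def naive_learn(packets):
    """ntop-style: trust both pairings of every packet -> {ip: [macs]}.
    More than one MAC per IP is what ntop tags 'Multihomed'."""
    table = defaultdict(set)
    for eth_src, eth_dst, ip_src, ip_dst in packets:
        table[ip_src].add(eth_src)  # sender pairing
        table[ip_dst].add(eth_dst)  # receiver pairing, only as good as the sender's cache
    return {ip: sorted(macs) for ip, macs in table.items()}

def source_only_learn(packets):
    """Learn only the sender side: a host stamps its own MAC and IP on what it sends."""
    table = defaultdict(set)
    for eth_src, _, ip_src, _ in packets:
        table[ip_src].add(eth_src)
    return {ip: sorted(macs) for ip, macs in table.items()}

def conflicts(naive, source_only):
    """IPs the naive view calls multihomed but that have exactly one sender MAC:
    a destination-side mismatch, i.e. some host has a wrong idea where that IP is."""
    out = {}
    for ip, macs in naive.items():
        if len(macs) > 1 and len(source_only.get(ip, [])) == 1:
            real = source_only[ip][0]
            out[ip] = (real, [m for m in macs if m != real])
    return out

def ips_per_mac(source_only):
    """Invert the sender view: one MAC sourcing several IPs is a genuinely
    multihomed host or a router (the 'various IPs for the same MAC' in the thread)."""
    inv = defaultdict(set)
    for ip, macs in source_only.items():
        for mac in macs:
            inv[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in inv.items()}
```

Running `conflicts(naive_learn(PACKETS), source_only_learn(PACKETS))` flags only 192.168.1.3, with cc:cc:cc as the MAC it actually sends from and aa:aa:aa as the stray pairing; the router's two source IPs show up in `ips_per_mac` rather than as a conflict.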
