First off, if you read all the stuff in the back traffic
(http://article.gmane.org/gmane.linux.ntop.general/2184), you'll see that
ntop does NOT resolve NetBIOS - it only uses them as a last resort.  Nor
does ntop use /etc/hosts UNLESS the underlying system resolver does.

Secondly, I'm pretty sure ntop handles what it sees correctly.  If there's a
problem, it's 99% of the time in the configuration of the system, that is
how it resolves names (man resolver on some systems).

Make sure that, if you have a switched environment where you're mirroring
traffic, you check the MAC addresses.  Many switches use their own MAC
addresses when they echo the packets out the monitor/mirror/span port to
avoid routing loops.  If so, you'll need to use the -o | --no-mac option so
ntop doesn't depend on the MAC addresses.

Those dns #s aren't outlandish - a fair number of packets sniffed, probably
mostly being requests and reverse lookups... (note that if you look at
textinfo.html, there's some additional data on the sniffs...), e.g.:

DNS Packets sniffed.....40454
  less 'requests'.....20795
  less 'failed'.....6521
  less 'reverse dns' (in-addr.arpa).....2072
DNS Packets processed.....11066
Stored in cache (includes aliases).....20658

Processed is computed to be the # of real responses seen:

  /* processed = sniffed minus requests, failures and in-addr.arpa lookups */
  if(snprintf(buf, sizeof(buf), "%d", myGlobals.dnsSniffCount
                                      - myGlobals.dnsSniffRequestCount
                                      - myGlobals.dnsSniffFailedCount
                                      - myGlobals.dnsSniffARPACount) < 0)
    BufferTooShort();
  printFeatureConfigInfo(textPrintFlag, "DNS Packets processed", buf);

You can actually pull the values (well, there's some garbage in there) from
the cache via:

$ strings /usr/share/ntop/dnsCache.db  | sort | grep '\.' | uniq

If you look at all the data in textinfo.html, you'll see the progression
through the stages...

Queued - dequeueAddress():

Total Queued.....2313
Not queued (duplicate).....32
Maximum Queued.....1069
Current Queue.....0


Resolved - resolveAddress():

Addresses to resolve.....2313
....less 'Error: No cache database'.....0
....less 'Found in ntop cache'.....0
Gives: # gethost (DNS lookup) calls.....2313


DNS lookup calls:

DNS resolution attempts.....2313
....Success: Resolved.....309
....Failed.....2004
........HOST_NOT_FOUND.....2000
........NO_DATA.....0
........NO_RECOVERY.....0
........TRY_AGAIN (don't store).....4
........Other error (don't store).....0
DNS lookups stored in cache.....2309
Host addresses kept numeric.....2004


The Failed #s are the most interesting, because they explain what ntop was
told when doing the resolution.  TRY AGAIN is legit, it just means the dns
was too busy or something.  ntop doesn't bother with an immediate retry - it
figures that if it sees another packet, it will try again later...


Without a dns server, etc. you're depending upon the system resolver, which
is highly OS and version dependent - i.e. I can't really say what it's going
to do.  It's also opaque ... you can't run nslookup to see the data the same
way, as that's a dns interface, vs. the system resolver.

In your hosts file, did you put the host name for both 127.0.0.1 and the
assigned IP?  I wonder if the resolver doesn't like that, or if it requires
it???  What you need is a piece of software that does gethostbyname and
prints the results.  Off hand, I can't think of one.

-----Burton
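Burton's reply asks for a piece of software that calls gethostbyname and prints the results, and Filippo's two-box /etc/hosts test is exactly the case to run such a tool against. The program below is an added example written for this page, not code from ntop or from either poster. It calls the same libc routines ntop relies on (gethostbyaddr for reverse lookups, gethostbyname for forward lookups) and labels failures with the h_errno names that appear in ntop's counters above; the "kept numeric" vs "not stored" rule mirrors the TRY_AGAIN / Other error remarks in those counters. It assumes a POSIX libc with gethostbyaddr, gethostbyname and h_errno, and takes one or more IP addresses or host names on the command line.

```c
/*
 * resolvecheck.c - added example, not from ntop or the list posters.
 *
 * Exercises the libc calls ntop uses (gethostbyaddr() for reverse lookups,
 * gethostbyname() for forward lookups) so the system resolver's behaviour
 * (/etc/hosts, nsswitch order, DNS) can be observed directly instead of
 * inferred from ntop's counters.  Build: cc -o resolvecheck resolvecheck.c
 * Run:   ./resolvecheck 127.0.0.1 192.0.2.10 box2
 */
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Label for a resolver error code, using the names ntop prints. */
const char *herrno_name(int err)
{
    switch (err) {
    case HOST_NOT_FOUND: return "HOST_NOT_FOUND";
    case NO_DATA:        return "NO_DATA";
    case NO_RECOVERY:    return "NO_RECOVERY";
    case TRY_AGAIN:      return "TRY_AGAIN";
    default:             return "Other error";
    }
}

/* ntop's rule as quoted in the thread: a definitive failure is kept as a
 * numeric address; TRY_AGAIN and unknown errors are not stored at all. */
int failure_is_cached(int err)
{
    return err == HOST_NOT_FOUND || err == NO_DATA || err == NO_RECOVERY;
}

/* Reverse-resolve a dotted-quad.  Returns 1 on success (name copied to out),
 * 0 on a resolver failure (*err = h_errno), -1 if the text is not IPv4. */
int reverse_lookup(const char *dotted, char *out, size_t outlen, int *err)
{
    struct in_addr addr;
    struct hostent *he;

    if (inet_pton(AF_INET, dotted, &addr) != 1)
        return -1;
    he = gethostbyaddr(&addr, sizeof(addr), AF_INET);
    if (he == NULL) {
        *err = h_errno;
        return 0;
    }
    snprintf(out, outlen, "%s", he->h_name);
    return 1;
}

/* Forward-resolve a name and print every alias and address returned, so a
 * name listed under both 127.0.0.1 and the real IP in /etc/hosts shows up.
 * Returns 1 on success, 0 on failure (*err = h_errno). */
int forward_lookup(const char *name, int *err)
{
    struct hostent *he = gethostbyname(name);
    char **p;

    if (he == NULL) {
        *err = h_errno;
        return 0;
    }
    printf("%s -> canonical %s\n", name, he->h_name);
    for (p = he->h_aliases; *p; p++)
        printf("  alias   %s\n", *p);
    for (p = he->h_addr_list; *p; p++)
        printf("  address %s\n", inet_ntoa(*(struct in_addr *)*p));
    return 1;
}

int main(int argc, char **argv)
{
    char name[256];
    int i, err = 0, rc;

    if (argc < 2) {
        fprintf(stderr, "usage: %s <ip-or-hostname>...\n", argv[0]);
        return 2;
    }
    for (i = 1; i < argc; i++) {
        rc = reverse_lookup(argv[i], name, sizeof(name), &err);
        if (rc == 1)
            printf("%s -> %s\n", argv[i], name);
        else if (rc == 0)
            printf("%s -> failed: %s (%s)\n", argv[i], herrno_name(err),
                   failure_is_cached(err) ? "kept numeric" : "not stored");
        else if (!forward_lookup(argv[i], &err))
            printf("%s -> failed: %s\n", argv[i], herrno_name(err));
    }
    return 0;
}
```

Running it on each box with the local address, the peer's address and both host names shows whether the resolver answers from /etc/hosts at all, and which error it returns when it does not; the same answer is what ntop's resolveAddress() receives.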


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Filippo Stefanelli
Sent: Wednesday, May 28, 2003 9:08 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] More details about DNS resolution problem.


Hi all,

thanks for the answer Burton. I have looked in the back traffic of this
mailing list and in my Info.html.

Now what I can say is that ntop resolves names mostly via netbios but
not via dns.

I think these numbers confirm my idea:

DNS sniffed:
DNS Packets sniffed.....22068
DNS Packets processed.....1214
Stored in cache (includes aliases).....1790

Queued:
Total Queued.....2261
Not queued (duplicate).....0
Maximum Queued.....16
Current Queue.....0

DNS lookup calls:
DNS resolution attempts.....2261
....Success: Resolved.....91
....Failed.....2170
DNS lookups stored in cache.....2260
Host addresses kept numeric.....2170

Trying to know what was going on, I set up a small system with two
Linux boxes linked via a cross cable. No dns, all info in /etc/hosts.

On box 1 ntop shows the IP address for box1 and the name for box2.
On box 2 ntop shows the IP address for box2 and the name for box1.

I don't know what to do!!!

Any idea?

Bye,
Filippo.




_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
