Yes, I am looking between the firewall and the internet router, so I am not worried about the encrypted traffic, just that it is flowing. I know that AH and ESP use port 50 and 51, and so I have added them to the protocols.list file along with the standard ports that ntop normally uses. I was just hoping that maybe there was a way to identify packets based on protocol, i.e. GRE using protocol 47.
Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Tremaine
Sent: Friday, June 13, 2003 12:30 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] Customize NTOP

My bad, I didn't notice the IPsec part of your question. I'm not sure you can break that traffic out, unless you can use a tcp style filter to identify IPsec traffic. Anyone with more knowledge of IPsec headers?

(I assume you're talking about client to server traffic and not just 1 IPsec gateway to other gateways, in which case, as long as the probe was behind the gateway, the traffic would not be encrypted?)

Mike Tremaine
[EMAIL PROTECTED]
http://www.stellarcore.net

----- Original Message -----
From: "Dave Lugo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 13, 2003 9:12 AM
Subject: Re: [Ntop] Customize NTOP

> I don't know that this will help - IPSEC, AFAIK, isn't a UDP or TCP
> protocol.
>
> On Fri, 13 Jun 2003, Mike Tremaine wrote:
>
> > Date: Fri, 13 Jun 2003 09:14:49 -0700
> > From: Mike Tremaine <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Ntop] Customize NTOP
> >
> > -p | --protocols
> >
> > It is used to specify the TCP/UDP protocols that ntop will monitor. The
> > format is <label>=<protocol list> [, <label>=<protocol list>], where label
> > is used to symbolically identify the <protocol list>. The format of
> > <protocol list> is <protocol>[|<protocol>], where <protocol> is
> > either a valid protocol specified inside the /etc/services file or a
> > numeric port range (e.g. 80, or 6000-6500). If the -p flag is
> > omitted the following default value is used:
> >
> > FTP=ftp|ftp-data
> > HTTP=http|www|https|3128        3128 is Squid, the HTTP cache
> > DNS=name|domain
> > Telnet=telnet|login
> > NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
> > Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
> > DHCP-BOOTP=67-68
> > SNMP=snmp|snmp-trap
> > NNTP=nntp
> > NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
> > X11=6000-6010
> > SSH=22
> >
> > Peer-to-Peer Protocols
> > ----------------------
> > Gnutella=6346|6347|6348
> > Kazaa=1214
> > WinMX=6699|7730
> > DirectConnect=0                 Dummy port as this is a pure P2P protocol
> > eDonkey=4661-4665
> >
> > Instant Messenger
> > -----------------
> > Messenger=1863|5000|5001|5190-5193
> >
> > If the <protocol list> is very long you may store it in a file (for
> > instance protocol.list). To do so, specify the file name instead of
> > the <protocol list> on the command line, e.g. ntop -p protocol.list
> > instead of
> > ntop -p FTP=ftp|ftp-data,HTTP=http|www|https|3128 ...
> >
> > The MAN page is your friend.....
> >
> > Mike Tremaine
> > [EMAIL PROTECTED]
> > http://www.stellarcore.net
> >
> > ----- Original Message -----
> > From: "aaron" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, June 13, 2003 8:42 AM
> > Subject: [Ntop] Customize NTOP
> >
> > > I am new to the use of NTOP and was wondering if there is a way to
> > > identify some of the protocols that are currently listed as other. I
> > > have IPSEC traffic on the network and would like to break out the
> > > amount of traffic as compared to unknown ports.
> > >
> > > Thanks,
> > > Aaron
> > >
> > > _______________________________________________
> > > Ntop mailing list
> > > [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
>
> --
> --------------------------------------------------------
> Dave Lugo [EMAIL PROTECTED] LC Unit #260 TINLC
> Have you hugged your firewall today? No spam, thanks.
> --------------------------------------------------------
> Are you the police? . . . . No ma'am, we're sysadmins.
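
The thread asks whether traffic can be broken out by IP protocol rather than by TCP/UDP port. As an added example (not part of the original messages and not ntop code), the Python below reads the protocol field of the IPv4 header, where IANA assigns GRE 47, ESP 50 and AH 51, and totals bytes per protocol. The function names `ip_protocol`, `tally` and `make_packet` and the sample packets are constructed for illustration.

```python
import struct
from collections import Counter

# IANA-assigned IP protocol numbers (the IPv4 header "protocol" field).
IP_PROTOCOLS = {6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

def ip_protocol(packet: bytes):
    """Return (protocol_number, total_length) for a raw IPv4 packet, or None."""
    if len(packet) < 20:
        return None                      # shorter than a minimal IPv4 header
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        return None                      # not IPv4, or malformed header length
    total_length = struct.unpack("!H", packet[2:4])[0]
    return packet[9], total_length       # byte 9 is the protocol field

def tally(packets):
    """Sum IPv4 total-length bytes per protocol label."""
    totals = Counter()
    for pkt in packets:
        parsed = ip_protocol(pkt)
        if parsed is None:
            totals["malformed"] += len(pkt)
            continue
        proto, length = parsed
        totals[IP_PROTOCOLS.get(proto, f"other({proto})")] += length
    return dict(totals)

def make_packet(proto: int, payload_len: int) -> bytes:
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                         64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + bytes(payload_len)

# Constructed sample traffic: two ESP packets, one AH, one GRE, one TCP, one runt.
SAMPLE = [make_packet(50, 100), make_packet(50, 60), make_packet(51, 40),
          make_packet(47, 80), make_packet(6, 20), b"\x45\x00"]

if __name__ == "__main__":
    for label, nbytes in sorted(tally(SAMPLE).items()):
        print(f"{label:10s} {nbytes} bytes")
```

Because ESP, AH and GRE carry no TCP or UDP header, a port-based list has nothing to match on for them; only the protocol field distinguishes them.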
