Y'all need to READ the back traffic on this list - it's been discussed. You are confused as to the difference between a TCP/IP 'protocol' such as FTP, which ntop can support via the -p option and an IP 'protocol' such as IPSec or GRE, which would require programmatic changes.

The only IP protocols ntop really understands are ICMP, TCP and UDP. There's some other, minimal support for some things - look at pbuf.c in processIpPkt(), but it's mostly of the 'strip the encapsulation' to see the enclosed IP packet form. Better study up on the OSI model and the TCP/IP and IP RFCs... it's ugly out there.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of aaron
Sent: Friday, June 13, 2003 12:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Customize NTOP

Yes I am looking between the firewall and the internet router, so I am not worried about the encrypted traffic just that it is flowing. I know that AH and ESP use port 50 and 51 and so I have added them to the protocols.list file along with the standard ports that ntop normally uses. I was just hoping that maybe there was a way to identify packets based on protocol i.e. GRE using protocol 47.

Aaron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Tremaine
Sent: Friday, June 13, 2003 12:30 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] Customize NTOP

My bad, I didn't notice the IPsec part of your question. I'm not sure you can break that traffic out, unless you can use a tcp style filter to identify IPsec traffic. Anyone with more knowledge of IPsec headers? (I assume you're talking about client to server traffic and not just 1 IPsec gateway to other gateways, in which case, as long as the probe was behind the gateway, the traffic would not be encrypted?)

Mike Tremaine
[EMAIL PROTECTED]
http://www.stellarcore.net

----- Original Message -----
From: "Dave Lugo" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 13, 2003 9:12 AM
Subject: Re: [Ntop] Customize NTOP

> I don't know that this will help - IPSEC, AFAIK, isn't a UDP or TCP
> protocol.
>
> On Fri, 13 Jun 2003, Mike Tremaine wrote:
>
> > Date: Fri, 13 Jun 2003 09:14:49 -0700
> > From: Mike Tremaine <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Ntop] Customize NTOP
> >
> > -p | --protocols
> >
> > It is used to specify the TCP/UDP protocols that ntop will monitor. The
> > format is <label>=<protocol list> [, <label>=<protocol list>], where label
> > is used to symbolically identify the <protocol list>. The format of
> > <protocol list> is <protocol>[|<protocol>], where <protocol> is
> > either a valid protocol specified inside the /etc/services file or a
> > numeric port range (e.g. 80, or 6000-6500). If the -p flag is
> > omitted the following default value is used:
> >
> > FTP=ftp|ftp-data
> > HTTP=http|www|https|3128      3128 is Squid, the HTTP cache
> > DNS=name|domain
> > Telnet=telnet|login
> > NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
> > Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
> > DHCP-BOOTP=67-68
> > SNMP=snmp|snmp-trap
> > NNTP=nntp
> > NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
> > X11=6000-6010
> > SSH=22
> >
> > Peer-to-Peer Protocols
> > ----------------------
> > Gnutella=6346|6347|6348
> > Kazaa=1214
> > WinMX=6699|7730
> > DirectConnect=0      Dummy port as this is a pure P2P protocol
> > eDonkey=4661-4665
> >
> > Instant Messenger
> > -----------------
> > Messenger=1863|5000|5001|5190-5193
> >
> > If the <protocol list> is very long you may store it in a file (for
> > instance protocol.list). To do so, specify the file name instead of
> > the <protocol list> on the command line. e.g. ntop -p protocol.list
> > instead of
> > ntop -p FTP=ftp|ftp-data,HTTP=http|www|https|3128 ...
> >
> > The MAN page is your friend.....
> >
> > Mike Tremaine
> > [EMAIL PROTECTED]
> > http://www.stellarcore.net
> > ----- Original Message -----
> > From: "aaron" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, June 13, 2003 8:42 AM
> > Subject: [Ntop] Customize NTOP
> >
> > > I am new to the use of NTOP and was wondering if there is a way to
> > > identify some of the protocols that are currently listed as other. I have
> > > IPSEC traffic on the network and would like to break out the
> > > amount of traffic as compared to unknown ports.
> > >
> > > Thanks,
> > > Aaron
> >
> --
> --------------------------------------------------------
> Dave Lugo [EMAIL PROTECTED] LC Unit #260 TINLC
> Have you hugged your firewall today? No spam, thanks.
> --------------------------------------------------------
> Are you the police? . . . . No ma'am, we're sysadmins.

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
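
The distinction drawn at the top of this thread, between an IP protocol number and a TCP/UDP port, as an added example (not ntop's code and not written by anyone in the thread): it counts constructed IPv4 packets by the header's Protocol field, so ESP (protocol 50) is accounted separately from a TCP segment sent to port 50. The function names and sample packets are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { P_TCP = 6, P_UDP = 17, P_GRE = 47, P_ESP = 50, P_AH = 51 }; /* IANA protocol numbers */
unsigned long long bytes_by_proto[256];   /* byte counters indexed by IP protocol number */

/* Validate an IPv4 header; return its Protocol field (byte 9) or -1 if malformed. */
int parse_ipv4(const uint8_t *p, size_t len, size_t *ihl, size_t *total)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;   /* too short, or not IPv4 */
    *ihl = (size_t)(p[0] & 0x0f) * 4;              /* header length in bytes */
    *total = ((size_t)p[2] << 8) | p[3];           /* Total Length field */
    if (*ihl < 20 || *total < *ihl || *total > len) return -1;
    return p[9];
}

/* Count a packet under its IP protocol number, whatever the payload is. */
int account_ipv4(const uint8_t *p, size_t len)
{
    size_t ihl, total;
    int proto = parse_ipv4(p, len, &ihl, &total);
    if (proto >= 0) bytes_by_proto[proto] += total;
    return proto;
}

/* Destination port exists only for TCP and UDP; -1 for ESP, AH, GRE and the rest. */
int dest_port(const uint8_t *p, size_t len)
{
    size_t ihl, total;
    int proto = parse_ipv4(p, len, &ihl, &total);
    if ((proto != P_TCP && proto != P_UDP) || total < ihl + 4) return -1;
    return (p[ihl + 2] << 8) | p[ihl + 3];
}

/* Constructed sample packets (header checksum left at 0 and not verified here). */
const uint8_t esp_pkt[] = { 0x45,0,0,28, 0,0,0,0, 64,P_ESP,0,0, 192,0,2,1, 192,0,2,2,
                            0,0,0x10,0x01, 0,0,0,1 };   /* SPI + sequence number */
const uint8_t tcp_pkt[] = { 0x45,0,0,24, 0,0,0,0, 64,P_TCP,0,0, 192,0,2,1, 192,0,2,2,
                            0x04,0x00, 0,50 };          /* ports only: 1024 -> 50 */

int main(void)
{
    account_ipv4(esp_pkt, sizeof esp_pkt);
    account_ipv4(tcp_pkt, sizeof tcp_pkt);
    for (int n = 0; n < 256; n++)
        if (bytes_by_proto[n]) printf("ip proto %d: %llu bytes\n", n, bytes_by_proto[n]);
    return 0;
}
```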
