See >>s inline.

-----Burton


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Blake
Sent: Friday, June 13, 2003 11:15 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] Tracking Host(s)



Currently when I start NTOP I use the -m option to
specify the local subnet.  Is this the reason why I
only see local hosts in host activity? When I look in
host activity I only see local host(s) vs. all hosts.

>> No

>> -g | --track-local-hosts is the 'Track only local hosts' option.

>> However, a bad -m setting can cause ntop to see traffic on the wire as
remote-remote which is largely ignored except for the bare counting...  say
you have 192.168.0.0/22 traffic (i.e. 192.168.0.0...192.168.3.255) and tell
ntop -m 192.168.0.0/24.  Anything from, say 192.168.1.2 -> 192.168.3.12 is
remote-remote...


What I am trying to accomplish is to track host
activity over the past 12-24 hours. I change the
following in global-defines.h so that NTOP does not
purge the inactive hosts (which works fine);

from:
#define PARM_HOST_PURGE_INTERVAL            5*60

to:
#define PARM_HOST_PURGE_INTERVAL            1440*60

In order to track hosts I need all the hosts to be
listed under host activity ... this will give me the
times of host activity and then I can try to narrow my
search if I'm looking for host activity during a
specific time.  For instance I might see in MRTG lots
of activity on a circuit at 1:30am the night before
and would like to determine who what when where ... if
all the hosts are listed in host activity in NTOP
during 1:30am I can narrow the search a little.

>> Check into my 2.2 patch '282' (attached) which appears to fix the
automatic instant purge of hosts.  The problem with it is that by keeping
more hosts around, it can substantially increase memory usage, which is why
it's an option I'm hesitant to add into 2.2.

>> Also, look at the purge constants, which are the ones that you SHOULD be
adjusting - changing the interval really doesn't do anything.

/*
 *  How long must a host be idle to be considered for purge?
 */
#define PARM_HOST_PURGE_MINIMUM_IDLE        10*60

/*
 *  How long must a session be idle to be considered for purge?
 */
#define PARM_SESSION_PURGE_MINIMUM_IDLE


<snip />

Attachment: BMS0282-sessionspurge.patch
Description: Binary data
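
The -m misclassification described in the reply above, as an added example that is not part of the original message and is not ntop's own code: a simplified model (the function names and the local/remote test are assumptions) that classifies a flow against the subnet given to -m.

```c
#include <stdio.h>
#include <stdint.h>
#include <arpa/inet.h>

/* Simplified model, not ntop source: a host is "local" if it falls in the -m subnet. */
enum flow_class { LOCAL_LOCAL, LOCAL_REMOTE, REMOTE_REMOTE };

/* Parse "a.b.c.d/len" into a host-order network and mask. Returns 0 on success. */
static int parse_cidr(const char *cidr, uint32_t *net, uint32_t *mask) {
    char addr[INET_ADDRSTRLEN];
    int len;
    struct in_addr in;
    if (sscanf(cidr, "%15[^/]/%d", addr, &len) != 2 || len < 0 || len > 32)
        return -1;
    if (inet_pton(AF_INET, addr, &in) != 1)
        return -1;
    *mask = len ? 0xFFFFFFFFu << (32 - len) : 0;  /* avoid an undefined 32-bit shift */
    *net = ntohl(in.s_addr) & *mask;
    return 0;
}

/* 1 if ip is inside net/mask, 0 otherwise (unparsable addresses count as remote). */
static int is_local(const char *ip, uint32_t net, uint32_t mask) {
    struct in_addr in;
    if (inet_pton(AF_INET, ip, &in) != 1)
        return 0;
    return (ntohl(in.s_addr) & mask) == net;
}

/* Classify one flow against the subnet passed as -m. Returns -1 on a bad CIDR. */
int classify_flow(const char *local_cidr, const char *src, const char *dst) {
    uint32_t net, mask;
    if (parse_cidr(local_cidr, &net, &mask) != 0)
        return -1;
    int n = is_local(src, net, mask) + is_local(dst, net, mask);
    return n == 2 ? LOCAL_LOCAL : n == 1 ? LOCAL_REMOTE : REMOTE_REMOTE;
}

int main(void) {
    static const char *names[] = { "local-local", "local-remote", "remote-remote" };
    const char *masks[] = { "192.168.0.0/24", "192.168.0.0/22" };  /* wrong, then right */
    for (int i = 0; i < 2; i++)
        printf("-m %s: 192.168.1.2 -> 192.168.3.12 is %s\n", masks[i],
               names[classify_flow(masks[i], "192.168.1.2", "192.168.3.12")]);
    return 0;
}
```
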
