Read the words - it's the address for the pseudo-interface. If you properly
ignore the physical transport of the flows, the pseudo-interface is located
at the router sending the flows. Got that - it's as if ntop was actually
running ON the router or switch sending the netFlow packets.
Take a simple example:

-----network--------------------------(192.168.1.0/24)
        |  192.168.1.1
  <router+netFlow>
        |  192.168.2.1
-----network--------------------------(192.168.2.0/24 AND 192.168.3.0/24)
        |  192.168.2.39
     <ntop>

If you run ntop in native mode, it sees only the traffic on 192.168.2.0/24.
That's the address read from eth0 and used for local (pseudo-local) vs.
remote traffic. Hosts in the 192.168.3.0/24 network are seen as remote.
So, you run ntop with -m 192.168.3.0/24 to tell it to treat BOTH networks
(...2.0/24 and ...3.0/24) as local.
If you run ntop in netFlow mode, you have two choices:
1. run ntop as above (-i eth0 -m 192.168.3.0/24) with netflow enabled ONLY
for the 192.168.1.0/24 network (or use the white/black list to control what
flows are processed). In this case you use the Local Network IP
Address/Mask of 192.168.1.0/255.255.255.0 set in the plugin so that that
traffic (in addition to .2.0/24 and .3.0/24) is local.
2. run ntop with -i none so that it's NOT picking up any traffic, just using
netflow for all three networks. In that case, you use -m
192.168.1.0/24,192.168.2.0/24,192.168.3.0/24 and don't give a Local Network
IP Address/Mask in the plugin.
The point of this? Case #2 can be run with ntop on a fourth, entirely
separate network... reporting as if it was run on the router!

-----network--------------------------(192.168.1.0/24)
        |  192.168.1.1
  <router+netFlow>
        |  192.168.2.1
-----network--------------------------(192.168.2.0/24 AND 192.168.3.0/24)
        |  192.168.2.254
    <firewall>
        |  192.168.4.254
-----network--------------------------(192.168.4.0/24)
        |  192.168.4.39
     <ntop>

If you program the firewall to pass ONLY the UDP netflow packets (say
...1.0/24, ...2.0/24 and ...3.0/24 are your DMZ and ...4.0/24 is your
private internal LAN)... you've now got an ntop instance showing the traffic
in the DMZ without exposing the instance IN the DMZ!
-----Burton
US-based commercial support for ntop:
http://www.ntopsupport.com
mailto:[EMAIL PROTECTED]
Search the ntop mailing lists at gmane:
http://search.gmane.org
HowTo Ask for Help at
http://snapshot.ntop.org/faq.php#83
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Ciprian Badescu
Sent: Thursday, July 03, 2003 12:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Netflow Interface Configuration
Hi,
I've something to add. I'm a newbie in using ntop, so if I say something
too stupid, don't shoot me ;)
>
> Virtual NetFlow Interface
> Network Address Local Network IP Address/Mask:
> Format: digit.digit.digit.digit/digit.digit.digit.digit
> This does not (yet) accept CIDR /xx notation
>
> This is the address used by ntop for the pseudo-interface it's receiving the
> netflow packets on. So it acts just like the IP address of a physical
> interface, setting local/pseudo-local etc. If you have a single point
> source sending you flows, this is all you need. Otherwise, you'll need to
> use -m to tell ntop which address ranges to treat as local.
I think that this isn't the local IP address, but the local NETWORK
address.
If I have here a local IP address, there is no way to make NTOP
recognize the local network as local network (even using -m switch),
but if I put here local NETWORK address, everything works great. I don't know
if it is a bug, or if this is how it is expected to work.
The definition: "Local Network IP Address" isn't so clear for me.
--
Ciprian Badescu
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott
> Vivian
> Sent: Wednesday, July 02, 2003 11:19 AM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] Netflow Interface Configuration
>
>
> What should the Netflow Interface Configuration (IP address) be set to - a
> loopback address, the same as my physical ethernet address, or something
> "made up" like what was there after I turned on the netflow plugin
> (192.168.0.0/255.255.255.0)? Does it matter?
>
> I'm running ntop v2.2 on RH 9.
>
> Thank you,
>
> Scott Vivian
> M&A Technologies
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
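
An added example, not part of the original thread and not ntop's code: a small Python model of the local/remote decision as described above for native mode and the two netFlow cases, with a pre-check for the plugin field that catches a host address entered where the network address is wanted. The function names and sample hosts are made up for illustration, and the model assumes "local" simply means membership in the union of the interface network, the -m list and the plugin field.

```python
import ipaddress

def parse_plugin_net(value):
    """Parse the plugin field, written as address/dotted-mask (no CIDR /xx)."""
    _, _, mask = value.partition("/")
    if mask.count(".") != 3:
        raise ValueError(f"expected a dotted mask, got {value!r}")
    # strict=True raises ValueError if host bits are set, i.e. a host IP
    # (192.168.2.39/255.255.255.0) was typed instead of the network address.
    return ipaddress.ip_network(value, strict=True)

def local_networks(iface_net=None, m_option="", plugin_net=None):
    """Networks treated as local: interface network, -m list, plugin field."""
    nets = []
    if iface_net:  # absent when ntop is started with -i none
        nets.append(ipaddress.ip_network(iface_net))
    nets += [ipaddress.ip_network(n) for n in m_option.split(",") if n]
    if plugin_net:
        nets.append(parse_plugin_net(plugin_net))
    return nets

def classify(host, nets):
    """Return 'local' if the host falls in any local network, else 'remote'."""
    ip = ipaddress.ip_address(host)
    return "local" if any(ip in n for n in nets) else "remote"

# The three set-ups from the message above (assumed model, see lead-in).
NATIVE = local_networks("192.168.2.0/24", "192.168.3.0/24")
CASE1 = local_networks("192.168.2.0/24", "192.168.3.0/24",
                       "192.168.1.0/255.255.255.0")
CASE2 = local_networks(None, "192.168.1.0/24,192.168.2.0/24,192.168.3.0/24")

# Constructed sample hosts: one per network in the diagrams plus one outside.
HOSTS = ["192.168.1.10", "192.168.2.39", "192.168.3.7",
         "192.168.4.39", "203.0.113.5"]

def report(nets):
    """Classify every sample host against one set of local networks."""
    return {h: classify(h, nets) for h in HOSTS}

if __name__ == "__main__":
    for name, nets in (("native", NATIVE), ("case 1", CASE1), ("case 2", CASE2)):
        print(name, report(nets))
```

In this model the ntop host on 192.168.4.0/24 is itself classified as remote in case 2, which matches the point that the instance reports as if it were running on the router.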