ntop will not accept netFlow traffic on an un-numbered interface.
So you have just ONE router with many interfaces, which is also the netflow
collection device??
Like this:
-----network---------<XXXXXXXX>-----------------(192.168.1.0/24)
                     < router >
                     <+netFlow>
-----network---------<XXXXXXXX>-----------------(192.168.2.0/24 AND 192.168.3.0/24)
                                     | 192.168.2.39
                                   <ntop>
Then it should successfully be sending netFlow packets for all the traffic
it sees (beware of switches in the physical layout) to ntop.
-i none just prevents ntop from bothering with non-netFlow packets on the wire.
The value used for "Local Network IP Address/Mask" and -m should be totally
interchangeable, as long as the full set is given to ntop.
If you don't give a value for Local Network IP Address/Mask, there's some
code in there:
    /* No stored value, or it does not scan as a.b.c.d%2Fm.m.m.m
       (URL-encoded '/'): store and use the default. */
    if((fetchPrefsValue("netFlow.ifNetMask", value, sizeof(value)) == -1)
       || (sscanf(value, "%d.%d.%d.%d%%2F%d.%d.%d.%d",
                  &a, &b, &c, &d, &a1, &b1, &c1, &d1) != 8)) {
      storePrefsValue("netFlow.ifNetMask", "192.168.0.0/255.255.255.0");
      myGlobals.netFlowIfAddress.s_addr = 0xC0A80000;  /* 192.168.0.0 */
      myGlobals.netFlowIfMask.s_addr    = 0xFFFFFF00;  /* 255.255.255.0 */
    } else {
      /* Pack the scanned octets into 32-bit address and mask values. */
      myGlobals.netFlowIfAddress.s_addr = (a << 24) + (b << 16) + (c << 8) + d;
      myGlobals.netFlowIfMask.s_addr    = (a1 << 24) + (b1 << 16) + (c1 << 8) + d1;
    }
which would set it to 192.168.0.0/16 (the full RFC 1918 space). All that
should do is tag more than you expect as local.
Run ntop with --trace-level 5 and look at the messages regarding handling
of -m. Look at the reports and see what's indicated as the addresses for
the interfaces in the globals report.
-----Burton
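
An added example (not ntop's code and not part of either poster's message) showing how an address/mask setting of this form can be validated and why a host address in that field can misclassify local hosts. The function names are hypothetical, the sample values are constructed, and the comparison in is_local_raw is an assumption about how such a check behaves, not something confirmed from the ntop source.

```c
#include <stdint.h>
#include <stdio.h>

#define IP(a, b, c, d) \
  (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Parse "a.b.c.d/m.m.m.m", or the URL-encoded "%2F" form the quoted snippet
 * scans for. Returns 0 on success; -1 on CIDR input, an octet above 255,
 * trailing junk or a non-contiguous mask. */
int parse_net(const char *s, uint32_t *addr, uint32_t *mask) {
  unsigned o[8];
  int n = 0, i;
  uint32_t inv;
  if (sscanf(s, "%3u.%3u.%3u.%3u/%3u.%3u.%3u.%3u%n", &o[0], &o[1], &o[2],
             &o[3], &o[4], &o[5], &o[6], &o[7], &n) != 8 || s[n] != '\0') {
    n = 0;
    if (sscanf(s, "%3u.%3u.%3u.%3u%%2F%3u.%3u.%3u.%3u%n", &o[0], &o[1], &o[2],
               &o[3], &o[4], &o[5], &o[6], &o[7], &n) != 8 || s[n] != '\0')
      return -1;
  }
  for (i = 0; i < 8; i++)
    if (o[i] > 255) return -1;
  *addr = IP(o[0], o[1], o[2], o[3]);
  *mask = IP(o[4], o[5], o[6], o[7]);
  inv = ~*mask;
  return (inv & (inv + 1)) == 0 ? 0 : -1; /* mask must be 1s then 0s */
}

/* Assumed comparison: the configured address is used exactly as entered. */
int is_local_raw(uint32_t host, uint32_t ifaddr, uint32_t mask) {
  return (host & mask) == ifaddr;
}

/* Same test after clearing the host bits of the configured address. */
int is_local_norm(uint32_t host, uint32_t ifaddr, uint32_t mask) {
  return (host & mask) == (ifaddr & mask);
}

int main(void) {
  /* Constructed values: a host address vs. the network address, same mask. */
  const char *cfg[] = {"192.168.2.39/255.255.255.0", "192.168.2.0/255.255.255.0"};
  uint32_t a, m, host = IP(192, 168, 2, 10);
  int i;
  for (i = 0; i < 2; i++) {
    if (parse_net(cfg[i], &a, &m) != 0) return 1;
    printf("%-28s raw=%d normalized=%d\n", cfg[i], is_local_raw(host, a, m),
           is_local_norm(host, a, m));
  }
  return 0;
}
```

Under that assumption, the host-address setting makes every 192.168.2.x host compare as remote, while the network-address setting (or masking the configured address first) classifies them as local.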
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
Ciprian Badescu
Sent: Thursday, July 03, 2003 9:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Netflow Interface Configuration
Hi,
I have other results.
> 2. run ntop with -i none so that it's NOT picking up any traffic, just using
> netflow for all three networks. In that case, you use -m
> 192.168.1.0/24,192.168.2.0/24,192.168.3.0/24 and don't give a Local Network
> IP Address/Mask in the plugin.
>
   ntop host
      |
      |
      | net1            net2
    router  --------------------
   (netflow             net3
    device) ---------------------
      |
      |
      | internet
This is my case.
And from my try and see I have the following results:
- if I start ntop with -i none, it won't pick up any netflow traffic
- If I have the real address for my netflow interface (the interface from
net1 network), all addresses from net1 are counted as remote, even though the
network is in the list of local networks (using -m switch)
- If I put the network address for netflow interface, everything works
great :)
> -----Burton
>
> US-based commercial support for ntop:
> http://www.ntopsupport.com
> mailto:[EMAIL PROTECTED]
>
> Search the ntop mailing lists at gmane:
> http://search.gmane.org
>
> HowTo Ask for Help at
> http://snapshot.ntop.org/faq.php#83
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Ciprian Badescu
> Sent: Thursday, July 03, 2003 12:26 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Ntop] Netflow Interface Configuration
>
>
> Hi,
>
> I've something to add. I'm a newbie in using ntop, so if I say something
> too stupid, don't shoot me ;)
>
> >
> > Virtual NetFlow Interface
> > Network Address Local Network IP Address/Mask:
> > Format: digit.digit.digit.digit/digit.digit.digit.digit
> > (This does not (yet) accept CIDR /xx notation)
> >
> > This is the address used by ntop for the pseudo-interface it's receiving the
> > netflow packets on. So it acts just like the IP address of a physical
> > interface, setting local/pseudo-local etc. If you have a single point
> > source sending you flows, this is all you need. Otherwise, you'll need to
> > use -m to tell ntop which address ranges to treat as local.
>
> I think that this isn't the local IP address, but the local NETWORK
> address.
>
> If I have here a local IP address, there is no way to make NTOP
> recognize the local network as local network (even using -m switch)
>
> but
>
> if I put here local NETWORK address, everything works great. I don't know
> if it is a bug, or if this is how it is expected to work.
>
> The definition: "Local Network IP Address" isn't so clear for me.
>
> --
> Ciprian Badescu
>
> >
> > -----Burton
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott
> > Vivian
> > Sent: Wednesday, July 02, 2003 11:19 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Ntop] Netflow Interface Configuration
> >
> >
> > What should the Netflow Interface Configuration (IP address) be set to - a
> > loopback address, the same as my physical ethernet address, or something
> > "made up" like what was there after I turned on the netflow plugin
> > (192.168.0.0/255.255.255.0)? Does it matter?
> >
> > I'm running ntop v2.2 on RH 9.
> >
> > Thank you,
> >
> > Scott Vivian
> > M&A Technologies
> >