Hi,
I've done more tests and I found a possible bug:
Running in daemon mode makes ntop not work correctly:
The command line is:
Started as....ntop -L --trace-level 5 @/usr/local/etc/ntop/ntop.conf
Resolved to....ntop
-L
--trace-level
5
--user
ntop
--db-file-path
/var/db/ntop
--interface
none
--http-server
3000
--local-subnets
172.25.128.0/24,172.25.129.0/24,172.25.130.0/25,155.132.115.0/24
--reuse-rrd-graphics
If I add the -d switch, I get no traffic from my netflow device.
Otherwise, starting ntop in foreground, everything is like you said.
Still, from ntop configuration web page:
Local Networks.....172.25.128.0/255.255.255.0 [all devices]
172.25.129.0/255.255.255.0 [all devices]
172.25.130.0/255.255.255.128 [all devices]
155.132.115.0/255.255.255.0 [all devices]
0.0.0.0/255.255.255.0 [device (null)]
172.25.128.1/255.255.255.0 [device NetFlow-device]
So it takes the Netflow IP address (this is the network IP address) and
uses it as a network address.
So I'm still unsure if it is the interface IP address, or its local
network address in that input box. But the functionality is unchanged.
--
______V______ Ciprian Badescu
On Thu, 3 Jul 2003, Burton M. Strauss III wrote:
> Date: Thu, 3 Jul 2003 10:27:18 -0500
> From: Burton M. Strauss III <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: [Ntop] Netflow Interface Configuration
>
> ntop will not accept netFlow traffic on an un-numbered interface.
>
> SO you have just ONE router with many interfaces, which is also the netflow
> collection device??
>
> Like this:
>
> -----network---------<XXXXXXXX>-----------------(192.168.1.0/24)
> < router >
> <+netFlow>
> -----network---------<XXXXXXXX>-----------------(192.168.2.0/24 AND
> 192.168.3.0/24)
> | 192.168.2.39
> <ntop>
>
> Then it should successfully be sending netFlow packets for all the traffic
> it sees (beware of switches in the physical layout) to ntop.
>
> -i none just prevents ntop from bothering with non-netFlow packets on the wire.
>
> The value used for "Local Network IP Address/Mask" and -m should be totally
> interchangeable, as long as the full set is given to ntop.
>
> If you don't give a value for Local Network IP Address/Mask, there's some
> code in there:
>
> if((fetchPrefsValue("netFlow.ifNetMask", value, sizeof(value)) == -1)
>    || (sscanf(value, "%d.%d.%d.%d%%2F%d.%d.%d.%d", &a, &b, &c, &d, &a1, &b1, &c1, &d1) != 8)) {
>   storePrefsValue("netFlow.ifNetMask", "192.168.0.0/255.255.255.0");
>   myGlobals.netFlowIfAddress.s_addr = 0xC0A80000;
>   myGlobals.netFlowIfMask.s_addr = 0xFFFFFF00;
> } else {
>   myGlobals.netFlowIfAddress.s_addr = (a << 24) + (b << 16) + (c << 8) + d;
>   myGlobals.netFlowIfMask.s_addr = (a1 << 24) + (b1 << 16) + (c1 << 8) + d1;
> }
>
> which would set it to 192.168.0.0/16 (the full RFC 1918 space). All that
> should do is tag more than you expect as local.
>
> Run ntop with --trace-level 5 and look at the messages regarding handling
> of -m. Look at the reports and see what's indicated as the addresses for
> the interfaces in the globals report.
>
>
>
> -----Burton
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Ciprian Badescu
> Sent: Thursday, July 03, 2003 9:05 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Ntop] Netflow Interface Configuration
>
>
> Hi,
>
> I have other results.
>
> > 2. run ntop with -i none so that it's NOT picking up any traffic, just using
> > netflow for all three networks. In that case, you use -m
> > 192.168.1.0/24,192.168.2.0/24,192.168.3.0/24 and don't give a Local Network
> > IP Address/Mask in the plugin.
> >
>
>
> ntop host
> |
> |
> | net1 net2
> router --------------------
> (netflow net3
> device) ---------------------
> |
> |
> | internet
>
> This is my case.
>
> And from my try and see I have the following results:
>
> - if I start ntop with -i none, it won't pick up any netflow traffic
>
> - If I have the real address for my netflow interface (the interface from
> net1 network), all addresses from net1 are counted as remote, even though the
> network is in the list of local networks (using -m switch)
>
> - If I put the network address for netflow interface, everything works
> great :)
>
>
>
>
> > -----Burton
> >
> > US-based commercial support for ntop:
> > http://www.ntopsupport.com
> > mailto:[EMAIL PROTECTED]
> >
> > Search the ntop mailing lists at gmane:
> > http://search.gmane.org
> >
> > HowTo Ask for Help at
> > http://snapshot.ntop.org/faq.php#83
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> > Ciprian Badescu
> > Sent: Thursday, July 03, 2003 12:26 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [Ntop] Netflow Interface Configuration
> >
> >
> > Hi,
> >
> > I've something to add. I'm a newbie in using ntop, so if I say something
> > too stupid, don't shoot me ;)
> >
> > >
> > > Virtual NetFlow Interface
> > > Network Address Local Network IP Address/Mask:
> > > Format: digit.digit.digit.digit/digit.digit.digit.digit
> > > (This does not (yet) accept CIDR /xx notation)
> > >
> > > This is the address used by ntop for the pseudo-interface it's receiving the
> > > netflow packets on. So it acts just like the IP address of a physical
> > > interface, setting local/pseudo-local etc. If you have a single point
> > > source sending you flows, this is all you need. Otherwise, you'll need to
> > > use -m to tell ntop which address ranges to treat as local.
> >
> > I think that this isn't the local IP address, but the local NETWORK
> > address.
> >
> > If I have here a local IP address, there is no way to make NTOP
> > recognize the local network as local network (even using -m switch)
> >
> > but
> >
> > if I put here local NETWORK address, everything works great. I don't know
> > if it is a bug, or this is how it is expected to work.
> >
> > The definition: "Local Network IP Address" isn't so clear for me.
> >
> > --
> > Ciprian Badescu
> >
> >
> >
> >
> >
> >
> >
> > >
> > > -----Burton
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott
> > > Vivian
> > > Sent: Wednesday, July 02, 2003 11:19 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Ntop] Netflow Interface Configuration
> > >
> > >
> > > What should the Netflow Interface Configuration (IP address) be set to - a
> > > loopback address, the same as my physical ethernet address, or something
> > > "made up" like what was there after I turned on the netflow plugin
> > > (192.168.0.0/255.255.255.0)? Does it matter?
> > >
> > > I'm running ntop v2.2 on RH 9.
> > >
> > > Thank you,
> > >
> > > Scott Vivian
> > > M&A Technologies
> > >
>
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
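
An added example, not part of the original thread and not ntop's own code: it shows how an interface address and a network address in the "Local Network IP Address/Mask" field can classify the same host differently, and it validates octet range and mask shape, which the quoted sscanf fragment does not. It assumes a hypothetical check of the form `(host & mask) == configured address`; `parse_addr_mask`, `classify` and the sample host 172.25.128.50 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse "a.b.c.d/m.m.m.m" (dotted mask; the field does not take CIDR /xx).
 * Returns 0 on success, -1 on malformed text, an octet above 255 or a
 * non-contiguous mask. Results are in host byte order. */
int parse_addr_mask(const char *s, uint32_t *addr, uint32_t *mask) {
  unsigned int o[8];
  uint32_t inv;
  char extra;
  int i;

  /* The trailing %c catches junk after the eighth octet. */
  if (sscanf(s, "%3u.%3u.%3u.%3u/%3u.%3u.%3u.%3u%c", &o[0], &o[1], &o[2],
             &o[3], &o[4], &o[5], &o[6], &o[7], &extra) != 8)
    return -1;
  for (i = 0; i < 8; i++)
    if (o[i] > 255) return -1;
  *addr = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
  *mask = (o[4] << 24) | (o[5] << 16) | (o[6] << 8) | o[7];
  inv = ~*mask;                      /* valid mask: inv has the form 2^k - 1 */
  return (inv & (inv + 1)) ? -1 : 0;
}

/* 1 = host is local, 0 = remote, -1 = cfg rejected.
 * normalise == 0 compares against the configured value as typed (the
 * hypothetical check); normalise == 1 masks it to its network number first. */
int classify(const char *cfg, uint32_t host, int normalise) {
  uint32_t a, m;

  if (parse_addr_mask(cfg, &a, &m) != 0) return -1;
  if (normalise) a &= m;
  return (host & m) == a;
}

int main(void) {
  const uint32_t host = 0xAC198032;  /* 172.25.128.50, constructed sample */
  const char *cfgs[] = { "172.25.128.1/255.255.255.0",   /* interface address */
                         "172.25.128.0/255.255.255.0" }; /* network address */
  int i;

  for (i = 0; i < 2; i++)
    printf("%-28s as typed: %d  normalised: %d\n", cfgs[i],
           classify(cfgs[i], host, 0), classify(cfgs[i], host, 1));
  return 0;
}
```

Masking the configured value before comparing makes both forms of input equivalent, so the operator does not have to know which one the field expects.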