Understood.
But that begs the question: If I do not have another physical interface, what virtual interface is ntop expecting for the netflow plug-in? Can a virtual interface be created that netflow will see as separate from eth0 for netflow collection?
Tony
----------------
Read what I said - there's NO WAY to tell
them apart at the libpcap level. So there's only one interface being
captured.
What ntop does is to probe the :0 .. :7 interface to collect the addresses
for determination of 'local' vs. 'remote'.
So, for example, mine:
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:03:47:B1:62:26
inet addr:192.168.2.36 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2062702 errors:0 dropped:0 overruns:0 frame:26
TX packets:1491840 errors:0 dropped:0 overruns:5 carrier:1
collisions:57783 txqueuelen:100
RX bytes:414548465 (395.3 Mb) TX bytes:284739308 (271.5 Mb)
Interrupt:5 Base address:0xf000
eth0:0 Link encap:Ethernet HWaddr 00:03:47:B1:62:26
inet addr:192.168.1.36 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0xf000
ntop will treat 192.168.2.0/24 and 192.168.1.0/24 as local. If it didn't do
this, it would still see the traffic on the interface, but the eth0:0
traffic would be considered remote.
-----Burton
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________
