-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Cetera, Tony
Sent: Thursday, October 30, 2003 11:08 AM
To: '[EMAIL PROTECTED]'
Subject: [Ntop] Ntop, netflow virtual interfaceUnderstood.
But that begs the question: If I do not have another physical interface, what virtual interface is ntop expecting for the netflow plug-in? Can a virtual interface be created that netflow will see as separate from eth0 for netflow collection?
Tony
----------------
Read what I said - there's NO WAY to tell
them apart at the libpcap level. So there's only one interface being
captured.What ntop does is to probe the :0 .. :7 interface to collect the addresses
for determination of 'local' vs. 'remote'.So, for example, mine:
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:03:47:B1:62:26
inet addr:192.168.2.36 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2062702 errors:0 dropped:0 overruns:0 frame:26
TX packets:1491840 errors:0 dropped:0 overruns:5 carrier:1
collisions:57783 txqueuelen:100
RX bytes:414548465 (395.3 Mb) TX bytes:284739308 (271.5 Mb)
Interrupt:5 Base address:0xf000eth0:0 Link encap:Ethernet HWaddr 00:03:47:B1:62:26
inet addr:192.168.1.36 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:5 Base address:0xf000
ntop will treat 192.168.2.0/24 and 192.168.1.0/24 as local. If it didn't do
this, it would still see the traffic on the interface, but the eth0:0
traffic would be considered remote.-----Burton
________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. For more information on a proactive email security
service working around the clock, around the globe, visit
http://www.messagelabs.com
________________________________________________________________________
Title: Ntop, netflow virtual interface
Whoa
Please
put pigs in the sty and horses in the barn.
When
you tell ntop to accept netFlow data, it CREATES a pseudo device at that time
and listens on the physical interface(s) for netFlow
packets.
That's
completely separate from the issue of telling ntop about it's physical
interfaces so it can classify traffic from them.
Although it's all farm related, as you would use -m to tell ntop about
local addresses from both physical and virtual (pseudo) devices. (Think of
the virtual interface address on the netFlow plugin as equivalent to ONE address
on the -m parameter).
-----Burton
- [Ntop] Ntop, netflow virtual interface Cetera, Tony
- RE: [Ntop] Ntop, netflow virtual interface Burton M. Strauss III
- [Ntop] Ntop, netflow virtual interface Cetera, Tony
- [Ntop] Ntop, netflow virtual interface Burton M. Strauss III
- [Ntop] Ntop, netflow virtual interface Cetera, Tony
