Thanks for your help. Will this modification change the behavior of the LastSeen or icmpWatch plugins?
|-----Original Message-----
|From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]
|Sent: Wednesday, January 21, 2004 20:29
|To: [EMAIL PROTECTED]
|Subject: RE: [Ntop] mac address associated with incorrect host
|
|
|ntop is seeing the 1st packet with the IP address of the remote site and the
|MAC of the firewall - which is after all how it's being injected into the
|LAN - and making that association. Then all other packets with that MAC are
|associated with the single IP that ntop 1st saw. It's probably flagged the
|host with the multihomed risk flag, too.
|
|Assuming that the firewall/IPSec combo is rewriting the packets as if they
|ORIGINATE on the IPSec gateway, that is with its MAC address, then your
|only choice is -o - that's EXACTLY what it's for. Read the entries in
|docs/FAQ on this subject.
|
|
|-----Burton
|
|> -----Original Message-----
|> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kurt Buff
|> Sent: Wednesday, January 21, 2004 9:09 PM
|> To: '[EMAIL PROTECTED]'
|> Subject: [Ntop] mac address associated with incorrect host
|>
|>
|> All,
|>
|> Perhaps I'm dim, but I think I'm missing something. I've read the man page
|> for ntop, and can't seem to figure this out - I don't think that the -o
|> option is correct, but I'm willing to listen to an alternative opinion.
|>
|> I am very interested in tracking the remote sites' traffic, and the local
|> traffic, but I've found that ntop doesn't do well on our network with the
|> volume of Internet traffic, so I'm using --track-local-hosts to keep the
|> excess traffic from being logged, and using --local-subnet to tell ntop to
|> keep track of the foreign offices who are attached to us via our IPSec
|> tunnels.
|>
|> I've got a host at 192.168.61.8 (in AU) that seems to have had attached to
|> it the MAC address for our firewall locally (in the US, and the firewall's
|> address is 192.168.6.9), and ntop is reporting all traffic against the MAC
|> address of the firewall as coming from the remote host. The ntop host is on
|> a hub with the firewall, so it's listening to all of the traffic transiting
|> the firewall.
|>
|> Is there any way I can separate out the traffic? Does this require the use
|> of the -o option?
|>
|> ntop.conf, minus the comments, is below my .sig
|>
|>
|> Kurt Buff
|> Sr. Network Administrator
|> Zetron, Inc.
|> 425.820.6363 x463
|> [EMAIL PROTECTED]
|> PO Box 97004
|> Redmond, WA 98073
|>
|> ----------ntop.conf----------
|> --user ntop
|> --db-file-path /home/ntop/db/ntop
|> --interface xl0
|> --use-syslog
|> --track-local-hosts
|> --http-server 3000
|> --local-subnet 192.168.0.0/20,192.168.16.0/24,192.168.17.0/24,192.168.24.0/24,192.168.38.0/24,192.168.61.0/24,192.168.111.0/24
|> --reuse-rrd-graphics
|> --daemon
|> ----------ntop.conf----------
|>
|> _______________________________________________
|> Ntop mailing list
|> [EMAIL PROTECTED]
|> http://listgateway.unipi.it/mailman/listinfo/ntop
