In the cvs version, you can click on the underlined comments and it will
take you to ntophelp.html, which describes all the flags. If you're running
an old version, you might want to check out just that page...
WRT gateway, the flag is FLAG_GATEWAY_HOST ... grep for it in the code,
you'll find this (I'll comment it):
static void checkNetworkRouter(HostTraffic *srcHost,
                               HostTraffic *dstHost,
                               u_char *ether_dst, int actualDeviceId) {
  if((subnetLocalHost(srcHost) && (!subnetLocalHost(dstHost))
      // Traffic is LOCAL -> not LOCAL (i.e. REMOTE)
      // (remember the definition of pseudo-local - ntop's interface
      // IPs plus anything you tell it is local via -m)
      && (!broadcastHost(dstHost)) && (!multicastHost(dstHost)))
      // and destination is not BROADCAST or MULTICAST
     || (subnetLocalHost(dstHost) && (!subnetLocalHost(srcHost))
         // or REMOTE -> LOCAL
         && (!broadcastHost(srcHost)) && (!multicastHost(srcHost)))) {
         // and source is not BROADCAST or MULTICAST

    // Look it up in the tables...
    HostTraffic *router = lookupHost(NULL, ether_dst, 0, 0, actualDeviceId);

    // Not found ... we're done!
    if(router == NULL) return;

    if(((router->hostNumIpAddress[0] != '\0')
        // We have an IP address for the candidate router
        // and it's BROADCAST or MULTICAST or not LOCAL:
        && (broadcastHost(router)
            || multicastHost(router)
            || (!subnetLocalHost(router)) /* No IP: is this a special
                                             Multicast address ? */))
       // OR the destination address IS that of the candidate router
       || (addrcmp(&router->hostIpAddress,&dstHost->hostIpAddress) == 0)
       // OR the destination MAC address is that of the candidate router
       || (memcmp(router->ethAddress, dstHost->ethAddress,
                  LEN_ETHERNET_ADDRESS) == 0)
       )
      // We're also done...
      return;

    // Otherwise we are seeing a gateway/router
    // Increment the counter and set the flag
    incrementUsageCounter(&srcHost->contactedRouters, router,
                          actualDeviceId);
    FD_SET(FLAG_GATEWAY_HOST, &router->flags);
    updateRoutedTraffic(router);
  }
}
Say we see a packet from IP 1.1.1.1, MAC 00:00:00:aa:bb:cc to IP 192.168.1.2,
MAC 00:00:00:dd:ee:ff.
That's R->L.
But we know from other traffic that MAC 00:00:00:aa:bb:cc is really
IP 192.168.1.1.
So we're seeing a packet that traversed the router/gateway and was
re-written with the MAC address of the last hop per the Ethernet standard.
That tells ntop that the host is a gateway.
Note that an interface with multiple IPs also looks the same, which is one
of the reasons you might need the -o | --no-mac flag.
-----Burton
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Mathew Davies
> Sent: Wednesday, January 28, 2004 6:55 AM
> To: Ntop (E-mail)
> Subject: [Ntop] Local IP classifications
>
>
> In "Host (OS) Summary" there is Unhealthy Host classification column
>
> I was wondering what this was supposed to signify as a lot of my hosts
> appear in it?
>
> I have tried searching the documentation for unhealthy but can't find any
> mention.
>
> Also does anyone know why a Windows domain controller would appear in the
> gateway classification even though it provides no gateway service and
> doesn't even have a gateway set itself?
>
> I am using the current cvs updated on 28/1/2004
> -Mat
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
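An added example, not part of the original message and not ntop source: a simplified C model of the checks in the function quoted above, run against a constructed host table. Like that function it keys on the Ethernet destination, so the first sample packet is the outbound mirror of the one described; the host table, the 192.168.1.0/24 local network and the 10.0.0.5 second address are assumptions, and the original's MAC-to-MAC comparison is left out.

```c
/* Added illustration, not ntop source. Types, names and hosts are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t mac[6]; uint32_t ip; int gateway; } Host;

/* Constructed table of MAC -> IP bindings learned from earlier traffic */
static Host hosts[] = {
  { {0x00,0x00,0x00,0xaa,0xbb,0xcc}, 0xC0A80101u, 0 },  /* 192.168.1.1  */
  { {0x00,0x00,0x00,0xdd,0xee,0xff}, 0xC0A80102u, 0 },  /* 192.168.1.2  */
  { {0x00,0x00,0x00,0x11,0x22,0x33}, 0xC0A8010Au, 0 },  /* 192.168.1.10 */
};
static const uint8_t MAC_GW[6]    = {0x00,0x00,0x00,0xaa,0xbb,0xcc};
static const uint8_t MAC_HOST[6]  = {0x00,0x00,0x00,0xdd,0xee,0xff};
static const uint8_t MAC_MULTI[6] = {0x00,0x00,0x00,0x11,0x22,0x33};

/* Assumption: 192.168.1.0/24 is the only network treated as local */
static int is_local(uint32_t ip) { return (ip & 0xFFFFFF00u) == 0xC0A80100u; }
static int is_bcast_mcast(uint32_t ip) {
  return ip == 0xFFFFFFFFu || ip == 0xC0A801FFu || (ip >> 28) == 0xE;
}
static Host *find_mac(const uint8_t *mac) {
  for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
    if (memcmp(hosts[i].mac, mac, 6) == 0) return &hosts[i];
  return NULL;
}

/* Returns the host that gets flagged as a gateway, or NULL if none is */
static Host *check_router(uint32_t src, uint32_t dst, const uint8_t *ether_dst) {
  int out = is_local(src) && !is_local(dst) && !is_bcast_mcast(dst);
  int in  = is_local(dst) && !is_local(src) && !is_bcast_mcast(src);
  if (!out && !in) return NULL;          /* not local <-> remote traffic */
  Host *r = find_mac(ether_dst);
  if (r == NULL) return NULL;            /* destination MAC never seen */
  if (r->ip != 0 && (is_bcast_mcast(r->ip) || !is_local(r->ip))) return NULL;
  if (r->ip == dst) return NULL;         /* frame ends at the IP it was sent to */
  r->gateway = 1;                        /* local MAC carrying another IP's traffic */
  return r;
}

int main(void) {
  Host *a = check_router(0xC0A80102u, 0x01010101u, MAC_GW);    /* .2 -> 1.1.1.1 via .1 */
  Host *b = check_router(0x01010101u, 0xC0A80102u, MAC_HOST);  /* 1.1.1.1 -> .2 itself */
  Host *c = check_router(0xC0A80102u, 0x0A000005u, MAC_MULTI); /* .2 -> 2nd IP on .10  */
  printf("router=%d direct=%d multi_ip=%d\n", a != NULL, b != NULL, c != NULL);
  return 0;
}
```

The third packet is the multi-IP case: the host known as 192.168.1.10 is flagged even though it forwards nothing, because a non-local address shares its MAC.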