Craig's right - if you have an 802.1q port and just want to see ONE vlan from it, that's the filter!
 
 
Remember that ntop will eat any standard bpf filter expression in the -B"" tag, just be aware that they don't all make sense... this is because if the bpf filter selects a packet, ntop will still process the entire packet - it does not filter the hosts (src and dst) against the filter expression.
 
You need to think these through iteratively, what packets will be selected (1) and what will ntop do with them (2).
 
Also, don't forget that ntop is both layer 2 (MAC address) and layer 3 (TCP/IP), so filtering on the mac level address may give better results. -B "ether dst 00:00:00:00:00:00" will grab ALL traffic to the machine, regardless of tcp/ip addressing and regardless of whether it's tcp/ip traffic!  This is often what you really want to see 'tell me everything about Joe's machine'.
 
Say you have these packets
 
a.b.c.d -> w.x.y.z
w.x.y.z -> a.b.c.d
ARP(a.b.c.d)  (a who has broadcast)
a.b.c.f -> a.b.c.d
 
-B "ip and host a.b.c.d" sees ALL of those packets except the ARP
 
-B "ip and host w.x.y.z" sees only #1 and #2, but will create a host record for a.b.c.d also
 
-B "ether host 00:00:00:00:00:00" - will show you everything for that host, i.e. all 4 packets if that's the MAC address for a.b.c.d
 
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Craig Humphrey
Sent: Monday, February 02, 2004 2:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [Ntop] VLAN Tags

Try -B "vlan 6" as a parameter to ntop.  It works for me.  And yeah, it took me ages to figure that out.... but I'm just dumb :)
 
-----Original Message-----
From: Ennul Ennui [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 8:09 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] VLAN Tags

I've been reading through the documentation and the forums but I haven't found a clear answer to this question, so I figure it can't hurt to ask it.

 

I'm running NTOP on an install of Fedora. It works fine when I plug it into my local network. I set up a mirrored port of our internal firewall port to use to monitor traffic using NTOP. When I switched NTOP to this other interface I only receive OSI/Bridge/VLAN traffic. After looking at the tcpdump of the interface I realize that the traffic is being VLAN tagged.
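
The two-step reasoning in Burton's reply at the top of this thread (which packets the filter selects, then what ntop does with them), as an added example that is not part of any message here and is not ntop code. It is a small Python model of the four sample packets; the MAC addresses, the router hop in front of w.x.y.z and the ARP being sent by a.b.c.d are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample data: placeholder IPs from the thread, made-up MACs.
Pkt = namedtuple("Pkt", "num eth_src eth_dst ethertype ip_src ip_dst")

MAC_D = "00:00:00:00:00:0d"   # assumed MAC of a.b.c.d
MAC_F = "00:00:00:00:00:0f"   # assumed MAC of a.b.c.f
MAC_GW = "00:00:00:00:00:01"  # assumed router MAC in front of w.x.y.z
BCAST = "ff:ff:ff:ff:ff:ff"

PACKETS = [
    Pkt(1, MAC_D, MAC_GW, "ip", "a.b.c.d", "w.x.y.z"),
    Pkt(2, MAC_GW, MAC_D, "ip", "w.x.y.z", "a.b.c.d"),
    Pkt(3, MAC_D, BCAST, "arp", "a.b.c.d", None),  # who-has broadcast, sender a.b.c.d
    Pkt(4, MAC_F, MAC_D, "ip", "a.b.c.f", "a.b.c.d"),
]

# Simplified stand-ins for the BPF expressions quoted in the thread.
def ip_and_host(addr):          # -B "ip and host <addr>"
    return lambda p: p.ethertype == "ip" and addr in (p.ip_src, p.ip_dst)

def ether_host(mac):            # -B "ether host <mac>"
    return lambda p: mac in (p.eth_src, p.eth_dst)

def ether_dst(mac):             # -B "ether dst <mac>"
    return lambda p: p.eth_dst == mac

def ntop_view(bpf):
    """Step 1: the filter selects whole packets.
    Step 2 (as described in the thread): both ends of every selected
    packet get a host record, whether or not they match the filter."""
    selected = [p for p in PACKETS if bpf(p)]
    hosts = {ip for p in selected for ip in (p.ip_src, p.ip_dst) if ip}
    return [p.num for p in selected], sorted(hosts)

if __name__ == "__main__":
    cases = {
        'ip and host a.b.c.d': ip_and_host("a.b.c.d"),
        'ip and host w.x.y.z': ip_and_host("w.x.y.z"),
        'ether host ' + MAC_D: ether_host(MAC_D),
        'ether dst ' + MAC_D: ether_dst(MAC_D),
    }
    for expr, bpf in cases.items():
        nums, hosts = ntop_view(bpf)
        print(f'-B "{expr}": packets {nums}, host records {hosts}')
```
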

 
