On Fri, 20 Feb 2004, Burton M. Strauss III wrote:
> Interesting thought... hum...
>
> First off, if you recognize a problem, you can use the Admin | Change Filter
> option to suppress traffic in real time.
Understood, my problem here is that the Nachi devices still infected tend
to be laptops.... So when I go to log in to ntop it is hung and by that
time the laptop is on an airplane with the vendor on their way to the
next victim :)
> Would this work?
>
> Check both src and dst host. If either of them has the "no more" flag set,
> check the other host entry. If there's less than a small # (some threshold)
> in its packet received counter, free it (call freeHostInfo()) and stop
> processing the packet.
This sounds reasonable.
>
> You would spend some effort on the new host, only to throw it away, but it
> would keep ntop from creating 1000s of host records.
>
The key, I believe, is finding a reasonable threshold value. 1000s of hosts
don't seem to be that big of a deal, a busy nameserver could easily
produce that. While on the other hand a single Nachi-infected PC can
create 10,000+ in 1-3 seconds :).
>
> Let's talk about this after 3.0 is out the door.
>
Sounds good.
"Given enough time, all legal battles in the tech industry will invoke the
DMCA. This generally means that all constructive arguments have ended."
-NialScorva
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
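
The threshold check proposed in the thread, sketched as an added example; this is not ntop's code and was not posted to the list. The Host struct, the function names and both limits (PEER_LIMIT for setting the "no more" flag, RCVD_THRESHOLD for the packet-received test) are assumptions, and the traffic is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified host table; not ntop's data structures. */
#define MAX_HOSTS      65536
#define PEER_LIMIT     1000  /* assumed: contacts before a host gets the "no more" flag */
#define RCVD_THRESHOLD 3     /* assumed: fewer packets received than this = throwaway peer */

typedef struct { unsigned pktsRcvd, contacts; int inUse, noMore; } Host;
static Host table[MAX_HOSTS];
static unsigned liveHosts;

static Host *lookup(unsigned id) {          /* creates the record on first sight */
    Host *h = &table[id % MAX_HOSTS];       /* constructed ids stay below MAX_HOSTS */
    if (!h->inUse) { memset(h, 0, sizeof *h); h->inUse = 1; liveHosts++; }
    return h;
}

static void releaseHost(Host *h) { h->inUse = 0; liveHosts--; }

/* Returns 1 if the packet was accounted, 0 if the heuristic discarded it. */
int processPacket(unsigned src, unsigned dst) {
    Host *s = lookup(src), *d = lookup(dst);
    /* Either side flagged: free the other side if it has barely received anything. */
    if (s->noMore && !d->noMore && d->pktsRcvd < RCVD_THRESHOLD) { releaseHost(d); return 0; }
    if (d->noMore && !s->noMore && s->pktsRcvd < RCVD_THRESHOLD) { releaseHost(s); return 0; }
    d->pktsRcvd++;
    if (++s->contacts >= PEER_LIMIT) s->noMore = 1;
    return 1;
}

/* Constructed traffic: hosts 2 and 3 converse, then host 1 sweeps `targets` addresses. */
unsigned simulateSweep(unsigned targets) {
    memset(table, 0, sizeof table);
    liveHosts = 0;
    for (unsigned i = 0; i < 10; i++) { processPacket(2, 3); processPacket(3, 2); }
    for (unsigned t = 0; t < targets; t++) processPacket(1, 100 + t);
    return liveHosts;
}

int main(void) {
    printf("records after 10000-address sweep: %u\n", simulateSweep(10000));
    printf("flagged host -> established host accounted: %d\n", processPacket(1, 2));
    return 0;
}
```

With these assumed limits the table stops growing once the sweeping host is flagged, while traffic between the flagged host and a peer that has already received RCVD_THRESHOLD packets is still accounted.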