I'm running with eth0 and eth1 so I can watch both my corporate firewall (normal) or my interoffice link, when I switch NICs. Both segments lead back into my corporate network, I'm just watching them at the actual interfaces on the firewalls.
I have the opposite problem, I can't seem to get it to do much in the way of DNS lookups.....

--
J. Eric Josephson
Director of Network and System Operations
978-720-2159
mailto:[EMAIL PROTECTED]

Sha Chancellor <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/10/2004 04:17 PM
Please respond to ntop

To: [EMAIL PROTECTED]
cc:
Subject: Re: [Ntop] Yet another DNS question....

Why do you use eth0 and eth1? Is this a host in bridging mode, or on mirrored ports?

I was doing something similar (I have a Linux box running ntop in bridging mode in front of the router). If I used _BOTH_ I was getting double the traffic in my graphs and similar. The box does QoS and a few other things so it has to be BETWEEN in my case, and not on mirrored ports.

I have --track-local-hosts on and -i br0 and -m localsubnet. ntop still seems to be doing massive amounts of DNS lookups. According to ntop the machine it's running on has already done 8 mBs of DNS queries. However, in the ip summary->Traffic I only see the domain names for a few people.

It's irritating me to no end. I want to run with sticky hosts, but if I do that without --track-local-hosts my machine quickly runs out of memory. Argh

[EMAIL PROTECTED] wrote:

>OK, I'm ready to take my mailing list beating...
>
>I looked through the old list postings and found similar questions and some
>answers, but could not spot the information I was looking for.
>
>In my implementation of NTOP, I am watching all traffic going out of our
>corporate firewall. NTOP seems to capture most DNS requests that traverse
>the firewall. That is working fine. What I'm having a problem with is
>that I have hundreds of internal machines that generate traffic to the
>external world, but have no cause to have their own IP address resolved by
>any traffic I can sniff.
>
>I am starting NTOP with the following:
>
>ntop -d -u ntop -i eth0,eth1 -M -o -m 10.0.0.0/8 -p /etc/protocols.ntop -P /tmp
>
>and have all of my subnets broken down into 24 bit masks, i.e. 10.12.54.x,
>10.12.44.x etc...
>
>I am using today's CVS pull, but have had this "problem" for a very long
>time.
>
>Is there a way I can specify what address to aggressively do reverse name
>resolution on or simply to have NTOP actively resolve all IP addresses,
>thus more completely populating my internal machine addresses with names?
>
>--
>
>J. Eric Josephson
>Director of Network and System Operations
>978-720-2159
>mailto:[EMAIL PROTECTED]
>
>_______________________________________________
>Ntop mailing list
>[EMAIL PROTECTED]
>http://listgateway.unipi.it/mailman/listinfo/ntop
