DNS resolution attempts 239008
....Success: Resolved 239008
....Failed 0
DNS lookups stored in cache 239008
Host addresses kept numeric 0
But they don't show up as names when I look at the hosts page. I'm wondering why? I'm running Ntop 3.0pre2.
I'm assuming by DNS lockup you mean lookup?
[EMAIL PROTECTED] wrote:
I'm running with eth0 and eth1 so I can watch both my corporate firewall (normal) or my interoffice link, when I switch NICs. Both segments lead back into my corporate network, I'm just watching them at the actual interfaces on the firewalls.
I have the opposite problem, I can't seem to get it to do much in the way
of DNS lockups.....
Why do you use eth0 and eth1? Is this a host in bridging mode, or on mirrored ports? I was doing something similar (I have a Linux box running ntop in bridging mode in front of the router). If I used _BOTH_ I was getting double the traffic in my graphs and similar. The box does QoS and a few other things so it has to be BETWEEN in my case, and not on mirrored ports. I have --track-local-hosts on and -i br0 and -m localsubnet. ntop still seems to be doing massive amounts of DNS lookups. According to ntop the machine it's running on has already done 8 mBs of DNS queries. However, in the ip summary->Traffic I only see the domain names for a few people. It's irritating me to no end. I want to run with sticky hosts, but if I do that without --track-local-hosts my machine quickly runs out of memory. Argh
[EMAIL PROTECTED] wrote:
OK, I'm ready to take my mailing list beating...some
I looked through the old list postings and found similar questions and
answers, but could not spot the information I was looking for.
In my implementation of NTOP, I am watching all traffic going out of our corporate firewall. NTOP seems to capture most DNS requests that traverse the firewall. That is working fine. What I'm having a problem with is that I have hundreds of internal machines that generate traffic to the external world, but have no cause to have their own IP address resolved by any traffic I can sniff.
I am starting NTOP with the following:
ntop -d -u ntop -i eth0,eth1 -M -o -m 10.0.0.0/8 -p /etc/protocols.ntop -P /tmp
and have all of my subnets broken down into 24-bit masks, i.e. 10.12.54.x, 10.12.44.x etc...
I am using today's CVS pull, but have had this "problem" for a very long time.
Is there a way I can specify what address to aggressively do reverse name
resolution on or simply to have NTOP actively resolve all IP addresses,
thus more completely populating my internal machine addresses with names?
_______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
