As always, remember that if you're connecting ntop to the LAN via a switch, all you'll see is the broadcast traffic, so there won't be any DNS traffic to sniff...

-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, March 10, 2004 3:18 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: [Ntop] Yet another DNS question....
>
> I'm running with eth0 and eth1 so I can watch both my corporate firewall
> (normal) or my interoffice link, when I switch NICs. Both segments lead
> back into my corporate network, I'm just watching them at the actual
> interfaces on the firewalls.
>
> I have the opposite problem, I can't seem to get it to do much in the way
> of DNS lookups.....
>
> --
> J. Eric Josephson
> Director of Network and System Operations
> 978-720-2159
> mailto:[EMAIL PROTECTED]
>
>
> Sha Chancellor <[EMAIL PROTECTED].net>
> Sent by: [EMAIL PROTECTED]
> 03/10/2004 04:17 PM
> Please respond to ntop
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: [Ntop] Yet another DNS question....
>
>
> Why do you use eth0 and eth1? Is this a host in bridging mode, or on
> mirrored ports? I was doing something similar (I have a linux box
> running ntop in bridging mode in front of the router). If I used _BOTH_
> I was getting double the traffic in my graphs and similar. The box
> does QoS and a few other things so it has to be BETWEEN in my case, and
> not on mirrored ports. I have --track-local-hosts on and -i br0 and -m
> localsubnet. ntop still seems to be doing massive amounts of dns
> lookups. According to ntop the machine it's running on has already done
> 8 mBs of dns queries. However, in the ip summary->Traffic I only see
> the domain names for a few people. It's irritating me to no end. I
> want to run with sticky hosts, but if I do that without
> --track-local-hosts my machine quickly runs out of memory. Argh
>
> [EMAIL PROTECTED] wrote:
>
>> OK, I'm ready to take my mailing list beating...
>>
>> I looked through the old list postings and found similar questions and some
>> answers, but could not spot the information I was looking for.
>>
>> In my implementation of NTOP, I am watching all traffic going out of our
>> corporate firewall. NTOP seems to capture most DNS requests that traverse
>> the firewall. That is working fine. What I'm having a problem with is
>> that I have hundreds of internal machines that generate traffic to the
>> external world, but have no cause to have their own IP address resolved by
>> any traffic I can sniff.
>>
>> I am starting NTOP with the following:
>>
>> ntop -d -u ntop -i eth0,eth1 -M -o -m 10.0.0.0/8 -p /etc/protocols.ntop -P /tmp
>>
>> and have all of my subnets broken down into 24 bit masks. i.e. 10.12.54.x,
>> 10.12.44.x etc...
>>
>> I am using today's CVS pull, but have had this "problem" for a very long
>> time.
>>
>> Is there a way I can specify what address to aggressively do reverse name
>> resolution on or simply to have NTOP actively resolve all IP addresses,
>> thus more completely populating my internal machine addresses with names?
>>
>> --
>>
>> J. Eric Josephson
>> Director of Network and System Operations
>> 978-720-2159
>> mailto:[EMAIL PROTECTED]
>>
>>
>> _______________________________________________
>> Ntop mailing list
>> [EMAIL PROTECTED]
>> http://listgateway.unipi.it/mailman/listinfo/ntop
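Two points in the thread above are easy to misjudge without seeing the numbers: Sha's observation that capturing on both member interfaces of a bridge doubles every counter, and Burton's reminder that a monitor hanging off an ordinary switch port only receives broadcast traffic and therefore sees no DNS to learn names from. The following is an added example, not code from the thread or from the ntop project: it models both situations over a handful of constructed frames. The interface names, MAC addresses and IP addresses are made up for the illustration, and the dedup key (source, destination, protocol, IPv4 ID, length, ports) is one simple choice, not ntop's logic.

```python
"""Added example (not from the ntop thread or project): why a passive
monitor that captures on both member ports of a Linux bridge double-counts
every forwarded packet, and why an unmirrored switch port shows a monitor
only broadcast frames (so no DNS queries to learn host names from).
All frames are constructed sample data, not captured traffic."""
from collections import Counter
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
MONITOR_MAC = "00:11:22:33:44:55"  # hypothetical MAC of the ntop host


@dataclass(frozen=True)
class Frame:
    iface: str     # interface the frame was captured on
    dst_mac: str   # Ethernet destination
    src_ip: str
    dst_ip: str
    proto: str     # "udp" or "tcp"
    ip_id: int     # IPv4 Identification field
    length: int    # bytes on the wire
    sport: int = 0
    dport: int = 0


def dedup_key(f: Frame):
    # A transparent bridge forwards the datagram unchanged, so the same packet
    # captured on eth0 (ingress) and eth1 (egress) has identical header fields.
    return (f.src_ip, f.dst_ip, f.proto, f.ip_id, f.length, f.sport, f.dport)


def dedup_frames(frames):
    """Keep the first capture of each packet; drop the copy seen on the other
    bridge port. Equivalent in spirit to capturing on br0 instead of eth0,eth1."""
    seen, kept = set(), []
    for f in frames:
        k = dedup_key(f)
        if k not in seen:
            seen.add(k)
            kept.append(f)
    return kept


def bytes_per_host(frames):
    """Per-source-host byte totals, like ntop's host traffic table."""
    totals = Counter()
    for f in frames:
        totals[f.src_ip] += f.length
    return dict(totals)


def visible_on_unmirrored_port(frames, monitor_mac):
    """What a plain (non-mirrored) switch port delivers to the monitor: only
    broadcast frames and frames addressed to the monitor's own MAC.
    Flooding of unknown-unicast frames is ignored for simplicity."""
    return [f for f in frames if f.dst_mac in (BROADCAST_MAC, monitor_mac)]


def dns_queries_visible(frames):
    """Number of UDP/53 queries a monitor could learn names from."""
    return sum(1 for f in frames if f.proto == "udp" and f.dport == 53)


ROUTER_MAC = "00:aa:00:00:00:02"  # constructed
SAMPLE_FRAMES = [
    # DNS query crossing the bridge: captured on eth0 and again on eth1
    Frame("eth0", ROUTER_MAC, "10.12.54.10", "10.0.0.53", "udp", 4101, 74, 51234, 53),
    Frame("eth1", ROUTER_MAC, "10.12.54.10", "10.0.0.53", "udp", 4101, 74, 51234, 53),
    # HTTP segment to an external host (192.0.2.0/24 documentation range), both ports
    Frame("eth0", ROUTER_MAC, "10.12.44.20", "192.0.2.10", "tcp", 9001, 1514, 40000, 80),
    Frame("eth1", ROUTER_MAC, "10.12.44.20", "192.0.2.10", "tcp", 9001, 1514, 40000, 80),
    # Broadcast name-service chatter that stays on the local segment (eth0 only)
    Frame("eth0", BROADCAST_MAC, "10.12.54.77", "10.12.54.255", "udp", 7, 92, 137, 137),
]

if __name__ == "__main__":
    print("raw (eth0,eth1):   ", bytes_per_host(SAMPLE_FRAMES))
    print("deduplicated (br0):", bytes_per_host(dedup_frames(SAMPLE_FRAMES)))
    vis = visible_on_unmirrored_port(SAMPLE_FRAMES, MONITOR_MAC)
    print("frames on unmirrored switch port:", len(vis),
          "DNS queries among them:", dns_queries_visible(vis))
```

The raw totals come out exactly double for every host whose packets cross the bridge, while the broadcast frame, which never leaves its segment, is counted once either way. The unmirrored-port view contains only that broadcast frame and zero DNS queries, which is the situation Burton describes. Keying on the IPv4 ID is only a demonstration: Linux often sends ID 0 with DF set, so a production deduplicator (for example the window-based one in Wireshark's editcap) hashes more of the packet.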
