Your boss needs some remedial network training. Plugging it into a switch (when the port is normally configured) will only allow it to see traffic that is either a) addressed directly to that port or b) broadcasts that hit that switch.

If you want it to see more traffic, there are two general strategies.

1) I am currently using NTOP to monitor traffic that our firewall sees. To do this, I have the NTOP box and my firewall's internal port both plugged into a hub, which is in turn plugged into a port on my backbone switch. That way, NTOP sees everything the firewall sees on the firewall's internal port.

2) Any good managed switch (layer 2 - not, unfortunately, my layer 3 Cisco 2948G-L3 switch, though other layer 3 switches might differ) will allow you to do what is variously called either port spanning or port mirroring, which means that all of the traffic that appears on port A is directed to appear on port B. Plugging your NTOP box into port B will allow you to monitor the traffic from port A, which presumably contains the traffic you want to monitor.

Kurt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Handiboe
Sent: Monday, March 15, 2004 15:01
To: [EMAIL PROTECTED]
Subject: [Ntop] plea for information

NTOPsters,

I joined today .... under pressure. I have been working with NTOP for a while, trying to get it to see "all" network traffic on our network. My boss has concluded that all NTOP can see is broadcast traffic and therefore he has a low opinion of what I believe to be a fine product (I'm not so quick to accuse PhDs of lousy software, Luca), and I have discovered that, by golly, NTOP does report what it sees and it only sees what traverses the computer system it's actually running on. (hang on ....)

My boss is also convinced that all switches (yeah ...) have the feature where all traffic occurring via that switch will be visible to all ports on the switch, and, since NTOP is plugged into a switch (a 3Com 3300TM), all traffic on that switch should be reported by NTOP. He uses the word "backplane" a lot.

The NTOP machine is Fedora Core 1 with the "pre1" rpm from SourceForge. I have it listening for all the data I am interested in and I know that it can see whatever traverses the NTOP machine. I also presently have the NIC forced to promiscuous mode. I also have a separate machine running NetProbe; it's on Slackware 9.1 and the NIC is not in promiscuous mode. Both machines are plugged into the same 3Com switch. NetProbe sees much more traffic/activity.

Question 1: Is it true that NTOP must be plugged into a hub to see "all" network traffic?
Question 2: Does anyone else think of switches like my boss does?
Question 3: Anyone willing to comment as to why NetProbe sees much more than NTOP on our 3Com switch?

Thanks to anyone willing to take this one. Feel free to call names and be mean, if necessary.

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
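As an added illustration (not part of Kurt's or Michael's mail, and not ntop code), here is a small Python model of the learning-switch behaviour Kurt describes: a host on an ordinary switch port receives only broadcasts, frames addressed to its own MAC and, going slightly beyond what Kurt says, unicast frames whose destination MAC the switch has not learned yet; promiscuous mode on the NIC cannot recover frames the switch never sends down that port's wire. Setting `mirror=(2, 3)` models port spanning from the firewall's port onto the monitor's port. The MAC addresses, port numbers and traffic sequence are constructed for the example.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    src: str           # source MAC
    dst: str           # destination MAC
    ingress_port: int  # switch port the frame arrived on

class LearningSwitch:
    """Toy model of a layer-2 learning switch with optional port mirroring (SPAN)."""
    def __init__(self, num_ports, mirror=None):
        self.ports = set(range(1, num_ports + 1))
        self.mac_table = {}   # MAC -> port it was last seen on
        self.mirror = mirror  # (monitored_port, mirror_port) or None

    def forward(self, frame):
        """Return the set of ports that receive a copy of this frame."""
        self.mac_table[frame.src] = frame.ingress_port  # learn the source MAC
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast, or destination not yet learned: flood to every other port.
            out = self.ports - {frame.ingress_port}
        else:
            # Known unicast: deliver only to the port where that MAC was learned.
            out = {self.mac_table[frame.dst]} - {frame.ingress_port}
        if self.mirror:
            monitored, mirror_port = self.mirror
            # Mirroring copies everything entering or leaving the monitored port.
            if frame.ingress_port == monitored or monitored in out:
                out = out | {mirror_port}
        return out

# Constructed sample traffic (made-up MACs): host A on port 1, firewall on
# port 2, the NTOP monitor on port 3, host C on port 4.
A, FW = "02:00:00:00:00:01", "02:00:00:00:00:02"
C, UNKNOWN = "02:00:00:00:00:04", "02:00:00:00:00:99"
SAMPLE_FRAMES = [
    Frame(A, BROADCAST, 1),  # ARP request from A: flooded, so the monitor sees it
    Frame(FW, A, 2),         # firewall answers A: unicast to port 1 only
    Frame(A, FW, 1),         # A -> firewall: unicast to port 2 only
    Frame(FW, A, 2),         # firewall -> A: unicast to port 1 only
    Frame(C, UNKNOWN, 4),    # destination never learned: flooded
]

def frames_seen_by(monitor_port, mirror=None, frames=SAMPLE_FRAMES):
    """Count how many sample frames reach monitor_port, with or without mirroring."""
    switch = LearningSwitch(num_ports=4, mirror=mirror)
    seen = sum(1 for f in frames if monitor_port in switch.forward(f))
    return seen, len(frames)

print(frames_seen_by(3), frames_seen_by(3, mirror=(2, 3)))  # (2, 5) (5, 5)
```

On the plain access port the monitor catches only the broadcast and the unknown-unicast flood; with the firewall's port mirrored onto it, every frame in the sample reaches it, which is what Kurt's hub and SPAN strategies both achieve in hardware.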
