RE: [Ntop] plea for information::Update

Fri, 26 Mar 2004 09:24:53 -0800 

Yup.  No matter how you 'mirror' traffic into ntop, switches will still hide
traffic as part of doing their job.  That's why expensive, managed switches
are best...

That said, there are two ways to create 'mirror' type views of specific
links.  You don't see all the traffic on the SWITCH, but you do see all the
traffic on the LINK.

1) Use the passive tap we've been discussing on this list (from snort.org),
but remember you'll need TWO NICs.  You can either bond the two sides
together in the kernel (if the drivers support this) or let ntop's interface
merge do this automatically (as long as you don't have any virtual -
netFlow/sFlow - devices which disable the merge).

2) You can use a hub to create a copy of the traffic.  HOWEVER, you need a
true hubs (NOT a switching hub) (old cheap units are best!!!).  To do this,
turn this:

  +----------+
  | Backbone |
  |  Switch  |
  +----------+
        |
        |
  +----------+
  |  Switch  |
  +----------+

Into this:

  +----------+
  | Backbone |
  |  Switch  |
  +----------+
        |
      +---+
      +HUB+------------------>ntop (***UNNUMBERED PORT***)
      +---+
        |
  +----------+
  |  Switch  |
  +----------+

-----Burton


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Michael Handiboe
> Sent: Friday, March 26, 2004 10:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Ntop] plea for information::Update
>
>
> Hi everyone.
>
> I've finally got my ONE manageable switch "programmed" to
> mirror an uplink port to a standard port and NTOP is plugged
> into the standard port.  Unfortunately, the other switches are "dumb"
> and I can only speculate as to how much of my total network
> traffic is being seen by NTOP.
>
> We are all in "wow" status right now and are still discovering the
> wonderful world of NTOP.
>
> Mighty fine job Luca and Burton.  Thanks a whole bunch.
> Even The Boss is impressed.  Now you guys REALLY should
> feel good about yourselves!!! :-)
>
> I have a few issues/questions, but I want to get more knowledge before
> posting here.
>
> ---Michael
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop

Reply via email to