I am trying to get rid of the vague "Other Protocols". I wanted to narrow them down a little, so I wrote myself a script to include every port in /usr/share/ntop/protocols.list, and ran it, and it gave me a healthy file, but I still get 77% "Other TCP/UDP-based Protocols." under [IP Summary]->[Distribution]. Should it not be in one of the categories I defined? Is there a way to tell what this traffic is (besides watching the wire, which would defeat the purpose of running ntop)? Is there traffic that is *always* Other TCP/UDP-based Protocols?
I am using ntop-3.0-0 from a src.rpm on a RedHat 7.2 machine. Any ideas would be appreciated. Specifics below my .sig. Thanks in advance.

----------------------------------------------------------------------
James S. White          (334) 467-6954          [EMAIL PROTECTED]
220 Hidden Valley Rd    http://www.jameswhite.org
Danville, AL 35619
----------------------------------------------------------------------
A deep, unwavering belief is a sure sign that you're missing something.

Resulting protocol.list: (It's one line on the server, I'm using Webmail)

  #!/usr/bin/perl
  ######################################################################
  # Usage: ./ntop_portlist.pl > /usr/share/ntop/protocol.list
  ######################################################################

  # This is the default list from the man page; add to it for your specific needs:
  $monitored="FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,POP=pop-2|pop-3|kpop,SNMP=snmp|snmp-trap,NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh";

  # My specific needs
  $monitored=$monitored.","."P2P=1214|kazaa|6881-6889|bittorrent|gnutella-svc|gnutella-rtr,MAIL=pop3|pop2|imap2|imap3|smtp,DB=postgresql|mysql";

  # just listify the ports in $monitored
  @monlist=listofports($monitored);

  # Read in the services file; the more complete this is, the better.
  # Note: everything after "/tcp" or "/udp" (the alias column) is dropped,
  # so only the first name of each service is known to the spellchecker.
  open SERVICES, "/etc/services" or die "cannot read /etc/services: $!";
  while(<SERVICES>){
    s/#.*//g;
    s/\/[tu][cd]p.*//g;
    unless(m/^\s*$/){
      m/(\S+)\s+(\S+)/;
      $ports{$2}=$1;
      push(@spellcheck,$1);
    }
  }
  close SERVICES;

  # spellchecker
  foreach (@monlist){
    unless(m/^\d+$/){
      unless(isin($_,@spellcheck)){
        print STDERR "$_ in list to monitor, but NOT in /etc/services. Spelling error maybe?\n";
      }
    }
  }

  # Go through the ports: everything not already monitored lands in one of
  # the four catch-all categories, split by privileged/unprivileged and
  # assigned/unassigned in /etc/services.
  for($i=0;$i<1025;$i++){
    if($ports{$i}){
      push(@priv_assn,$ports{$i}) unless(isin($ports{$i},@monlist));
    }else{
      push(@priv_unassn,$i) unless(isin($i,@monlist));
    }
  }
  for($i=1025;$i<49152;$i++){
    if($ports{$i}){
      push(@assn,$ports{$i}) unless(isin($ports{$i},@monlist));
    }else{
      push(@unassn,$i) unless(isin($i,@monlist));
    }
  }
  $assgn_priv=join("|",@priv_assn);
  $assgn=join("|",@assn);
  $non_assgn_priv=join("|",ranges(@priv_unassn));
  $non_assgn=join("|",ranges(@unassn));
  $non_assn_dyn="49152-65535";

  print "$monitored,";
  print "NON_ASSGN_PRIV=$non_assgn_priv,";
  print "ASSGN_PRIV=$assgn_priv,";
  print "NON_ASSGN=$non_assgn,";
  print "ASSGN=$assgn,";
  print "NON_ASSN_DYN=$non_assn_dyn\n";
  exit 0;

  #########################SUBROUTINES######################################
  sub ranges{
    my @listports=@_;
    my @rangedports;
    # find all number series and replace them with n-m ranges
    # (loop to <= $#listports so a lone last port is not dropped)
    for($j=0;$j<=$#listports;$j++){
      if($j<$#listports && $listports[$j]+1 == $listports[$j+1]){
        $first=$listports[$j];
        while($j<$#listports && $listports[$j+1] == $listports[$j]+1){ $j++ };
        $last=$listports[$j];
        push(@rangedports,$first."-".$last);
      }else{
        push(@rangedports,$listports[$j]);
      }
    }
    return @rangedports;
  }

  sub isin{
    ($element,@array)=@_;
    foreach $item (@array){
      if($item eq $element){
        return 1;
      }
    }
    return 0;
  }

  sub listofports{
    my ($monitored)=(@_);
    # Get it in a more useable form: strip the category names, split on "|",
    # and expand n-m ranges into the individual ports
    my @monitored=split(/,/,$monitored);
    foreach $port (@monitored){
      $port=~s/.*=//g;
      @tmplist=split(/\|/,$port);
      push(@newlist,@tmplist);
    }
    foreach $p (@newlist){
      if($p=~m/(\d+)-(\d+)/){
        for($l=$1;$l<=$2;$l++){
          push(@finlist,"$l");
        }
      }else{
        push(@finlist,$p);
      }
    }
    return @finlist;
  }
  ###########################################################################

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
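An added example (not from the post, and not ntop's own code): a small audit of a protocol.list in the format the script above emits. It resolves service names against a constructed /etc/services excerpt instead of reading the real file, reports names that do not resolve, ports claimed by more than one category and ports no category covers, and folds port lists into n-m ranges the way the script's ranges() sub does, keeping the final port. SAMPLE is a constructed, cut-down version of the poster's list.

```python
import re
# Constructed /etc/services excerpt (name -> port); a real run would read the file.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "www": 80,
            "pop-2": 109, "pop2": 109, "pop-3": 110, "pop3": 110, "imap2": 143,
            "imap3": 220, "https": 443, "kpop": 1109, "mysql": 3306}
# Constructed, cut-down version of the poster's list (note the 'postresql' typo).
SAMPLE = ("FTP=ftp|ftp-data,HTTP=http|www|https,POP=pop-2|pop-3|kpop,MAIL=pop3|pop2|imap2|imap3|smtp,"
          "DB=postresql|mysql,X11=6000-6010,SSH=ssh,NON_ASSN_DYN=49152-65535")

def parse_protocol_list(text, services):
    """Map each category to the set of ports it claims; collect names that do not resolve."""
    categories, unresolved = {}, []
    for field in text.strip().split(","):
        if not field:
            continue
        name, _, spec = field.partition("=")
        ports = set()
        for entry in spec.split("|"):
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", entry)  # bare port or lo-hi range
            if m:
                lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                ports.update(range(lo, hi + 1))
            elif entry in services:
                ports.add(services[entry])
            else:
                unresolved.append((name, entry))  # a typo here matches no traffic at all
        categories[name] = ports
    return categories, unresolved

def audit(categories, max_port=65535):
    """Return ports no category claims, and ports claimed by more than one category."""
    owners = {}
    for name, ports in categories.items():
        for p in ports:
            owners.setdefault(p, []).append(name)
    uncovered = [p for p in range(max_port + 1) if p not in owners]
    overlaps = {p: n for p, n in sorted(owners.items()) if len(n) > 1}
    return uncovered, overlaps

def compress_ranges(ports):
    """Fold sorted ports into 'n' / 'n-m' tokens; the final port is kept even when alone."""
    tokens, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        tokens.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return tokens
```

Call parse_protocol_list(SAMPLE, SERVICES) and feed the categories to audit(): on the sample, ports 109 and 110 come back shared by POP and MAIL (pop-2/pop2 and pop-3/pop3 are the same ports under two names) and DB's "postresql" is reported as unresolved.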
