-M with only one active interface is meaningless. Assuming the mirrored port is unnumbered, you need to tell ntop the local address ranges - otherwise everything is remote.
-----Burton > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Brian Worrell > Sent: Thursday, June 03, 2004 11:06 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [Ntop] Cisco Port mirror and NTOP > > > Hello Chris, > > Thank you very much for replying to my previous enquiries about ntop. I > really > appreciate it. We're still unable to get ntop to do what we need. > Following is > a more detailed description of what we'd like to do and the > problems we're > having. > > We have a switch which sits between a router and a server. We'd like to > view > all traffic going both directions between the router and the server. > > ----------- ----------- ---------- > | Router | --------| Switch | ---------- | Server | > ----------- ----------- ---------- > | | > | | > | | > | | 0 > | ---------------------| ntop > on Linux | > | > | 1 > | > ------------------------------------- > > The switch is capable of "port mirroring" whereby all traffic > going through > one > port (to the server) is mirrorred to another port (the Linux box running > ntop on > eth0). We have a second ethernet interface on the Linux box > (eth1) which we > use > to access ntop and view the network traffic stats in a web browser. > > We start ntop with "ntop -M -i eth0" so that it separates traffic by > interface > and listens on eth0. > > The problem is that when we do this, we are unable to view the > local matrix > (Local IP/Local Matrix) in ntop. > > Do you have any suggestions on how we might configure our ethernet > interfaces/ntop so that we can view the local matrix? > > Muchos Gracias for your help! > > Brian Worrell > Network Manager > IU Medical Group > 317-860-2737 > > > -----Original Message----- > From: Chris Moore - GMD [mailto:[EMAIL PROTECTED] > Sent: Wednesday, June 02, 2004 8:07 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [Ntop] Cisco Port mirror and NTOP > > oops, sorry for the subject confusion. My faux-paux. > > Here's what I do: I start ntop as a service at boot. In my /etc/ntop.conf > file I specify the interfaces (eth1, eth2) to listen on with the > -i flag. I > do not assign addresses to the interfaces I listen on. In this case, ntop > brings the interfaces up without IPs. If I shut one down with ifconfig, I > have to reboot the machine to bring it back up; ifconfig will not bring it > up w/ no IP. So my ifconfig output ends up looking like this > (just to prove > I'm not making this up! ;-) ): > > eth0 Link encap:Ethernet HWaddr 00:04:AC:25:F1:69 > inet addr:10.12.232.223 Bcast:10.12.232.255 Mask:255.255.255.0 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:534 errors:0 dropped:0 overruns:0 frame:0 > TX packets:104 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > RX bytes:49975 (48.8 Kb) TX bytes:23282 (22.7 Kb) > Interrupt:9 Base address:0xef40 Memory:fb9ff000-fb9ff038 > > eth1 Link encap:Ethernet HWaddr 00:04:76:D4:03:09 > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:36960 errors:0 dropped:0 overruns:1 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > RX bytes:6762554 (6.4 Mb) TX bytes:0 (0.0 b) > Interrupt:7 Base address:0xec00 > > eth2 Link encap:Ethernet HWaddr 00:10:4B:2B:47:9D > UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 > RX packets:801 errors:0 dropped:0 overruns:0 frame:0 > TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 > collisions:0 txqueuelen:100 > RX bytes:158340 (154.6 Kb) TX bytes:0 (0.0 b) > Interrupt:10 Base address:0xee80 > > > Chris > > > > -----Original Message----- > > Date: Tue, 1 Jun 2004 18:27:58 -0500 > From: Brian Worrell <[EMAIL PROTECTED]> > Subject: RE: [Ntop] Cisco Port mirror and NTOP > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain > > > > > I have tried that, and I also tried a different OS, I had fedora, I > tried SUSE 9.1, also RedHat 9. All seem to have the same issue, without > an IP, the interface does not come up, at least where NTOP can see it. > I do not think this is an NTOP issue, but a Linux question. Does anyone > know how to bring up the interface without having an IP? > > Brian Worrell > Network Manager > IU Medical Group > 317-860-2737 > > > _______________________________________________ > Ntop mailing list > [EMAIL PROTECTED] > http://listgateway.unipi.it/mailman/listinfo/ntop > _______________________________________________ > Ntop mailing list > [EMAIL PROTECTED] > http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
