I don't know how the bond interface appears to libpcap - that's the key. Does snort use libpcap or does it do its own low-level capture?

Let's see... If ntop can't figure it out from the NIC, you MUST use -m. No surprise here.

Thought: Try -o | --no-mac - it's possible that the bonding driver is mucking w/ the low level frames.

Second thought - turn on --trace-level 4 and see what pops up for the DLT messages during startup.

-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Miles Stevenson
> Sent: Tuesday, June 22, 2004 11:51 AM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] Strange behavior on bonded interface
>
> I'm trying to run NTOP on a linux 2.4 box that is bonding 2 interfaces
> together. The results I get are incorrect, and ntop starts behaving
> strangely depending on the options I give it.
>
> For example, when I specify a home-net (which is a must since the bonded
> interface has no IP and ntop will be unable to determine the local net for
> itself), ntop only seems to be seeing traffic from specific hosts on my
> home net, and ignoring others. When I do not specify a home net, it sees
> more of my local hosts, but has no idea that they are local so the stats
> aren't as useful.
>
> I have a class C net (we'll use 172.16.2.0/24 as an example), which is
> split up into several smaller chunks. For example:
>
> 172.16.2.0/29
> 172.16.2.64/26
> 172.16.2.128/26
> ...etc...
>
> I get different results if I specify my home net as 172.16.2.0/24, or
> specify each smaller subnet using commas. I also get different results if
> I use the -g flag (show only local hosts), which doesn't make sense. For
> example:
>
> Without the -g flag, ntop may only show stats for host 172.16.2.15.
> But when I add the -g flag, .15 disappears, and now it shows stats for
> .16, but they BOTH are in my specified home-net range!
>
> I even get different results depending on how I notate the netmask! For
> example, if I use:
>
> -m 172.16.2.0/24
>
> I might see traffic ONLY from host .17
>
> but if I say:
>
> -m 172.16.2.0/255.255.255.0
>
> I see NO traffic from .17, but now start seeing traffic from .18!
>
> I also get different results if I use quotes or not (-m 172.16.2.0/24 or
> -m "172.16.2.0/24"). This makes absolutely no sense.
>
> I know there is not a hardware/OS problem, as I am running a Snort/ACID
> setup on the same box, listening on the same bond0 interface. It sees all
> traffic fine and behaves normally.
>
> No matter what combination of options I try, I can't seem to get NTOP to
> see all my hosts that I KNOW are generating lots of traffic on the wire
> (we are talking very busy web and mail servers here).
>
> Is anyone else out there successfully using ntop on a bonded linux
> interface or having the same weird problems?
>
> --
> Miles Stevenson
> [EMAIL PROTECTED]
> PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
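An added reference check, not ntop's code and not a model of how ntop itself parses -m: the Python below parses a home-net spec in every notation tried in the thread (CIDR, dotted netmask, quoted, comma-separated list) and reports which of the hosts named there it covers. The whole-/24 variants classify .15 through .18 identically, so any tool that treats them differently is at fault in its parsing or capture, not the network; the three listed /29 and /26 chunks on their own do not cover .15 through .18 at all, so a comma-separated list must include the elided chunks before its results can be compared with the /24 spec. The host list (including the extra .200 and 10.0.0.5) is constructed sample data.

```python
"""Reference check for ntop-style -m home-net specs (added example, not ntop code)."""
import ipaddress


def parse_home_net(spec: str) -> list:
    """Parse "net/bits,net/mask,..." (optionally quoted) into IPv4Network objects."""
    nets = []
    for item in spec.strip().strip('"\'').split(","):
        item = item.strip()
        if not item:
            continue
        addr, sep, mask = item.partition("/")
        if not sep:
            mask = "32"  # a bare address means a single host
        # ipaddress accepts both a prefix length and a dotted mask after '/'
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def local_hosts(spec: str, hosts: list) -> list:
    """Return, in input order, the hosts that fall inside any network in spec."""
    nets = parse_home_net(spec)
    return [h for h in hosts if any(ipaddress.ip_address(h) in n for n in nets)]


def consistent_across_variants(specs: list, hosts: list) -> bool:
    """True when every spec variant yields the same local-host list."""
    return len({tuple(local_hosts(s, hosts)) for s in specs}) == 1


# Constructed sample: the hosts named in the thread plus two extra addresses.
SAMPLE_HOSTS = ["172.16.2.15", "172.16.2.16", "172.16.2.17",
                "172.16.2.18", "172.16.2.200", "10.0.0.5"]

# Notations from the thread that should all mean "the whole /24".
EQUIVALENT_SPECS = ["172.16.2.0/24", "172.16.2.0/255.255.255.0",
                    '"172.16.2.0/24"', "'172.16.2.0/24'"]

# Only the chunks actually listed in the thread; the "...etc..." is missing.
LISTED_CHUNKS = "172.16.2.0/29,172.16.2.64/26,172.16.2.128/26"

if __name__ == "__main__":
    for spec in EQUIVALENT_SPECS + [LISTED_CHUNKS]:
        print(f"{spec:45} -> {local_hosts(spec, SAMPLE_HOSTS)}")
    print("whole-/24 variants agree:",
          consistent_across_variants(EQUIVALENT_SPECS, SAMPLE_HOSTS))
```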
