Make sure that the -p /usr/share/ntop/protocol.list is populated. I personally use (on RH9) -p /etc/services as that list is fairly complete.
________________________________
From: [EMAIL PROTECTED] on behalf of Jorge Carminati
Sent: Thu 8/26/2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: [Ntop] Traffic classification
Hi! I'm quite an ntop newbie, so please be nice :)
I'm running ntop release '3.0 SourceForge RPM' with Linux 2.4.27 and am
having quite a strange problem that I'll try to explain as clearly as
possible (let me know otherwise):
If for example I initiate an ftp session to a remote server located
inside our WAN and then I start downloading some files, ntop will
classify this traffic in the 'Other IP' category, that's 'IP Summary ->
Traffic'. Since this traffic is destined for port 21 I
expected it to appear in the 'File Transfer' column..., so what can be
wrong?
I've monitored with tcpdump from the ntop host for a couple of minutes
and all the traffic is correctly displayed, I mean, the source and
destination ports are the correct ones:
16:53:48.049383 10.60.240.13.20 > 10.2.2.11.1751: . 1:1461(1460) ack 0 win 8760 (DF)
16:53:48.064344 10.60.240.13.20 > 10.2.2.11.1751: . 1461:2921(1460) ack 0 win 8760 (DF)
16:53:48.064844 10.2.2.11.1751 > 10.60.240.13.20: . ack 2921 win 64240 (DF)
16:53:48.250676 10.60.240.13.20 > 10.2.2.11.1751: . 4381:5841(1460) ack 0 win 8760 (DF)
16:53:48.251199 10.2.2.11.1751 > 10.60.240.13.20: . ack 2921 win 64240 (DF)
16:53:48.338420 10.60.240.13.20 > 10.2.2.11.1751: . 2921:4381(1460) ack 0 win 8760 (DF)
16:53:48.338960 10.2.2.11.1751 > 10.60.240.13.20: . ack 5841 win 64240 (DF)
From the ftp client (M$ XP) a 'netstat -n' will show:
TCP 10.2.2.11:1747 10.60.240.13:21 ESTABLISHED
TCP 10.2.2.11:1751 10.60.240.13:20 ESTABLISHED
From ntop 'IP Summary -> Traffic' it's displayed:
host = 10.2.2.11
Data = 4.1 MB 40%
File Transfer = 4.4KB
Other IP = 3.6MB (increasing)
ntop was started with these parameters:
/usr/bin/ntop -i eth0 --user ntop --daemon --db-file-path /usr/share/ntop --interface eth0 -p /usr/share/ntop/protocol.list --trace-level 3 --https-server 3000 --no-mac --track-local-hosts --disable-schedyield -r 300 -j -n --w3c -w 0 -b
I've also tried with -m 10.1.0.0/255.255.0.0, 10.2.0.0/255.255.0.0 but
it seems not to be related to my problem.
The ethernet switch is a Cisco Catalyst 6509 with SPAN enabled to
mirror all the traffic from/to 10.60.*
**Please CC as I'm not subscribed.
Any comment will be greatly appreciated, thanks in advance.
J. Carminati.
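To make the effect of the protocol list concrete, here is an added example (not ntop's code, and not from either poster) that classifies tcpdump lines like the ones above against an ntop-style "-p" specification. It assumes ntop's "Label=svc|svc,Label=..." syntax, a small constructed subset of /etc/services, and a simplified rule that the lower-numbered endpoint port decides the label; the sample packets are constructed to mirror the post.

```python
import re

# Constructed tcpdump lines in the shape of the ones from the post: an FTP data
# transfer on port 20 and one command-channel packet on port 21.
SAMPLE_TCPDUMP = """\
16:53:48.049383 10.60.240.13.20 > 10.2.2.11.1751: . 1:1461(1460) ack 0 win 8760 (DF)
16:53:48.064344 10.60.240.13.20 > 10.2.2.11.1751: . 1461:2921(1460) ack 0 win 8760 (DF)
16:53:48.064844 10.2.2.11.1751 > 10.60.240.13.20: . ack 2921 win 64240 (DF)
16:53:49.000000 10.2.2.11.1747 > 10.60.240.13.21: P 1:8(7) ack 1 win 64240 (DF)
"""

# Constructed subset of /etc/services (name -> port), standing in for -p /etc/services.
SERVICES = {"ftp": 21, "ftp-data": 20, "http": 80, "https": 443}

PKT_RE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")


def parse_protocol_list(spec):
    """Turn 'FTP=ftp|ftp-data,HTTP=http' (ntop -p syntax) into {port: label}."""
    port_to_label = {}
    for entry in spec.split(","):
        label, _, ports = entry.partition("=")
        for p in ports.split("|"):
            p = p.strip()
            port_to_label[int(p) if p.isdigit() else SERVICES[p]] = label.strip()
    return port_to_label


def parse_tcpdump(text):
    """Return (sport, dport, payload_bytes) per line; pure ACKs count as 0 bytes."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        _src, sport, _dst, dport, rest = m.groups()
        n = re.search(r"\((\d+)\)", rest)  # the '(1460)' payload length, not '(DF)'
        pkts.append((int(sport), int(dport), int(n.group(1)) if n else 0))
    return pkts


def classify(pkts, port_to_label):
    """Sum bytes per label; traffic whose ports match nothing falls into 'Other IP'."""
    totals = {}
    for sport, dport, nbytes in pkts:
        lo, hi = sorted((sport, dport))  # assumption: well-known (lower) port decides
        label = port_to_label.get(lo) or port_to_label.get(hi) or "Other IP"
        totals[label] = totals.get(label, 0) + nbytes
    return totals
```

With a list that only knows "ftp" (port 21) the port-20 transfer lands in "Other IP", exactly the symptom in the post; adding "ftp-data" moves it under FTP.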
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
