We've discussed this on-list before. ntop stores more about 'local' hosts than remote ones, so you pick what you need for your needs...
Many people use a -m list combined with --track-local-hosts as a rough filter, vs. -B "". They actually work differently - the -m + --track-local-hosts works separately on SRC and DST, while using -B selects packets for processing or not according to the BPF filter. You might even use all three - say you have packets crossing a router for networks you simply don't care about.
Couple comments in-line...
-----Burton
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Hoffswell
Sent: Tuesday, February 15, 2005 10:18 AM
To: [email protected]
Subject: RE: [Ntop] NetFlow Multiple Routers Multiple Interfaces
Ah -
Somehow I missed the local faq at http://myhost:3000/faq.html. I had been going with the docs/faq on the ntop website.
[BMSIII] There isn't an FAQ on ntop.org. A lot on http://www.ntop.org is out of date. I've asked Luca to remove obsolete stuff, but it doesn't seem to mesh with his priorities. Maybe some kind soul would volunteer to update the pages for him??
Chris' comments on multiple interfaces and networks hit home well.
My core wan router, in essence, has no "local networks", or lots of "local networks", depending on the point of view.
My routers are west core and east core. They are the two hubs of a dual hub-and-spoke network.
If I have eth0, netflow-router.1, and netflow-router-2, how do I define
multiple "local networks" for each different interface/device? -m is a
global setting, isn't it?
[BMSIII] Yup ... from the docs on the netFlow configuration screen: "If the NetFlow probe is monitoring only a single network, then this is all you need to set. If the NetFlow probe is monitoring multiple networks, then pick one of them for this setting and use the -m | --local-subnets parameter to specify the others." It's not able to handle multiple different sets.
Maybe I should just set my local subnets to
10.0.0.0/8,192.168.0.0/16,172.16.0.0/16 for everything? Everything but
internet traffic would be considered local across my 32 site wan...
Thanks!
Pete Hoffswell 616-732-1101 (Grand Rapids, x1101)
University LAN/WAN Coordinator 616-510-1198 (Mobile)
IT Services [EMAIL PROTECTED]
Davenport University http://www.davenport.edu
-=-=- LAN/WAN services: http://networker.davenport.edu -=-=-
>>>[EMAIL PROTECTED] 02/15/05 10:15 am >>>
You will need to send the flows to different
netFlow pseudo-devices (either on separate IPs or separate port #s depending
upon what your router can do).
As for the Virtual address setting, READ docs/FAQ, it's in there.
-----Burton
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete Hoffswell
Sent: Tuesday, February 15, 2005 8:03 AM
To: [email protected]
Subject: [Ntop] NetFlow Multiple Routers Multiple Interfaces
Good day to you -
I'm a ntop newbie, but am not seeing documentation or list conversations that clarify this well.
I have two WAN routers with multiple serial interfaces, terminating wan links to several sites.
I have ntop 3.1 running with the NetFlow plugin working. I have
two Netflow devices created, each sending the flows to ntop on a separate port
(2055 and 2056).
I have my routers configured to create flows on some of the serial
interfaces.
All looks pretty good.
Question 1: How do I view traffic on a per-interface basis? My
configuration seems to put all flows for a router into the one Netflow device
instance in ntop.
Instead of:
NetFlow-router.1 = NetFlow-device.1
NetFlow-router.2 = NetFlow-device.2
I would like to see, I think:
NetFlow-router1-serial.1 = NetFlow-device.1
NetFlow-router1-serial.2 = NetFlow-device.2
NetFlow-router1-serial.3 = NetFlow-device.3
NetFlow-router2-serial.1 = NetFlow-device.4
NetFlow-router2-serial.2 = NetFlow-device.5
NetFlow-router2-serial.3 = NetFlow-device.6
Question 2: What should I set my Virtual NetFlow Interface Network Address to?
This may be the answer to question one. The serial interfaces are just tiny ip networks to define the wan link. They don't really define "local traffic".
Here's a single remote site example:
Serial link, wan router: 10.200.1.45/30
Ether link to lan router: 10.12.2.1/24
Lan 1 10.12.12.1/23
Lan 2 10.12.12.1/23
Lan 3 10.12.50.1/24
Lan 4 10.12.51.1/24
etc.
These networks are 1 (wan) or 2 (lan) hops away from
the netflow core wan router. In this case, how would I define "local
traffic" on the core wan router netflow setup in ntop?
Thanks!
Pardon my limited understanding of both ntop and NetFlow. I have
a feeling I'm barking up the wrong tree on this. Can someone help me
out?
Thanks!
Pete Hoffswell 616-732-1101 (Grand Rapids, x1101)
University LAN/WAN Coordinator 616-510-1198 (Mobile)
IT Services [EMAIL PROTECTED]
Davenport University http://www.davenport.edu
-=-=- LAN/WAN services: http://networker.davenport.edu -=-=-
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
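Added example (not from the thread or from ntop's code): a small Python model of the distinction drawn in the top reply, where a -m style local list is tested separately against SRC and DST while a -B style filter keeps or drops a whole packet, run over the subnet list proposed in the thread. The flows are constructed, all function names are hypothetical, and the filter is assumed to be "either endpoint in the list".

```python
import ipaddress

def parse(csv):
    return [ipaddress.ip_network(n) for n in csv.split(",")]

# The -m list proposed in the thread, and the full RFC 1918 blocks for comparison.
LOCAL_NETS = parse("10.0.0.0/8,192.168.0.0/16,172.16.0.0/16")
RFC1918 = parse("10.0.0.0/8,172.16.0.0/12,192.168.0.0/16")

# Constructed sample flows as (src, dst); not taken from the thread.
FLOWS = [
    ("10.12.12.7", "10.12.50.9"),      # site LAN to site LAN
    ("10.12.2.15", "198.51.100.20"),   # site LAN to internet
    ("203.0.113.4", "192.168.3.8"),    # internet to site LAN
    ("172.20.1.5", "10.12.51.3"),      # private source outside 172.16.0.0/16
    ("198.51.100.20", "203.0.113.4"),  # transit, neither end local
]

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def classify(flow, nets=LOCAL_NETS):
    """Per-endpoint model: SRC and DST are tested independently."""
    return tuple("local" if in_nets(a, nets) else "remote" for a in flow)

def packet_filter(flows, nets=LOCAL_NETS):
    """Per-packet model (assumed filter: either endpoint in nets):
    a flow is kept or dropped whole, before any host accounting."""
    return [f for f in flows if in_nets(f[0], nets) or in_nets(f[1], nets)]

def tracked_hosts(flows, nets=LOCAL_NETS):
    """Endpoints that count as local, i.e. the ones tracked in detail."""
    hosts = {a for f in flows for a in f if in_nets(a, nets)}
    return sorted(hosts, key=ipaddress.ip_address)

def uncovered_private(flows, nets=LOCAL_NETS):
    """RFC 1918 endpoints that the local list misses and so treats as remote."""
    return sorted({a for f in flows for a in f
                   if in_nets(a, RFC1918) and not in_nets(a, nets)})

if __name__ == "__main__":
    for f in FLOWS:
        print(f, classify(f))
    print("kept by filter:", len(packet_filter(FLOWS)))
    print("tracked hosts:", tracked_hosts(FLOWS))
    print("private but remote:", uncovered_private(FLOWS))
```

The 172.20.1.5 flow is the case to check on a real network: 172.16.0.0/16 covers only part of the RFC 1918 172.16.0.0/12 block, so hosts elsewhere in that block are classified as remote.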
