OK, sure....  you need to terminate the capture file (i.e. end tcpdump), THEN feed it into ntop. ntop doesn't like files which haven't been cleanly terminated.  Same goes for using the -l | --pcap-log option - you need to end ntop so the file gets cleanly terminated or tcpdump won't eat it.
 
So anyway, the answer is that the file from tcpdump is read all at once.  ntop then 'stops capturing' and will display the (static) data until you shut it down.
 
-----Burton


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Didier Benza
Sent: Tuesday, March 01, 2005 3:27 AM
To: [email protected]
Subject: Re: [Ntop] ntop on a pcap file


Why are you trying this?  It's bogus - just use -B "filter" for the ntop instance.
Hello,

In the first place it was just a test of this function of ntop. I am considering the possibility of keeping the raw Netflow data for short periods for security reasons. I wanted to test how I could use ntop to analyze this raw data. It was not my goal to test a live tcpdump with a live ntop on it; it was a mistake (I didn't stop tcpdump as I believed I did).

But when I saw the result, I was curious about what was displayed.

Thanks for your answer.
 
-----Burton


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Didier Benza
Sent: Monday, February 28, 2005 9:50 AM
To: [email protected]
Subject: [Ntop] ntop on a pcap file

Hello,

Here is what I tried:
  • I started a tcpdump -w file.pcap dst host my_host and dst port 2055 &
  • A few minutes later, I launched ntop as a daemon with the -f file.pcap argument; the tcpdump was still (and is still) running. Ntop complained a little because it found file.pcap to be a truncated file, but it processed it.
Now this very instance of ntop I launched on the pcap file a few hours ago displays in (Summary->Network load) a graph with the last hour. A long time after the moment I first launched ntop.

My question is: does ntop rescan the pcap file and display the evolution, or does it display the actual time by error?

I hope that I made myself clear :-[ .

-- 
Didier Benza                            [EMAIL PROTECTED]
Tel : +33 492 38 7167 /  Fax : +33 492 38 7602 
INRIA 2004, Route des Lucioles, BP  93, 06902 Sophia Antipolis Cedex
  

_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop

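Added example, not part of the original thread and not ntop's or tcpdump's own code: a Python check for the "truncated file" condition discussed above. It walks the records of a classic pcap file and reports whether the last one is complete. The function names and the sample capture are constructed for illustration.

```python
import struct

GLOBAL_HDR_LEN = 24   # pcap file header
RECORD_HDR_LEN = 16   # per-packet header: ts_sec, ts_usec, incl_len, orig_len
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}


def check_pcap(data):
    """Walk the records of a classic pcap file held in `data` (bytes).

    Returns (complete_records, clean_length, status). clean_length is the
    offset where the last complete record ends; status is one of
    'clean', 'truncated' or 'not-pcap'.
    """
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in MAGICS:
        return 0, 0, "not-pcap"
    endian = MAGICS[data[:4]]
    offset, records = GLOBAL_HDR_LEN, 0
    while offset < len(data):
        if offset + RECORD_HDR_LEN > len(data):
            return records, offset, "truncated"   # cut inside a record header
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        end = offset + RECORD_HDR_LEN + incl_len
        if end > len(data):
            return records, offset, "truncated"   # cut inside the packet bytes
        offset, records = end, records + 1
    return records, offset, "clean"


def build_sample(payloads):
    """Constructed sample capture: little-endian header, one record per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1109600000 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    whole = build_sample([b"\x00" * 60, b"\x01" * 90, b"\x02" * 120])
    still_being_written = whole[:-50]   # simulates a capture whose writer is still running
    print(check_pcap(whole))
    print(check_pcap(still_being_written))
```

A file cut exactly on a record boundary is reported as clean, because the classic pcap format carries no end-of-file marker.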