So you have two completely different technologies showing the same thing and
you want us to explain why BOTH are wrong??  I'd start at the other end -
check for switch attacks such as ARP poisoning etc. -  Maybe you need to
install tcpdump and capture some packets showing the traffic on your switch
port that's not addressed to you, then kick it back into their lap.

Read man ntop for the -B "filter" option.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Damir Dezeljin
Sent: Monday, March 28, 2005 6:43 AM
To: Ntop mailing list
Subject: [Ntop] 'Strange' input trafic

Hi.

I have a server running Debian Woody. It is located in my ISP's computer
room. It is connected to the local LAN (/24 subnet - 255.255.255.0).

My ISP is charging me for every incoming MB above N GBs (only incoming).
Every month I get a graph with an 'average' daily traffic.

After getting a big bill for last December, I started monitoring the
traffic using various programs. Currently I'm using ntop, which is the best
I tried.

The 'strange' thing is that the incoming traffic is somehow a 'mirror' of
the outgoing traffic. I can't understand this. It seems that e.g. every
downloaded image from my server is logged in the outgoing as well as in the
incoming traffic of ntop.

The graph provided by the ISP shows the same situation. I can't understand
this as my server is mainly used for my web hosting. So upload traffic
should be small compared to the outgoing. However this is not true ...
the outgoing traffic is nearly the same (I'm not sure if it is exactly the
same) as incoming.


BTW: My ISP is monitoring the traffic by using SNMP on the SWITCH where my
server is connected to. So they are just monitoring incoming and outgoing
traffic on my SWITCH port.


Does anyone have a hint what is going on and how I can solve this problem?



The next thing I would like to do is configure ntop (running on my server)
to monitor ONLY traffic to / from my server. I didn't find a way to
configure ntop to 'ignore' my local gateway in the report (which reassembles
all my traffic), nor do I know how I can exclude traffic sent / received by
other servers on the same subnet (BTW: as far as I know, I should not see this
traffic as I'm connected to a switch!) - I'm not sure what the current
situation is, however at the beginning of February I was able to see also
traffic from a neighbor server. Any idea?


Best regards,
Dezo

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
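
The check suggested in the reply above (capture on the switch port and show how much of the traffic is not addressed to you), as an added example that is not part of the original thread. It tallies frame bytes from `tcpdump -e -n` text output by Ethernet destination; the MAC addresses and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

MY_MAC = "02:00:00:aa:00:01"  # assumption: this server's NIC address

# Constructed sample in the layout printed by `tcpdump -e -n`; not real traffic.
SAMPLE = """\
12:00:00.000001 02:00:00:aa:00:01 > 02:00:00:aa:00:fe, ethertype IPv4 (0x0800), length 1514: 192.0.2.10.80 > 198.51.100.7.51234: Flags [.], length 1448
12:00:00.000209 02:00:00:aa:00:fe > 02:00:00:aa:00:01, ethertype IPv4 (0x0800), length 66: 198.51.100.7.51234 > 192.0.2.10.80: Flags [.], length 0
12:00:00.000410 02:00:00:aa:00:02 > 02:00:00:aa:00:fe, ethertype IPv4 (0x0800), length 1514: 192.0.2.20.80 > 203.0.113.9.40000: Flags [.], length 1448
12:00:00.000633 02:00:00:aa:00:fe > 02:00:00:aa:00:02, ethertype IPv4 (0x0800), length 1514: 203.0.113.9.40000 > 192.0.2.20.80: Flags [.], length 1448
12:00:00.000850 02:00:00:aa:00:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20, length 46
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# timestamp, "src > dst,", then the first "length N:" which is the frame length
FRAME = re.compile(rf"^\S+ (?P<src>{MAC}) > (?P<dst>{MAC}), .*?length (?P<len>\d+):")


def classify(src, dst, my_mac):
    """Label one frame relative to our own NIC."""
    if dst == my_mac:
        return "inbound"
    if src == my_mac:
        return "outbound"
    if int(dst[:2], 16) & 1:  # group bit set: broadcast or multicast
        return "broadcast/multicast"
    # Unicast between two other stations: a switch normally keeps this off our port.
    return "foreign-unicast"


def tally(lines, my_mac):
    """Sum frame bytes per class; lines that are not frame headers are skipped."""
    totals = Counter()
    for line in lines:
        m = FRAME.match(line.strip().lower())
        if m:
            totals[classify(m["src"], m["dst"], my_mac.lower())] += int(m["len"])
    return totals


if __name__ == "__main__":
    for label, nbytes in sorted(tally(SAMPLE.splitlines(), MY_MAC).items()):
        print(f"{label:20s} {nbytes:8d} bytes")
```

A large `foreign-unicast` share is the evidence to hand to the ISP: those frames are counted on the switch port even though the server never asked for them.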
