It's amusing in a sad way how the wheel turns. Blow the dust out of your mind ... think way, way back to the dawn of time. Remember FTP?
FTP is the protocol that's the model for these - there is a communications port which decides what random ports to use. And you are right, without seeing the setup details (deep packet inspection), you can't track this. Most of the protocols defined since then follow what we think of as the normal model - a server port with a random response port - so you can classify packets based upon one recognized port. Now you have a new generation of protocols more similar to FTP - SIP, H.323, etc. (Note that w/ Exchange, you can lock it down to standard ports if you want - this option exists to make it easier to traverse firewalls.)

Since these protocols use random ports, you can never build a protocols file that will handle them - essentially any port >= 1024 can be used. At best, your file represents the non-random 'random' assignments, e.g. SIP starts assigning ports at X, while H.323 starts at Y. But run enough SIP calls and the ranges will collide.

You are right about NetFlow - since it summarizes packets, the information isn't available for deep packet inspection. Unless there's something that can be built into the templates of V9. But you are wrong that ntop can't handle them - it just takes coding. Yes, these won't be perfect - they will have the same flaws as our handling of ftp does. But ANY inspection-based monitor will have the same issues - setup packets it can't see make things opaque.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Humphrey
Sent: Sunday, June 26, 2005 5:36 PM
To: [email protected]
Subject: [Ntop] I love ntop, but...

Hi People,

I've been using Ntop for a number of years now and I love it (great work Luca/Burton!). In the last year or so I switched to using its NetFlow support to monitor our WAN. But now it would appear that I've reached its limits... (unless I've missed something)

We now appear to have two if not three applications on our network that use seemingly random ports, which makes classifying and tracking them a real pain. They are VoIP (http://www.mitel.com/DocController?documentId=9555&c=9511&sc=9514), MS Exchange 2003 with Outlook 2003 (http://www.microsoft.com/exchange/default.mspx) and AfterMail (http://www.aftermail.com/).

I need to do some more research, but even after building a protocols file based on port lists from IANA (http://www.iana.org/assignments/port-numbers) and Graffiti (http://www.graffiti.com/services), I still get more traffic assigned to "Other" than any other type. I think this means I've reached the point where I need packet inspection to assist in determining traffic type. Which counts out NetFlow... And I think will count out Ntop in general.

Can anyone provide any hints or suggestions? Other than porting some other project's packet-inspection module (sorry, I just don't have the time).

BTW My little monitoring box (P3 766MHz 384Meg, FedoraCore 2) does a remarkable job of coping with about 4000 protocols for our 10Mbit/s WAN, unless I hit the Summary | Traffic page too often. The box also uses MRTG and SmokePing. If anyone would like a copy of the huge (~64K) protocols file, just ask me off list.

Later'ish
Craig

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
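Burton's point that dynamic-port protocols can only be classified by watching their setup exchange, illustrated with an added Python example that is not from this thread or from ntop's code: a toy flow classifier that consults a static port table first, then falls back to RTP/RTCP endpoints learned from a SIP/SDP body, which is exactly the payload a NetFlow record does not carry. The port table, addresses and the SDP text are constructed for the example.

```python
import re

# Constructed stand-in for a protocols file: well-known ports only.
STATIC_PORTS = {21: "ftp", 25: "smtp", 80: "http", 1720: "h323", 5060: "sip"}


class DynamicPortClassifier:
    """Classify flows by static port, falling back to ports learned from
    SIP/SDP setup packets (the same idea as tracking FTP PORT/PASV)."""

    SDP_MEDIA = re.compile(r"^m=(audio|video) (\d+) RTP/AVP", re.M)
    SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)

    def __init__(self):
        self.learned = {}  # (ip, port) -> label, filled from SDP offers/answers

    def inspect(self, payload):
        """Parse one SDP body (from a SIP INVITE or 200 OK) and remember the
        RTP endpoint it advertises; returns how many media lines were learned."""
        conn = self.SDP_CONN.search(payload)
        if not conn:
            return 0
        ip, learned = conn.group(1), 0
        for kind, port in self.SDP_MEDIA.findall(payload):
            port = int(port)
            self.learned[(ip, port)] = f"rtp-{kind}"
            self.learned[(ip, port + 1)] = f"rtcp-{kind}"  # RTCP conventionally uses port+1
            learned += 1
        return learned

    def classify(self, src, sport, dst, dport):
        """Label a flow 5-tuple; without a learned endpoint it lands in 'other'."""
        for endpoint in ((src, sport), (dst, dport)):
            if endpoint in self.learned:
                return self.learned[endpoint]
        for port in (sport, dport):
            if port in STATIC_PORTS:
                return STATIC_PORTS[port]
        return "other"


# Constructed SDP body, as carried in a SIP INVITE from 10.0.0.5.
SAMPLE_SDP = ("v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\nc=IN IP4 10.0.0.5\r\n"
              "m=audio 49170 RTP/AVP 0 8\r\n")

if __name__ == "__main__":
    clf = DynamicPortClassifier()
    print(clf.classify("10.0.0.9", 50000, "10.0.0.5", 49170))  # other
    clf.inspect(SAMPLE_SDP)
    print(clf.classify("10.0.0.9", 50000, "10.0.0.5", 49170))  # rtp-audio
```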
