Well, Dave's answer isn't quite correct either.

Layer 3 protocols are specified by the -p | --protocols file, just as
described in the man page and FAQ.

       -p | --protocols
        This parameter is used to specify the TCP/UDP protocols that ntop will monitor. The format is
        <label>=<protocol list> [, <label>=<protocol list>], where label is used to symbolically identify
        the <protocol list>. The format of <protocol list> is <protocol>[|<protocol>], where <protocol> is
        either a valid protocol specified inside the /etc/services file or a numeric port range (e.g. 80, or
        6000-6500).

        A simple example is --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data", which reduces the
        protocols displayed on the "IP" pages to three:

        Host                      Domain Data          HTTP   FTP   Other IP
        ns2.attbi.com             <flag>  954 63.9 %      0     0        954
        64.124.83.112.akamai.com  <flag>  240 16.1 %    240     0          0
        64.124.83.99.akamai.com   <flag>  240 16.1 %    240     0          0
        toolbarqueries.google.com <flag>   60 4.0 %      60     0          0

        If the <protocol list> is very long you may store it in a file (for instance protocol.list).  To do
        so, specify the file name instead of the <protocol list> on the command line.  e.g.  ntop -p protocol.list

        If the -p parameter is omitted the following default value is used:

          FTP=ftp|ftp-data
          HTTP=http|www|https|3128     3128 is Squid, the HTTP cache
          DNS=name|domain
          Telnet=telnet|login
          NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
          Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
          DHCP-BOOTP=67-68
          SNMP=snmp|snmp-trap
          NNTP=nntp
          NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
          X11=6000-6010
          SSH=22

          Peer-to-Peer Protocols
          ----------------------
          Gnutella=6346|6347|6348
          Kazaa=1214
          WinMX=6699|7730
          DirectConnect=0      Dummy port as this is a pure P2P protocol
          eDonkey=4661-4665

          Instant Messenger
          -----------------
          Messenger=1863|5000|5001|5190-5193

        NOTE:  To resolve protocol names to port numbers, they must be specified in the system file used to
        list tcp/udp protocols and ports, which is typically /etc/services file.  You will have to match the
        names in that file, exactly.  Missing or unspecified (non-standard) ports must be specified by number,
        such as 3128 in our examples above.

        If you have a file named /etc/protocols, don't get confused by it, as that's the Ethernet protocol
        numbers, which are not what you're looking for.
and

Q. What are the default protocols ntop monitors?
A. (These are the ones ntop monitors if the user does not supply a -p parameter)
   Check addDefaultProtocols() in ntop.c around line 525.
   The current list (December 2004) is

     Protocol   Ports
     --------   -----

     FTP        ftp ftp-data
     HTTP       http www https 3128      /* 3128 is HTTP cache */
     DNS        name domain
     Telnet     telnet login
     NBios-IP   netbios-ns netbios-dgm netbios-ssn
     Mail       pop-2 pop-3 pop3 kpop smtp imap imap2
     DHCP/BOOTP 67-68
     SNMP       snmp snmp-trap
     NNTP       nntp
     NFS/AFS    mount pcnfs bwnfs nfsd nfsd-status 7000-7009
     X11        6000-6010
     SSH        22
     Gnutella   6346 6347 6348
     Morpheus   1214
     WinMX      6699 7730
     DirectConnect
     eDonkey    4661-4665
     BitTorrent 6881-6999 6969
     Messenger  1863 5000 5001 5190-5193

   Note that the names come from /etc/services (or your system's equivalent).
   If you add protocols to /etc/services, you can refer to them by name on the
   -p parameter.

   REMEMBER: You must define the list using the format illustrated in the ntop
   man page.  Don't try to read /etc/services.  It will fail.

   The list changes over time as P2P protocols appear and disappear.  Check the
   cvs and diff ntop.c (around line 550 in void addDefaultProtocols()) if you
   want the history.


Q. What about protocol XYZZY?
A. The analysis of protocols is very limited and unsophisticated.  But,
   theoretically, if it's there in plain text, we could report on it.
   The more work you can do up front in identifying the protocol (e.g. port #s,
   header structure, etc.), the easier it would be to add.


Note that if you SPECIFY a value for -p, that's ALL ntop uses.  The default
list is loaded ONLY if you do not specify the parameter.

The work to understand layer 3 protocols is coded in C - usually in
protocols.c, sessions.c or sometimes pbuf.c...

-----Burton
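
An added example (not part of the original message and not ntop code) of checking a custom -p list before use: it parses the `<label>=<protocol>[|<protocol>]` format quoted above, flags names missing from a services file, and merges custom entries into the defaults, since a supplied -p value replaces the default list entirely. The function names, the services sample, port 8080 and the shortened default list are assumptions made for illustration.

```python
import re
# Subset of the default list quoted above (the man page text has the full one).
DEFAULTS = ("FTP=ftp|ftp-data,HTTP=http|www|https|3128,DNS=name|domain,"
            "SSH=22,Kazaa=1214,eDonkey=4661-4665")
# Constructed custom entries; 8080 is an illustrative extra port.
CUSTOM = "HTTP=http|www|https|3128|8080,BitTorrent=6881-6999"
# Constructed sample in /etc/services layout: name, port/proto, aliases, comment.
SAMPLE_SERVICES = """\
ftp-data        20/tcp
ftp             21/tcp
domain          53/udp
http            80/tcp          www     # WorldWideWeb HTTP
https           443/tcp
"""
PORT_OR_RANGE = re.compile(r"^\d+(-\d+)?$")

def load_services(text):
    """Collect every service name and alias from services-format text."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.add(fields[0])
            names.update(fields[2:])
    return names

def parse_protocols(spec):
    """Parse '<label>=<proto>[|<proto>][,<label>=...]' into {label: [tokens]}."""
    parsed = {}
    for entry in spec.split(","):
        label, sep, plist = entry.strip().partition("=")
        if not (label and sep and plist):
            raise ValueError(f"malformed entry: {entry!r}")
        parsed[label] = plist.split("|")
    return parsed

def unresolved(spec, services):
    """Tokens that are neither a numeric port/range nor a name in services."""
    bad = {}
    for label, tokens in parse_protocols(spec).items():
        missing = [t for t in tokens
                   if not PORT_OR_RANGE.match(t) and t not in services]
        if missing:
            bad[label] = missing
    return bad

def merged(defaults, custom):
    """Defaults plus custom entries; a custom label replaces the default one."""
    table = parse_protocols(defaults)
    table.update(parse_protocols(custom))
    return ",".join(f"{k}={'|'.join(v)}" for k, v in table.items())
```

The P2P entries pass the check without any services entries because the defaults give them as port numbers; only symbolic names such as `name` depend on the services file.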



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg
Griessel
Sent: Wednesday, July 20, 2005 3:00 AM
To: [email protected]
Cc: [email protected]
Subject: Re: RE: [Ntop] protocols


I appreciate the fact that it reads the local services file, however my
local services file does not contain entries for p2p protocols like edonkey
and kazaa, bittorrent etc.

Where does ntop "identify" these from?


-----Original Message-----
From: [EMAIL PROTECTED]
To: [email protected]
Date: Wed, 20 Jul 2005 17:14:11 +1000
Subject: RE: [Ntop] protocols

Hi - if you have a local services file, NTOP ignores the standard one. 
Answer, include ALL protocols in your 'local' services file.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg
Griessel
Sent: 20 July 2005 4:14 PM
To: [email protected]
Subject: [Ntop] protocols


Hi 

By default ntop detects protocols like edonkey, kazaa, http etc.

If I specify a protocol file in the startup options then these "defaults"
don't seem to be recognised - especially the p2p ones.

Where does ntop "store" these default protocols? Can I modify the "default"
lists (add, remove etc.) or at least list what is "default protocols" so I can
add it to my custom protocol.list file?

Thanks

Greg 

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
