I'd say tap placement is the biggest challenge for Ntop (or any packet analyser) implementation. There are a lot of issues. As said, on a Cisco you can mirror an entire VLAN - but if that VLAN spans multiple switches, you'll end up eating up tons of bandwidth on the trunks between switches. And if you mirror a bunch of ports or a VLAN to one port you miss things if the total traffic for all those ports exceeds the bandwidth of that one port. For example, I had a request from my higher-ups (regular readers of this list may recall how well we see eye-to-eye) to mirror all the ports on 5 48-port gig switches to one Snort box recently. Er.......there's a reason we bought 240 gig ports; don't you think there's a chance we have more than 1 gig total traffic flowing across these switches from time to time?
 
My solution is to have multiple Ntop boxes at strategic points on the network - router interfaces, firewall interfaces, etc. I use a mixture of port mirrors and passive taps (http://www.snort.org/docs/tap/). Then look at those individually. Somewhere in the neighborhood of 10, I think - I've lost track. This works out rather well, actually. Yeah, I can't get a single report of EVERYTHING going on in my network, but the ability to pinpoint what is flowing across a particular link is quite useful. I wouldn't have that sort of granularity with a single big implementation. Plus it's worked out well for the budget as each box doesn't have to be particularly strong - I've managed to scrounge most of them from other people's cast-offs.
 
$.02
 
Chris


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss
Sent: Thursday, December 29, 2005 1:47 PM
To: [email protected]
Subject: RE: [Ntop] Packet Capture

Read the article in docs/FAQ on switched networks.  Also read up on the -m | --local-hosts switch.  But off-hand, sounds like you need either to invest in a better switch or re-think your layout.
 
-----Burton
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colombo Alessandro
Sent: Thursday, December 29, 2005 10:20 AM
To: [email protected]
Subject: [Ntop] Packet Capture

Hello,

I’m having problems capturing packets with my Linux box.

The LB runs Fedora Core 4 and it’s connected to the main switch with a network card. It has another network card used to capture packets.

The switch permits configuring port mirrors, but only one at a time: I mean, I can set a port to be mirrored to another, but not 10 ports to be mirrored to the same port.

I’m capturing traffic, but it seems all the traffic is generated by the LB except some RARP packets.

Moreover, some traffic isn’t detected at all (ex. MSN).

Any advice?

Thank you.

 

Alessandro
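Added illustration, not code from this thread or from ntop itself: the symptom Alessandro describes (a capture NIC that sees only frames the box sent or received plus broadcast ARP/RARP) is exactly what a mirror or tap that is not delivering looks like, and it is worth confirming with a quick capture before blaming ntop or the -m option. The script below assumes the link-level line format printed by `tcpdump -e -n` (timestamp, source MAC, destination MAC, ethertype, length) and classifies each frame as sent by the box, addressed to the box, broadcast/multicast, or foreign unicast. Foreign unicast is the only class a mirror can add; zero of it means the mirror is not working (or the NIC is not in promiscuous mode). The MAC addresses and sample capture lines are constructed for the example.

```python
"""Sanity-check a mirror/tap capture using `tcpdump -e -n -i <capture-nic>` output.

Usage on a real box (assumed workflow, adapt interface name and MACs):
    tcpdump -e -n -i eth1 -c 2000 > cap.txt
    python3 mirror_check.py  # after pasting cap.txt into check_mirror()
"""
import re
from collections import Counter

# Link-level header as printed by `tcpdump -e -n`:
#   HH:MM:SS.ffffff SRC_MAC > DST_MAC, ethertype NAME (0xNNNN), length N: ...
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>[^(]+?) \(0x[0-9a-f]{4}\), length (?P<len>\d+):",
    re.IGNORECASE,
)

# Constructed: MACs of both NICs on the capturing Linux box (management + capture).
LOCAL_MACS = {"00:0c:29:aa:bb:cc", "00:0c:29:aa:bb:dd"}

# Constructed sample: what a non-delivering mirror looks like. Only the box's own
# ping exchange, its own ARP request, and a RARP broadcast from some other host.
SAMPLE_NO_MIRROR = """\
10:20:01.000123 00:0c:29:aa:bb:cc > 00:1b:21:11:22:33, ethertype IPv4 (0x0800), length 98: 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
10:20:01.000456 00:1b:21:11:22:33 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
10:20:02.100000 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.5, length 28
10:20:03.000000 00:50:56:01:02:03 > ff:ff:ff:ff:ff:ff, ethertype Reverse ARP (0x8035), length 60: Reverse Request who-is 00:50:56:01:02:03 tell 00:50:56:01:02:03, length 46
"""

# Constructed sample: same capture plus one frame between two third-party hosts,
# which can only have reached this NIC through a working mirror or tap.
SAMPLE_WITH_MIRROR = SAMPLE_NO_MIRROR + (
    "10:20:04.000000 00:50:56:01:02:03 > 00:1b:21:11:22:33, ethertype IPv4 (0x0800), "
    "length 1514: 10.0.0.20.49152 > 10.0.0.1.80: Flags [.], seq 1:1461, ack 1, win 65535, length 1460\n"
)


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def check_mirror(capture_text, local_macs):
    """Classify every parsed frame and return (counts, verdict).

    verdict is "ok" when at least one foreign unicast frame was seen,
    "no-mirror" when frames were seen but none were foreign unicast,
    and "empty" when nothing parsed at all.
    """
    local = {m.lower() for m in local_macs}
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        src, dst = m["src"].lower(), m["dst"].lower()
        if src in local:
            counts["from_local"] += 1
        elif dst in local:
            counts["to_local"] += 1
        elif is_group_address(dst):
            counts["broadcast_or_multicast"] += 1
        else:
            # Unicast between two other hosts: a mirror/tap is delivering.
            counts["foreign_unicast"] += 1

    seen = sum(v for k, v in counts.items() if k != "unparsed")
    if counts["foreign_unicast"] > 0:
        verdict = "ok"
    elif seen > 0:
        verdict = "no-mirror"
    else:
        verdict = "empty"
    return counts, verdict


if __name__ == "__main__":
    for name, text in (("no mirror", SAMPLE_NO_MIRROR), ("with mirror", SAMPLE_WITH_MIRROR)):
        counts, verdict = check_mirror(text, LOCAL_MACS)
        print(f"{name}: {dict(counts)} -> {verdict}")
```

A "no-mirror" verdict has two usual causes: the switch is not sending the mirrored ports to the capture port (on a one-source-per-session switch, check which single port the session actually points at), or the capture NIC is not in promiscuous mode so the kernel discards frames not addressed to it (libpcap-based tools such as ntop and tcpdump normally request promiscuous mode themselves, but `ip link show eth1` will confirm the PROMISC flag). Note that the script only says whether the mirror delivers anything; it cannot tell you what the mirror port is dropping when the aggregate of the mirrored ports exceeds the destination port's bandwidth, which is the oversubscription problem Chris describes.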

 

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
