If you check the article in docs/FAQ, you will see that ntop uses the lower port # of the packet for classification.
Remember, part of the tcp/ip protocol involves a random port # - say you connect to x.y.com on port 80 - the return path uses a random port #. This works great when one of the port #s (the lower #) is obvious. But many protocols use two random port #s or have a high # as their 'well known #', and so ntop CAN be confused.

In some cases we do a deeper analysis on the packets (e.g. ftp), but not all.

Port #s are just #s. You CAN use a port for anything, as long as the two sides (sender and receiver) agree. That can lead to unexpected classification. Some protocols do this deliberately, i.e. AOL uses a variety of port #s if the default, 5190, is blocked for any reason. And so on. This is usually a small amount of traffic.

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vivek Kedia
Sent: Wednesday, January 04, 2006 10:45 PM
To: [email protected]
Subject: Re: [Ntop] Why edonkey and Kazaa Traffic is coming

Hi All,

I am using NTOP to monitor around 50 PCs in my office, and some of the days I see edonkey and Kazaa traffic on a few of the workstations even though they don't have any file sharing software installed on them. What can be the reason that ntop is seeing some of the data trf. as being from kazaa / edonkey? Can it be a virus / ntop misreading the data transfer? Since the workstations keep on changing, I don't think that it's a virus, maybe ntop?

regards
vivek

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
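Added example, not part of the original thread and not ntop's code: a simplified model of the lower-port rule described in the reply, run over constructed flows, showing how a random client port can produce a Kazaa or eDonkey label and how a real service on a high port can be missed. The port table (commonly cited defaults plus the 5190 mentioned above), the addresses and the `review` helper are assumptions for illustration.

```python
from collections import Counter

# Hypothetical port table for illustration; not ntop's own protocol list.
PORT_TABLE = {80: "HTTP", 1214: "Kazaa", 4662: "eDonkey", 5190: "AIM"}
HIGH_PORT_FLOOR = 1024  # ports at or above this can be OS-chosen client ports

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    ("10.0.0.21", 3312, "192.0.2.10", 80),    # ordinary web request
    ("10.0.0.21", 1214, "10.0.0.5", 8080),    # proxy request, client port happens to be 1214
    ("10.0.0.34", 4662, "10.0.0.5", 8080),    # proxy request, client port happens to be 4662
    ("10.0.0.34", 2950, "192.0.2.77", 5190),  # service on 5190, but the client port is lower
]


def classify(sport, dport):
    """Label a flow by its lower port only (simplified model of the rule)."""
    return PORT_TABLE.get(min(sport, dport), "Other")


def review(flows):
    """Return (labels, ambiguous): per-label counts, plus the labelled flows
    where both ports are high, so the match may be a random client port."""
    labels, ambiguous = Counter(), []
    for src, sport, dst, dport in flows:
        label = classify(sport, dport)
        labels[label] += 1
        if label != "Other" and min(sport, dport) >= HIGH_PORT_FLOOR:
            ambiguous.append((src, sport, dst, dport, label))
    return labels, ambiguous


if __name__ == "__main__":
    labels, ambiguous = review(FLOWS)
    print(dict(labels))
    for row in ambiguous:
        print("check by hand:", row)
```

Flows in the ambiguous list are the ones worth confirming with a packet capture or host inspection before treating the label as evidence of file-sharing software.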
