Thanks for your reply. I'll give it a try. Anyway, I don't use Cisco switches. Bye.
Alessandro

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss

Good stuff... the real key is to understand what you want OUT of the data so you can make sure you collect the RIGHT data. For many sites, they simply don't care about interior traffic and a passive port on the external link(s) is enough. If you don't know what you want, then you need to investigate commercial packet capture/logging solutions - they archive all the GB of packets over a period of days or weeks (depends on your budget for storage, naturally). While those will provide you with the historical data and drill down, they come at commercial prices (think 5-6 figures US$).

Also, two other points:

1. Many folks seem to focus on Cisco as if that's the ONLY switches and routers in use. Other companies offer other capabilities, so look in your docs for something called (span - Cisco), mirror, traffic monitor, etc.

2. For 10/100 links the passive taps Chris pointed you to work great. For faster links and for fibre, you will need to purchase commercial units - these run $400 and UP...

-----Burton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Moore

I'd say tap placement is the biggest challenge for Ntop (or any packet analyser) implementation. There are a lot of issues. As said, on a Cisco you can mirror an entire VLAN - but if that VLAN spans multiple switches, you'll end up eating up tons of bandwidth on the trunks between switches. And if you mirror a bunch of ports or a VLAN to one port you miss things if the total traffic for all those ports exceeds the bandwidth of that one port. For example, I had a request from my higher-ups (regular readers of this list may recall how well we see eye-to-eye) to mirror all the ports on 5 48-port gig switches to one Snort box recently. Er.......there's a reason we bought 240 gig ports; don't you think there's a chance we have more than 1 gig total traffic flowing across these switches from time to time?

My solution is to have multiple Ntop boxes at strategic points on the network - router interfaces, firewall interfaces, etc. I use a mixture of port mirrors and passive taps (http://www.snort.org/docs/tap/). Then look at those individually. Somewhere in the neighborhood of 10, I think - I've lost track. This works out rather well, actually. Yeah, I can't get a single report of EVERYTHING going on in my network, but the ability to pinpoint what is flowing across a particular link is quite useful. I wouldn't have that sort of granularity with a single big implementation. Plus it's worked out well for the budget as each box doesn't have to be particularly strong - I've managed to scrounge most of them from other people's cast-offs.

$.02
Chris

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burton Strauss

Read the article in docs/FAQ on switched networks. Also read up on the -m | --local-hosts switch. But off-hand, sounds like you need either to invest in a better switch or re-think your layout.

-----Burton

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colombo Alessandro

Hello, I'm having problems capturing packets with my Linux box. The LB runs Fedora Core 4 and it's connected to the main switch with a network card. It has another network card used to capture packets. The switch lets me configure port mirrors, but only one at a time: I mean, I can set a port to be mirrored to another, but not 10 ports to be mirrored to the same port. I'm capturing traffic, but it seems all the traffic is generated by the LB except some RARP packets. Moreover, some traffic isn't detected at all (ex. MSN). Any advice? Thank you.
Alessandro
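The symptom in Alessandro's message (the capture interface seeing only the box's own frames plus some RARP) is what a mirror that delivers nothing looks like, because broadcast frames such as RARP are flooded to every port of the VLAN whether or not mirroring is configured. As an added example, not code from this thread or from ntop, the following Python check reads a pcap, buckets frames by source MAC into the capture box's own traffic, RARP, and genuinely mirrored traffic from other hosts, and reports whether the mirror or tap is delivering anything at all. The MAC addresses and the two in-memory pcap files are constructed for the demonstration, and `LOCAL_MAC` standing for the capture box's NIC is an assumption.

```python
import struct
from typing import Dict, Iterable, Iterator, Set, Tuple

# EtherType values used by the report (IANA-assigned, well known).
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ETH_RARP = 0x8035

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "<IHHiIII"   # magic, major, minor, tz, sigfigs, snaplen, linktype
RECORD_HEADER = "<IIII"      # ts_sec, ts_usec, incl_len, orig_len


def parse_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) for every record of a little-endian classic pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from(GLOBAL_HEADER, data, 0)
    if magic != PCAP_MAGIC or linktype != PCAP_LINKTYPE_ETHERNET:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    offset = struct.calcsize(GLOBAL_HEADER)
    rec_size = struct.calcsize(RECORD_HEADER)
    while offset + rec_size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(RECORD_HEADER, data, offset)
        offset += rec_size
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def classify(frame: bytes, local_macs: Set[bytes]) -> str:
    """Bucket a frame: 'short', 'rarp', 'local' (sent by the capture box) or 'mirrored'."""
    if len(frame) < 14:
        return "short"
    src = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_RARP:
        return "rarp"          # broadcast; reaches the port whether or not mirroring works
    if src in local_macs:
        return "local"
    return "mirrored"


def mirror_health(data: bytes, local_macs: Set[bytes]) -> Dict[str, object]:
    """Count frames per bucket and decide whether the mirror/tap delivers other hosts' traffic."""
    counts = {"local": 0, "rarp": 0, "mirrored": 0, "short": 0}
    peers: Set[bytes] = set()
    for _ts, frame in parse_pcap(data):
        kind = classify(frame, local_macs)
        counts[kind] += 1
        if kind == "mirrored":
            peers.add(frame[6:12])
    return {**counts, "peer_macs": len(peers), "mirror_ok": counts["mirrored"] > 0}


# --- constructed sample data (not a real capture) -------------------------

def _frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal Ethernet II frame."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_pcap(frames: Iterable[bytes]) -> bytes:
    """Serialise frames into an in-memory classic pcap file."""
    out = struct.pack(GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(RECORD_HEADER, 1_000_000 + i, 0, len(f), len(f)) + f
    return out


LOCAL_MAC = bytes.fromhex("001122334455")   # assumed: the capture box's own NIC
PEER_A = bytes.fromhex("0a0b0c0d0e01")      # constructed: some other host on the switch
PEER_B = bytes.fromhex("0a0b0c0d0e02")      # constructed: another host on the switch
BROADCAST = b"\xff" * 6

# What a capture looks like when the mirror delivers nothing: own frames plus flooded RARP.
BROKEN_CAPTURE = build_pcap([
    _frame(BROADCAST, LOCAL_MAC, ETH_ARP),
    _frame(PEER_A, LOCAL_MAC, ETH_IPV4),
    _frame(BROADCAST, PEER_B, ETH_RARP),
])

# What a working mirror looks like: frames exchanged between other hosts show up too.
WORKING_CAPTURE = build_pcap([
    _frame(PEER_A, LOCAL_MAC, ETH_IPV4),
    _frame(LOCAL_MAC, PEER_A, ETH_IPV4),
    _frame(PEER_B, PEER_A, ETH_IPV4),
    _frame(BROADCAST, PEER_B, ETH_RARP),
])

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("working", WORKING_CAPTURE)):
        print(name, mirror_health(cap, {LOCAL_MAC}))
```

To run it against a real capture, read the file bytes (`open(path, "rb").read()`) and pass the capture NIC's MAC in `local_macs`. A result with `mirrored` at zero and only `local` and `rarp` frames means the switch is not delivering mirrored unicast to that port, which matches the symptom described and points at the mirror configuration rather than at ntop. The parser handles only the classic little-endian pcap format, not pcapng.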
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
