I understand your problem, but not sure how to fix it.  What is the Cisco 
device and what version of IOS?  Maybe it has a bug or something?  Do you have 
any mail filters, proxies, etc. that might be influencing this behavior?

Wait....  This is an internet connection - right?  And you're doing NAT on the 
Cisco?  Looks like netflow is reporting details on the NAT'd address instead
of the private/internal address.  Not sure how to fix this - probably log a 
call with Cisco and see if they have any ideas.

Another option would be to SPAN / Monitor the private connection of the Cisco 
GW and let nTop see the traffic directly instead of using netflow.

Gary


>>> [EMAIL PROTECTED] 3/8/2006 4:09:16 AM >>>
Ehm, no one has an idea how to solve my problem?
I've made a step more, maybe the problem is not on the ntop, or yes?
Debugging the incoming flows and making the same example as described below
I've seen this:

Sending 1MB email from Local to Remote server:
srcIP            dstIP            prot  srcPort  dstPort  octets   packets
My               PublicSmtpServ   6     2356     25       1333803  962

Outgoing is ok, one line, right monitored into ntop.

Trying to receive the email via POP3 contacting from local IP to remote
public Pop3 server:

srcIP            dstIP            prot  srcPort  dstPort  octets   packets
MyLocalIP        PublicPop3Serv   6     2370     110      24698    613
PublicPop3Serv   PublicGWIP       6     110      2370     1342124  935

The PublicGWIP is the Cisco device and sends the net-flow V5 packets too. It
has of course a private IP too (for GW).
The returning traffic is split into two flows. I don't know if it's
normal or if I need to set a different configuration on Cisco device or on
ntop, but in this way MyLocalIP has NOT the right amount of traffic
associated to the pop3 service. I've received a mail with 1342124 octets,
not with 24698, but ntop shows only the 24698 octets traffic. The rest of
the traffic is associated to the GW, also I'm unable to monitor exactly who
makes how much traffic.

Ideas?

Thanks!

Simon

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
> Simone Felici
> Sent: Tuesday, 7 March 2006 11.38
> To: [email protected]
> Subject: [Ntop] Ntop and netflow plugin question
> 
> 
> Hello to all!
> 
> First of all, nice work, it's a great software ;)
> 
> Then, I've a little problem with ntop and netflow plugin.
> This is my configuration:
> 
> Ntop starts with: '/usr/local/bin/ntop -u ntop -d'
> 
> NETFLOW PLUGIN CONFIGURATION
> 
> Virtual NetFlow Interface Network Address: 172.16.0.0/255.248.0.0
>
> In this way I can correctly divide between local network and
> remote network and it works. Local computers are correctly
> shown, remote too. Netflow V5 packets are coming from a Cisco
> Device on 172.18.18.1. This Cisco router is a gateway too and
> so it has a public IP too.
> 
> I switch to right NIC and I can see all my packets coming and 
> collecting.
> 
> My problem is I cannot see the right amount of data coming 
> from remote address to local address. I explain it better 
> with an example:
> 
> TOTAL RESET of counter, so it's clear ;)
> I send from my pc an email (1MB attachment) to my own email 
> address. The mailserver is into remote network, it has a 
> public IP. On ntop I can see the right output on my pc details:
> 
> Smtp ->  1/1.0MB
> 
> It means my pc has sent an email through the gateway to the
> mailserver. The gateway has sent netflow data to ntop server 
> (other server located into local network) and this 
> information is correctly saved. Until here all OK! Now it's 
> time to download the mail! I make a pop3 session to the 
> public server to download my 1MB email and I download it 
> locally, all ok. Then I refresh my page on the ntop server 
> and here the new output:
> 
> Smtp -> 1/1.0MB
> Pop3 -> 1/25K
> 
> The pop3 session is correctly registered, BUT the data 
> transfer is NOT right. I've downloaded a 1MB email, but only 
> some KB are logged. As "Last Client Peer" I can see our right 
> public mail server. I click to see the details about the 
> mailserver. Here under "Last Contacted Peers" I've found my 
> PC, also the pop3 connection is traced, but where is my 1MB 
> traffic? Under "TCP/UDP Service/Port Usage" I've found it, 
> but associated to the wrong host:
> 
> Pop3 -> 1/1.1MB but associated to the gateway!! It means all 
> returning traffic is associated to the public IP of the 
> gateway. I remember the gateway has a private IP for local 
> network and a public IP for nat. In the details of the 
> gateway (on public IP) there is ONLY incoming traffic 100%, 
> no outgoing.
> 
> Also, how can I configure to have the right incoming traffic (R->L)?
> 
> Thanks a lot!
> 
> Simon
> 
> 
> _______________________________________________
> Ntop mailing list
> [email protected] 
> http://listgateway.unipi.it/mailman/listinfo/ntop 
> 
> 
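
The NAT effect discussed in this thread (return flows exported with the gateway's public IP as destination) can be corrected at the collector by pairing each such flow with its outbound counterpart. The sketch below is an added example, not part of the original messages and not ntop code; the addresses are constructed stand-ins for MyLocalIP, PublicPop3Serv and PublicGWIP, and it assumes the NAT keeps the client's source port unchanged, as in the flows shown above (2370 in both directions).

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst proto sport dport octets packets")

LOCAL_NET = ip_network("172.16.0.0/255.248.0.0")  # value from the plugin config in the thread
GW_PUBLIC = "203.0.113.1"                         # constructed stand-in for PublicGWIP

# Constructed sample: the two POP3 flows from the thread with example addresses.
SAMPLE = [
    Flow("172.18.18.50", "198.51.100.10", 6, 2370, 110, 24698, 613),
    Flow("198.51.100.10", GW_PUBLIC, 6, 110, 2370, 1342124, 935),
]

def is_local(ip):
    return ip_address(ip) in LOCAL_NET

def reattribute(flows, gw_public=GW_PUBLIC):
    """Rewrite the destination of return flows addressed to the NAT public IP."""
    # Index outbound flows by (proto, remote IP, remote port, client port).
    outbound = defaultdict(set)
    for f in flows:
        if is_local(f.src) and not is_local(f.dst):
            outbound[(f.proto, f.dst, f.dport, f.sport)].add(f.src)
    fixed = []
    for f in flows:
        if f.dst == gw_public:
            # A return flow has the remote side as source, so swap the ports.
            owners = outbound.get((f.proto, f.src, f.sport, f.dport), set())
            if len(owners) == 1:  # re-attribute only when the owner is unambiguous
                f = f._replace(dst=next(iter(owners)))
        fixed.append(f)
    return fixed

def bytes_received(flows):
    """Total octets per destination host."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.octets
    return dict(totals)

if __name__ == "__main__":
    print("as exported:  ", bytes_received(SAMPLE))
    print("re-attributed:", bytes_received(reattribute(SAMPLE)))
```

Flows to the gateway with no matching outbound flow, or with more than one candidate host, are left attributed to the gateway rather than guessed.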

