Rafael,
First, your English is fine. Pretty good for a guy out of practice, I’d say.
Second, make sure you’re running version 3.2+ just to “get off on the right foot.”
In your Ntop interface, under the “About” menu you’ll find the man pages, FAQ, where to get help (here) etc.
The answer to your question is the “sticky hosts” option, but that may or may not help you. With this option off (default) Ntop behaves as you’ve seen, purging hosts after a period of time of not seeing them. This, as it turns out, is actually a good thing in most cases. If you are looking at an Internet link, you’ll end up with thousands and thousands of hosts (if not millions when looking at a University’s Internet link!). This will eat a ton of memory and disk space and give you giant lists to search through.
What I do when using Ntop for functionality like this is to go through it periodically during busy periods, just casually scanning for “weird” stuff. Not very efficient, but the alternative is a proxy server or some sort of software that will work with your firewall to log this stuff (we’re playing with WebSense – a $$$$ commercial product).
Regards,
Chris
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rafael Barbosa
Sent: Monday, May 22, 2006 2:28 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] Newbie questions
Hello there,
I just installed ntop in the laboratory at my university. I searched a lot
looking for a manual or something like it that could help me at the beginning.
Everything I found was very superficial, outdated or both. hehe
I'd like to know if there is any documentation (a paper, a how-to, anything)
that could help me with the basics about how ntop works. Everything seems very
simple after ntop is running, it collects lots of data and shows many
spreadsheets and graphs. But I'd like to know how it works, and I do have some
doubts.
One thing I want to do, and I don't know if it's possible, is to use the
information that ntop gathers to figure out which web-sites the people here at
the lab are accessing (and then maybe block some of them). For that I redirect
the port of our gateway to the machine that's running ntop. Then I saw the
statistics at IP Summary -> Traffic, to see the hosts (in this case, servers)
that were accessed using http. Everything was fine until I realized that one of
the hosts vanished. It seems that ntop only shows a list of a few last (maybe in
the last hour, or something) accessed hosts, is that correct? If so, is there
any way that I can have this information using ntop? Maybe a log...
If there are many English mistakes, I'm really sorry, I'm Brazilian and I
don't practice that much...
Thanks for the attention,
Rafael Barbosa