You don't mention whether you're using NetFlow. If so, there's a check box on
the config page that says "assume ftp for > 1024". FTP can use any port >
1024, so I'm not sure how you'd "properly" track that unless ALL FTP servers
ever used could be configured to use a specific range of ports, similar
to what you can do with some RPC apps such as Outlook/Exchange. Even
so, that still doesn't guarantee other apps won't use those ports.

Without NetFlow, ntop must see ALL traffic so it can snoop the control
session and see what high ports are negotiated for the data channel.
With a hub this is easy; with a switch you may miss some of this,
depending on where ntop is "tapped" into the network and how the switch
is configured to mirror the traffic to the ntop box. If you have ntop
running on a box acting as a bridge, I guess that should also work.

Sniff your "ftp" traffic using tcpdump, snoop, ethereal, or whatever
tool your *nix distro comes with. You should be able to see whether it's
legit FTP or not. Remember to capture to/from the host(s) in question,
as the ports are dynamic and you need to follow the flow based on ACK
numbers - better tools do this for you - I think ethereal does too.

HTH

Gary

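Gary's point about snooping the control session, as an added example that is not code from the post or from ntop: the Python below parses the PORT, PASV and EPSV exchanges of a constructed FTP control session, collects the data-channel endpoints the two sides negotiate, and tags later flows as ftp-data only when one of their endpoints was actually negotiated. The addresses, the session transcript and the sample flows are all constructed; the fourth flow is there to show that a connection on a similar high port that was never negotiated stays unclassified instead of being assumed to be FTP.

```python
import re

# Constructed sample: an FTP control session (TCP port 21) as a sniffer would
# reassemble it. "C:" lines are client->server, "S:" lines server->client.
# The client is 192.168.1.10, the server 10.0.0.5 (both assumed addresses).
SAMPLE_CONTROL_SESSION = [
    "S: 220 ftp.example.test ready",
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@",
    "S: 230 Login successful.",
    "C: PORT 192,168,1,10,200,45",   # active mode: client listens on 192.168.1.10:51245
    "S: 200 PORT command successful.",
    "C: RETR file1.bin",
    "S: 150 Opening BINARY mode data connection.",
    "S: 226 Transfer complete.",
    "C: PASV",
    "S: 227 Entering Passive Mode (10,0,0,5,85,226).",   # passive: server listens on 10.0.0.5:21986
    "C: RETR file2.bin",
    "S: 150 Opening BINARY mode data connection.",
    "S: 226 Transfer complete.",
    "C: EPSV",
    "S: 229 Entering Extended Passive Mode (|||22010|)",  # passive (RFC 2428): server port 22010
    "C: QUIT",
]

# Constructed sample flows seen later on the wire: (src, sport, dst, dport).
SAMPLE_FLOWS = [
    ("10.0.0.5", 20, "192.168.1.10", 51245),        # server connects back for the active transfer
    ("192.168.1.10", 40001, "10.0.0.5", 21986),     # client connects to the PASV port
    ("192.168.1.10", 40002, "10.0.0.5", 22010),     # client connects to the EPSV port
    ("192.168.1.10", 4662, "203.0.113.7", 22015),   # unrelated peer-to-peer connection on a similar high port
]

PORT_RE = re.compile(r"PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"229\b.*?\(\|\|\|(\d+)\|\)")


def _endpoint(parts):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if any field is out of range."""
    octets = [int(x) for x in parts[:4]]
    p1, p2 = int(parts[4]), int(parts[5])
    port = p1 * 256 + p2
    if max(octets) > 255 or p1 > 255 or p2 > 255 or port == 0:
        return None
    return ".".join(map(str, octets)), port


def negotiated_data_endpoints(session_lines, server_ip):
    """Walk the control channel and return every (ip, port, mode) the two sides
    agreed to use for a data connection. Only these should be tagged ftp-data."""
    endpoints = []
    for line in session_lines:
        direction, _, text = line.partition(": ")
        if direction == "C":
            m = PORT_RE.match(text)
            if m and (ep := _endpoint(m.groups())):
                endpoints.append((ep[0], ep[1], "active"))
        elif direction == "S":
            m = PASV_RE.match(text)
            if m and (ep := _endpoint(m.groups())):
                endpoints.append((ep[0], ep[1], "passive"))
            m = EPSV_RE.match(text)
            if m and 0 < int(m.group(1)) <= 65535:
                endpoints.append((server_ip, int(m.group(1)), "passive"))
    return endpoints


def classify_flows(flows, endpoints):
    """Tag a flow ftp-data only if one of its endpoints was negotiated on the
    control channel; everything else stays 'unknown' rather than being guessed
    from its port number."""
    listening = {(ip, port) for ip, port, _ in endpoints}
    tags = {}
    for src, sport, dst, dport in flows:
        hit = (dst, dport) in listening or (src, sport) in listening
        tags[(src, sport, dst, dport)] = "ftp-data" if hit else "unknown"
    return tags


if __name__ == "__main__":
    eps = negotiated_data_endpoints(SAMPLE_CONTROL_SESSION, "10.0.0.5")
    for ep in eps:
        print("negotiated:", ep)
    for flow, tag in classify_flows(SAMPLE_FLOWS, eps).items():
        print(tag, flow)
```

To feed it real data, capture to/from the host in question first, for example tcpdump -i eth0 -w laptop.pcap host <laptop-ip> (interface name assumed), then reconstruct the port-21 stream with a tool that follows TCP streams and paste the lines in the C:/S: form used above. If the capture point does not see the control channel (the switch-mirroring problem Gary describes), the negotiated list stays empty and every data flow correctly comes back as unknown rather than silently as FTP.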
________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Vaughan Wickham
Sent: Monday, April 09, 2007 1:15 AM
To: [email protected]
Subject: [Ntop] Traffic classification - Emule seems to be classified as FTP

Hello list,

I am new to ntop and have recently installed ntop-3.2 on Debian 3.1 r5 i3.
I tried to install ntop-3.3rc1 but ran into errors with rrdtool that I
notice a few others on the list are having as well, so I decided to try
3.2 in the meantime and await developments.

Fortunately ntop-3.2 installed fine and I have been testing it on my home
network. I have to say that I am really impressed with the web reporting -
it's excellent.

I have one minor issue with the reporting, and that is that if I run
Emule locally on my laptop (a different host from ntop), the Emule traffic
appears to be classified as FTP by ntop rather than eDonkey. I am using
a custom protocol.list which I call with "-p" (note: I have included
line breaks in the protocol.list to make it easier to read; the real
protocol.list has no line breaks):

FTP=ftp|ftp-data|2111|2101|22000-22049|21000-21049,
PROXY=3128|8080,
HTTP=http|www|https,
DNS=name|domain,
Telnet=telnet|login,
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,
Mail=pop-2|pop-3|kpop|smtp|imap|imap2,
SNMP=snmp|snmp-trap,
NEWS=nntp,
DHCP-BOOTP=67-68, 
NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,
X11=6000-6010,
SSH=ssh,
Gnutella=6346|6347|6348,
Kazaa=1214,
eDonkey=4661-4665|4672|6346|6347,
Messenger=1863|5000|5001|5190-5193,
VNC=5900-5902|5631|5632,
ntop=3000,
RDP=3388-3389


I believe ntop is classifying the Emule traffic as FTP because no
eDonkey traffic is being reported by ntop and the amount of traffic
being reported as FTP correlates with the Emule downloads. 

I have read some past threads that have commented on the difficulty of
classifying P2P traffic, particularly when ports above 1024 are being
used; however, I thought that in this instance, because I knew which ports
were being used by Emule and updated the protocol.list accordingly, ntop
should have been able to recognise the Emule traffic.

Also, I have tried to figure out a way to "dig down" into the reported FTP
traffic for the laptop to see whether it is the Emule traffic or whether there
is something happening with my laptop that I don't know about, but I have not
worked out how to do this.

Would appreciate advice on how to troubleshoot.

Thanks

Vaughan
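As an added example (not code from the post or from ntop), here is a small Python model of the kind of port-based classification a protocol.list drives, loaded with Vaughan's list exactly as posted. It resolves service names from a constructed table, applies a first-match-in-file-order rule (an assumption about matching order; the page does not describe how ntop orders its lookups), and reports ports that two labels both claim. The constructed flows show one way the reported symptom could arise under that model: a connection from 4662 whose remote port happens to fall inside one of the FTP ranges (21000-21049, 22000-22049) is labelled FTP before the eDonkey rule is ever reached, and 6346/6347 are listed under both Gnutella and eDonkey, so only the first of those two labels can ever win.

```python
import re

# Vaughan's protocol.list from the post, written as the single comma-separated
# line ntop -p actually reads (the line breaks in the post were for readability).
PROTOCOL_LIST = (
    "FTP=ftp|ftp-data|2111|2101|22000-22049|21000-21049,"
    "PROXY=3128|8080,"
    "HTTP=http|www|https,"
    "DNS=name|domain,"
    "Telnet=telnet|login,"
    "NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,"
    "Mail=pop-2|pop-3|kpop|smtp|imap|imap2,"
    "SNMP=snmp|snmp-trap,"
    "NEWS=nntp,"
    "DHCP-BOOTP=67-68,"
    "NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,"
    "X11=6000-6010,"
    "SSH=ssh,"
    "Gnutella=6346|6347|6348,"
    "Kazaa=1214,"
    "eDonkey=4661-4665|4672|6346|6347,"
    "Messenger=1863|5000|5001|5190-5193,"
    "VNC=5900-5902|5631|5632,"
    "ntop=3000,"
    "RDP=3388-3389"
)

# Service names are normally resolved through /etc/services; this constructed
# table (standard assignments) keeps the example self-contained. Names that are
# deliberately left out (mount, pcnfs, bwnfs, nfsd-status) show how an
# unresolvable name is reported instead of silently dropped.
SERVICE_PORTS = {
    "ftp": 21, "ftp-data": 20, "http": 80, "www": 80, "https": 443,
    "name": 42, "domain": 53, "telnet": 23, "login": 513,
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
    "pop-2": 109, "pop-3": 110, "kpop": 1109, "smtp": 25, "imap": 143, "imap2": 143,
    "snmp": 161, "snmp-trap": 162, "nntp": 119, "nfs": 2049, "ssh": 22,
}


def parse_protocol_list(spec, services):
    """Return (rules, unresolved): rules is [(label, lo, hi), ...] in file order,
    unresolved is [(label, token), ...] for names not in the service table or
    ranges that are malformed."""
    rules, unresolved = [], []
    for entry in spec.split(","):
        label, _, ports = entry.strip().partition("=")
        if not label:
            continue
        for tok in ports.split("|"):
            tok = tok.strip()
            if re.fullmatch(r"\d+-\d+", tok):
                lo, hi = map(int, tok.split("-"))
            elif tok.isdigit():
                lo = hi = int(tok)
            elif tok in services:
                lo = hi = services[tok]
            else:
                unresolved.append((label, tok))
                continue
            if lo > hi or hi > 65535:
                unresolved.append((label, tok))
                continue
            rules.append((label, lo, hi))
    return rules, unresolved


def classify(rules, sport, dport):
    """Port-based classification: the first rule in file order whose range contains
    either port wins, otherwise 'Other'. This models a plain port lookup and is an
    assumption; ntop's own matching order is not described on the page."""
    for label, lo, hi in rules:
        if lo <= sport <= hi or lo <= dport <= hi:
            return label
    return "Other"


def overlapping_ports(rules):
    """Ports claimed by more than one label. Whichever label comes first in the
    file absorbs all of that port's traffic, so these entries are worth removing."""
    owners = {}
    for label, lo, hi in rules:
        for port in range(lo, hi + 1):
            owners.setdefault(port, [])
            if label not in owners[port]:
                owners[port].append(label)
    return {p: labels for p, labels in owners.items() if len(labels) > 1}


if __name__ == "__main__":
    rules, unresolved = parse_protocol_list(PROTOCOL_LIST, SERVICE_PORTS)
    print("unresolved service names:", unresolved)
    print("ports listed under more than one label:", overlapping_ports(rules))
    # Constructed flows (sport, dport) from the laptop's point of view.
    for sport, dport in [(4662, 38211), (4662, 21005), (51234, 6346), (51234, 45000)]:
        print(sport, "->", dport, "=", classify(rules, sport, dport))
```

The practical check this suggests is to pull the actual remote ports of the laptop's "FTP" flows out of a capture and see whether they land in 21000-21049 or 22000-22049; if they do, those two ranges are catching traffic that only shares a port range with the FTP servers they were added for.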


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
