Hi Gary,

You don't mention if you're using netflow?

No, I am not using netflow. I have ntop connected via a hub (not a switch); the
gateway is also connected to the hub so that ntop can see all the traffic
going in/out of the network.



Without netflow ntop must see ALL traffic so it can snoop the control
session and see what high ports are negotiated for the data channel.  With a
hub this is easy, with a switch you may miss some of this depending on where
ntop is "tapped" into the network and how the switch is configured to mirror
the traffic to the ntop box.  If you have ntop running on a box acting as a
bridge I guess that should also work.

I agree that ntop should see all the traffic, and since I know what ports
Emule is using on my laptop and I have configured those ports in
protocol.list, what reason could there be for ntop not reporting any eDonkey
traffic?



Sniff your "ftp" traffic using tcpdump, snoop, ethereal, or whatever tool
your *nix distro comes with.  You should be able to see if it's legit ftp or
not.  Remember to capture to/from the host(s) in question as the ports are
dynamic and you need to follow the flow based on ack numbers – better tools
do this for you – I think ethereal does too.

I don't see how sniffing can work in this instance. I guess it could if the
issue is on-going; then I could sniff traffic in the future to try and
understand whether there is FTP traffic on the network or not. But in this
case I want to understand the historical data that ntop has already
reported, and to do that I need to review the detail behind the ntop FTP stats.

I have an advantage here: I'm running ntop on my home network where there is
(relatively speaking) very little traffic, so I already understand what
traffic is on the network, and I'm watching ntop to see if what it reports
is correct. I know there is Emule traffic (which was not reported) and I
know that there wasn't FTP traffic from the laptop for the time period in
question - and as the data volumes match up - it is certain that in this
instance ntop has reported emule traffic as FTP.

Q1. Why did ntop do this?

Q2. If I was using ntop on a larger network, where I didn't have the
knowledge of the traffic flows as I do in this instance, how can I obtain
lower-level detail about the traffic stats reported by ntop for a particular
traffic type?


VW
_______________________________________________
Ntop mailing list
http://listgateway.unipi.it/mailman/listinfo/ntop
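The control-channel snooping Gary describes above, as an added example written for this thread (it is not ntop's code and does not reproduce ntop's classifier): negotiated data ports are learned from PASV/PORT exchanges, and a flow is only labelled ftp-data when that negotiation was actually seen. The FTP lines, flows and static port table are constructed.

```python
import re

# Constructed FTP control-channel lines: (src_ip, dst_ip, text). Not a real capture.
CONTROL_LINES = [
    ("192.168.1.20", "10.0.0.5", "PASV"),
    ("10.0.0.5", "192.168.1.20", "227 Entering Passive Mode (10,0,0,5,195,80)"),
    ("192.168.1.20", "10.0.0.5", "PORT 192,168,1,20,16,4"),
]

# Constructed flows: (src_ip, src_port, dst_ip, dst_port)
FLOWS = [
    ("192.168.1.20", 40001, "10.0.0.5", 50000),   # passive-mode data channel
    ("10.0.0.5", 20, "192.168.1.20", 4100),       # active-mode data channel
    ("192.168.1.20", 4662, "85.1.2.3", 4662),     # eMule on its configured port
    ("192.168.1.20", 51234, "85.1.2.3", 33333),   # unrelated high-port flow
]

# Static port table standing in for a protocol.list (assumed values).
STATIC_PORTS = {20: "ftp-data", 21: "ftp", 4662: "edonkey", 4672: "edonkey"}

_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def learn_data_channels(control_lines):
    """Endpoints announced on the control channel (empty if it was never seen)."""
    expected = set()
    for _src, _dst, text in control_lines:
        m = _PASV_RE.search(text) or _PORT_RE.match(text)
        if m:
            expected.add(_decode(m.groups()))
    return expected


def classify(flow, data_channels):
    """Prefer a negotiated data channel, then fall back to the static port table."""
    src, sport, dst, dport = flow
    if (src, sport) in data_channels or (dst, dport) in data_channels:
        return "ftp-data"
    return STATIC_PORTS.get(sport) or STATIC_PORTS.get(dport) or "unknown"


def classify_all(flows, control_lines):
    """Per-flow labels: the lower-level detail behind an aggregate protocol counter."""
    channels = learn_data_channels(control_lines)
    return [classify(f, channels) for f in flows]
```

Running classify_all(FLOWS, CONTROL_LINES) labels the passive-mode flow ftp-data; running it with an empty control list (the switch case, where the control session is not mirrored) leaves that flow unknown while the static-port matches are unchanged.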
