Not sure why ntop is not reporting the traffic correctly.  Overall it
does a pretty good job.  Maybe check the statistics and see if it's
dropping a bunch of packets for some reason?  Make sure the NIC is in
promiscuous mode?

There are debug switches in ntop and various dump options so that the
ntop libpcap dumps everything it sees to a file in addition to reporting
it to the ntop processes.  This file can then be read by a protocol
decoder of your choice.

G

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Vaughan Wickham
Sent: Tuesday, April 10, 2007 5:39 AM
To: [email protected]
Subject: [Ntop] Traffic classification - Emule seems to be classified as
FTP

Hi Gary,


> You don't mention if you're using netflow? 

No, I am not using netflow. I have ntop connected via a hub (not a
switch); the gateway is also connected to the hub so that ntop can see
all the traffic going in/out of the network.

> Without netflow ntop must see ALL traffic so it can snoop the control
> session and see what high ports are negotiated for the data channel.
> With a hub this is easy, with a switch you may miss some of this
> depending on where ntop is "tapped" into the network and how the
> switch is configured to mirror the traffic to the ntop box.  If you
> have ntop running on a box acting as a bridge I guess that should
> also work.

I agree that ntop should see all the traffic, and since I know what
ports Emule is using on my laptop and I have configured those ports in
protocol.list, what reason could there be for ntop not reporting any
eDonkey traffic? 

> Sniff your "ftp" traffic using tcpdump, snoop, ethereal, or whatever
> tool your *nix distro comes with.  You should be able to see if it's
> legit ftp or not.  Remember to capture to/from the host(s) in
> question as the ports are dynamic and you need to follow the flow
> based on ack numbers - better tools do this for you - I think ethereal
> does too.

I don't see how sniffing can work in this instance. I guess it could if
the issue is ongoing; then I could sniff traffic in the future to try
and understand whether there is FTP traffic on the network or not. But
in this case I want to understand the historical data that ntop has
already reported, and to do that I need to review the detail behind the
ntop FTP stats.

I have an advantage here: I'm running ntop on my home network where
there is (relatively speaking) very little traffic, so I already
understand what traffic is on the network, and I'm watching ntop to see
if what it reports is correct. I know there is Emule traffic (which was
not reported) and I know that there wasn't FTP traffic from the laptop
for the time period in question - and as the data volumes match up - it
is certain that in this instance ntop has reported Emule traffic as FTP.


Q1. Why did ntop do this?

Q2. If I was using ntop on a larger network, where I didn't have the
knowledge of the traffic flows as I do in this instance, how can I
obtain lower-level detail about the traffic stats reported by ntop for a
particular traffic type? 

VW

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
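Gary's two suggestions above (sniff the "ftp" traffic and see if it is legit ftp, and dump what libpcap sees to a file for a protocol decoder of your choice) can be turned into a small audit. The following is an added worked example, not part of this thread and not ntop's own code: it groups packet records into bidirectional TCP flows, labels each flow by a port table in the spirit of protocol.list, labels it again from the first payload bytes, and reports flows where the two disagree. It also parses FTP "227 Entering Passive Mode" replies so the negotiated high-port data channel can be followed, which is the "snoop the control session" step Gary describes. The port table and all packet records are constructed for the example (eMule's default TCP port 4662 and the eDonkey protocol bytes 0xE3/0xC5/0xD4 are protocol facts, not captured from this network); it does not claim to explain what ntop did in Vaughan's case.

```python
"""Audit port-based protocol labels against payload evidence.

Added example (not ntop code). Packet records are constructed, not captured.
Each record is (src_ip, src_port, dst_ip, dst_port, tcp_payload_bytes).
"""
import re
from collections import defaultdict

# Port table in the spirit of ntop's protocol.list; values assumed for this
# example. A port-only lookup labels *any* flow touching port 21 as FTP.
PORT_TABLE = {21: "FTP", 4662: "eDonkey", 80: "HTTP"}

# eDonkey/eMule TCP messages begin with a protocol byte:
# 0xE3 eDonkey, 0xC5 eMule extensions, 0xD4 compressed payload.
EDONKEY_MARKERS = {0xE3, 0xC5, 0xD4}

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    # Genuine FTP control session; server announces data port 200*256+10 = 51210
    ("192.0.2.10", 21, "10.0.0.5", 40001, b"220 ftp.example ready\r\n"),
    ("10.0.0.5", 40001, "192.0.2.10", 21, b"USER anonymous\r\n"),
    ("192.0.2.10", 21, "10.0.0.5", 40001,
     b"227 Entering Passive Mode (192,0,2,10,200,10)\r\n"),
    # The FTP data channel on the negotiated high port
    ("192.0.2.10", 51210, "10.0.0.5", 40002, b"-rw-r--r-- 1 ftp ftp 1024 file\r\n"),
    # eMule peer on its default port
    ("10.0.0.5", 40003, "198.51.100.7", 4662, bytes([0xE3, 0x10, 0, 0, 0, 0x01])),
    # eMule peer that happens to listen on TCP 21: ports say FTP, bytes say eDonkey
    ("10.0.0.5", 40004, "203.0.113.9", 21, bytes([0xE3, 0x08, 0, 0, 0, 0x01])),
]


def flow_key(src, sport, dst, dport):
    """Canonical key so both directions of a TCP conversation share one flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def group_flows(packets):
    """Group payloads into flows, preserving capture order within each flow."""
    flows = defaultdict(list)
    for src, sport, dst, dport, payload in packets:
        flows[flow_key(src, sport, dst, dport)].append(payload)
    return flows


def classify_by_port(key, table):
    """Port-only label: the lowest port with a table entry wins."""
    (_, p1), (_, p2) = key
    for port in sorted((p1, p2)):
        if port in table:
            return table[port]
    return "Unknown"


def classify_by_payload(payloads):
    """Label from the first bytes actually exchanged on the flow."""
    data = b"".join(payloads)
    if not data:
        return "Unknown"
    if data[:4] in (b"220 ", b"220-") or data[:5] in (b"USER ", b"PASS "):
        return "FTP"
    if data[0] in EDONKEY_MARKERS:
        return "eDonkey"
    if data[:4] == b"GET " or data[:5] == b"HTTP/":
        return "HTTP"
    return "Unknown"


def learn_ftp_data_ports(payloads):
    """Data ports announced by 227 PASV replies inside an FTP control flow."""
    ports = set()
    for m in PASV_RE.finditer(b"".join(payloads)):
        ports.add(int(m.group(5)) * 256 + int(m.group(6)))
    return ports


def audit(packets, table=PORT_TABLE):
    """Return {flow_key: (port_label, payload_label)} for every flow."""
    flows = group_flows(packets)
    table = dict(table)
    # First pass: follow FTP control sessions so their dynamic data channels
    # are attributed to FTP instead of falling through as Unknown.
    for payloads in flows.values():
        if classify_by_payload(payloads) == "FTP":
            for port in learn_ftp_data_ports(payloads):
                table[port] = "FTP-data"
    return {key: (classify_by_port(key, table), classify_by_payload(payloads))
            for key, payloads in flows.items()}


def mismatches(packets, table=PORT_TABLE):
    """Flows where the port label and the payload label disagree (ignoring Unknown)."""
    return {k: v for k, v in audit(packets, table).items()
            if "Unknown" not in v and v[0] != v[1]}


if __name__ == "__main__":
    for key, (by_port, by_bytes) in audit(SAMPLE).items():
        flag = "  <-- check" if by_port != by_bytes and "Unknown" not in (by_port, by_bytes) else ""
        print(f"{key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]}  "
              f"ports={by_port} bytes={by_bytes}{flag}")
```

Run it against the constructed sample and the last flow is the one worth a second look: the port table calls it FTP, the bytes on the wire are an eDonkey header. On a real capture (tcpdump -w on the ntop host, filtered to the host in question, as Gary advises) the same comparison answers Q2: the flows behind a suspicious per-protocol counter are the ones whose payload label disagrees with the port label.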
