Hi Vaughan,
The problem is that ntop would have to have seen the connection between
two hosts being established for it to determine which port should be
used for classification (e.g. the original destination port).
I think this has been raised before, but I can't recall where it got to.
There's also the issue of protocols that don't use fixed ports, e.g.
Microsoft Exchange, so unless you write a protocol decoder/handler,
you'll never be 100% accurate (and this isn't an option if you're using
[s|net]flow feeds).
I think you've also misinterpreted what Burton said. Ntop does use
your protocols.list file, it's just that when one of the ports is <
1024, it must be the port that defines the protocol, since outbound
connections are on ports >1024.
Hope that helps.
Later'ish
Craig
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Vaughan Wickham
Sent: Thursday, June 21, 2007 3:45 PM
To: [email protected]; [EMAIL PROTECTED]
Subject: Re: [Ntop] 85% of Other Tcp/Udp traffic - is there a way to tell ntop how to decode it?
Hi Burton,
On 6/18/07, Burton Strauss III <[EMAIL PROTECTED]> wrote:
There is one other trap here - ntop uses the lower-numbered
port to figure out traffic. This works ok for protocols which use
reserved ports, such as 389 for ldap, since the tcp/ip session is from
389 <-> >1024.
Once you get into protocols which use high numbered
ports, this will misclassify.
I have long wondered why updating protocol.list would not always
classify traffic correctly, finally an explanation.
Do you think it would be simple to change ntop so that it used
protocol.list for the classification of all traffic regardless of
whether the port is < 1024 or not?
Or if there are some potential implications to that change,
might it be possible to add a switch so that optionally ntop could
classify all traffic based on the contents of protocol.list rather than
just traffic with ports < 1024?
Vaughan
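The classification behaviour that Burton and Craig describe (the lower-numbered port of a flow is looked up in the protocol table, with a port below 1024 taken as the service side) and the alternative Vaughan asks for (consult the table for either port) can be modelled to show exactly when the lower-port rule misclassifies. The following is an added example and is not ntop's code, nor code posted by anyone in this thread; the protocol table, the flow records and the two classifier functions are constructed for illustration, and the table format is an assumption rather than ntop's real protocol.list syntax.

```python
"""Model of the port-based classification heuristic discussed in the thread.

Assumption: this reproduces the rule as the thread describes it (lowest
port wins), not ntop's actual implementation. Table and flows are made up.
"""

# Assumed protocol table in the spirit of protocol.list: name -> ports.
PROTOCOLS = {
    "LDAP": {389},
    "HTTP": {80, 8080},
    "MS-RPC-EPM": {135},   # Exchange endpoint mapper; data ports are dynamic
    "MyApp": {5000},       # hypothetical application listening on a high port
}

PORT_TO_PROTO = {p: name for name, ports in PROTOCOLS.items() for p in ports}
OTHER = "Other TCP/UDP"


def classify_lowest_port(src_port, dst_port):
    """Heuristic as described in the thread: the lower-numbered port of the
    flow is assumed to be the service port and is looked up in the table."""
    return PORT_TO_PROTO.get(min(src_port, dst_port), OTHER)


def classify_any_port(src_port, dst_port):
    """Vaughan's proposal: look up either port, regardless of whether it is
    below 1024. If both ports are listed, prefer the lower one."""
    listed = [p for p in (src_port, dst_port) if p in PORT_TO_PROTO]
    return PORT_TO_PROTO[min(listed)] if listed else OTHER


# Constructed flow records as (src_port, dst_port). With flow feeds the
# connection setup was never seen, so direction cannot be trusted.
FLOWS = [
    (52431, 389),    # client -> LDAP: lower port is the service port
    (389, 52431),    # LDAP -> client: same flow seen in reverse
    (34567, 5000),   # client -> MyApp, ephemeral port happens to be higher
    (3456, 5000),    # client -> MyApp, ephemeral port happens to be lower
    (1025, 8080),    # old Windows ephemeral range starts at 1025
    (135, 49500),    # Exchange endpoint mapper: fixed port, classified fine
    (49500, 61234),  # Exchange dynamic RPC port: no fixed port to match
]


def compare(flows=FLOWS):
    """Return (flow, lowest-port result, any-port result) for each flow, so
    the two rules can be compared side by side."""
    return [(f, classify_lowest_port(*f), classify_any_port(*f)) for f in flows]


def misclassified_by_lowest_port(flows=FLOWS):
    """Flows where the any-port lookup finds a protocol but the lower-port
    rule reports 'Other TCP/UDP'."""
    return [f for f, low, anyp in compare(flows) if low == OTHER and anyp != OTHER]


if __name__ == "__main__":
    for flow, low, anyp in compare():
        print(f"{flow!s:16} lowest-port={low:12} any-port={anyp}")
```

Running it shows that the lower-port rule handles the LDAP flows in either direction, but drops (3456, 5000) and (1025, 8080) into "Other TCP/UDP" because the client's ephemeral port is numerically lower than the service port. Looking up either port fixes those, but it is not free of false positives either: an ephemeral port that happens to coincide with a listed high port will be tagged as that protocol, and a dynamically assigned port such as the Exchange RPC flow stays unclassified under both rules, which is Craig's point that only a protocol decoder gets you the rest of the way.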
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop