Check the doc about trusting mac addresses - maybe a -m switch? OK, hold on - I'll look it up....

#quote from man page#

-o | --no-mac

ntop is a hybrid layer 2/3 network monitor. That is, it uses both the lower level, physical device address - the MAC (Media Access Control) address - and the higher level, logical, tcp/ip address (the familiar www.ntop.org or 131.114.21.9 address). This allows ntop to link the logical addresses to a physical machine with multiple addresses (This occurs with virtual hosts or additional addresses assigned to the interface, etc.) to present consolidated reporting.

This parameter specifies that ntop should not trust the MAC addresses but just use the IP addresses.

Normally, since the MAC address must be globally unique, the dual nature of ntop is a benefit and provides far better information about the network than is available via a pure layer 2 or pure layer 3 monitor.

Under certain circumstances - whenever ntop is started on an interface where MAC addresses cannot be really trusted - you may require this option. Situations which may require this option include port/VLAN mirror, some cases with switches and spanning tree protocol, and (reportedly) some specific models of Ethernet switches which re-write MAC addresses of the packets they process.

Normally, you discover that this option is necessary when you observe that hosts seem to change their addresses or information about different machines get lumped together.

Note that with this option, information which is dependent upon the MAC addresses (non tcp/ip protocols like IPX) will not be collected nor displayed.

HTH - Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ???*?????
Sent: Wednesday, July 11, 2007 9:37 PM
To: [email protected]
Subject: [Ntop] Problems with seperating local & remote hosts

I am very happy that there is an open-source tool as great as ntop; however, I have some issues with separating local & remote hosts.

I have ntop running between a layer-3 switch that has several network segments coming to it (172.16.1.x, 172.16.2.x, etc.) and a netscreen firewall. When I don't set the "Local Subnet Address", all of the hosts display individually, which is what I want. However, when I specify the Local Subnet as 172.16.0.0/16, all of the local addresses get bundled into one IP address, which is the address of the netscreen firewall.

I believe ntop does this automatically, but seeing all local traffic as one IP address is not very useful, so is there any way to disable this??? I think ntop gets confused because the netscreen forwards packets at layer 2. I think grouping things together like this is by design, but it ruins things for me as I can't get individual host information.

If anyone has encountered this, please let me know how you solved it.

Thanks

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
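
Added example, not part of the original thread and not ntop's own code: a simplified Python model of the effect the man page excerpt describes, where hosts keyed by MAC address collapse into one entry when a forwarding device puts its own MAC on every frame, and keying by IP (the `--no-mac` behaviour) separates them again. The frame records, MAC addresses, byte counts and function names are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: (source MAC, source IP, bytes) as seen on the monitored link.
# The first three frames were forwarded by one layer-3 device, so they share its MAC.
FRAMES = [
    ("00:10:db:aa:bb:cc", "172.16.1.10", 1500),
    ("00:10:db:aa:bb:cc", "172.16.2.20", 900),
    ("00:10:db:aa:bb:cc", "172.16.3.30", 400),
    ("00:0c:29:11:22:33", "172.16.1.40", 700),
]


def host_table(frames, trust_mac=True):
    """Sum bytes per host, keyed by MAC (default) or by IP (the --no-mac case)."""
    table = defaultdict(int)
    for mac, ip, nbytes in frames:
        table[mac if trust_mac else ip] += nbytes
    return dict(table)


def shared_macs(frames, local_net, threshold=2):
    """Return MACs that front `threshold` or more distinct IPs inside local_net.

    A hit means per-host figures keyed on that MAC are being lumped together.
    """
    net = ip_network(local_net)
    ips_by_mac = defaultdict(set)
    for mac, ip, _ in frames:
        if ip_address(ip) in net:
            ips_by_mac[mac].add(ip)
    return {m: sorted(s) for m, s in ips_by_mac.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("keyed by MAC:", host_table(FRAMES))
    print("keyed by IP :", host_table(FRAMES, trust_mac=False))
    print("shared MACs :", shared_macs(FRAMES, "172.16.0.0/16"))
```

A machine with several addresses on one interface also shares a MAC across IPs, which is the consolidation the man page calls a benefit, so a hit from `shared_macs` needs to be checked against what the device actually is.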
