RE: [Ntop] Name resolution

[Gary Gatten]

>From the FAQ: (Sorry for alignment issues)

Q.  How do I see fully qualified names for all my hosts? Some are
netbios names!

A.  ntop doesn't SEND NetBIOS queries, it sniffs them off the traffic
already on the network.

There is only ONE case where ntop uses the NetBIOS names, which is if it
can't resolve them via DNS (both it's own queries and from sniffing
responses to other's queries off the network).

So, if you have a properly functioning DNS, you'll see DNS names. If
these are (for example) internal names, unknown to the DNS server,
you'll see NetBIOS names if they are available. Lastly, you'll get IP
addresses...

If you do have a DNS, and the name is resolved as part of the default
domain, you won't see a fully qualified name back from the DNS, so ntop
won't have that information.

So, on a real network you'll often get a mix of name resolution types:

    Host                           IP Address    MAC Address
Other Name(s)
    netnews.attbi.com               63.240.76.16
    tigger.homeportal.2wire.net     192.168.0.xx   00:D0:09:xx:xx:xx
    homeportal.homeportal.2wire.net 192.168.0.1    00:D0:9E:xx:xx:xx
    swallowtail                     192.168.0.XX   00:A0:CC:xx:xx:xx
SWTL DMN]
    12-xxx-xxx-xxx.client.attbi.com 12.xxx.xxx.xxx 00:D0:9E:xx:xx:xx

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Gary Gatten
Sent: Wednesday, October 03, 2007 10:27 AM
To: ntop@unipi.it
Subject: RE: [Ntop] Name resolution

The switches you have below have nothing to do with name resolution.  I
also don't think it will use netbios broadcasts, WINS, etc.  Could be
wrong, but don't think so.

Your name res in *nix is typically controlled by /etc/resolv.conf -
CentOs may be different.

nTop will use DNS lookups, DNS "snooping" (analyze DNS queries from
others), and I think (THINK) it will look further into certain protocols
and look at urls and stuff.  I've seen some public IP's resolve to a
name and that name is not in any DNS.

There is a doc somewhere - I'll see if I can find it again.

Gary


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Doug Carter
Sent: Wednesday, October 03, 2007 9:35 AM
To: NTOP Mailing List
Subject: [Ntop] Name resolution


Hi all,

I've spent hours looking through the docs, FAQ and mailing list
archives,
and I still don't completely understand name resolution.

I'm running ntop 3.3 on CentOS 4.5. I have a 192.168.0.0/22 network,
with a mix of Windows PCs and Linux servers. I've tried running ntop
with and without these parameters, which doesn't have any effect:

  --no-mac
  --local-subnets 192.168.0.0/22

I've got a few Windows PCs in DNS, but they are not consistently named:

pc1
pc2.domain.com
pc3

For those PCs that are not in DNS, I see some entries like:

pc22 [NetBIOS]

But others are listed only by IP address:

192.168.0.22
192.168.0.45
192.168.0.104

I thought I understood that ntop will try to resolve IP addresses with
DNS first, then use netbios. For those PCs that show an IP address only,
I can resolve it with nbtstat on a Windows box, so I know the name is
available. Is there any way to config ntop to use specific dns/netbios
servers?

Can anyone help me with this? And/or point me to some docs that can
explain how to create a consistent configuration?

TIA,

Doug

_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

========================================================================
===





"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."

_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop

===========================================================================





"This email is intended to be reviewed by only the intended recipient
 and may contain information that is privileged and/or confidential.
 If you are not the intended recipient, you are hereby notified that
 any review, use, dissemination, disclosure or copying of this email
 and its attachments, if any, is strictly prohibited.  If you have
 received this email in error, please immediately notify the sender by
 return email and delete this email from your system."

_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop