Hello All,
I installed ntop at my job just to detect broadcast storms in my network. I
was satisfied until yesterday, when one computer with some trouble (I didn't locate
it) started to send almost 11.000 pps of ARP Requests (broadcast). I
sniffed with tcpdump to discover the source and tried to find the MAC in
ntop. I didn't find the source IP address, so I went to ntop, clicked on
"All protocols" and then Throughput, and I saw that the biggest user was using
100 pps (I saw it in Packets-Current). So, ntop didn't help me to detect the
anomalous traffic (I know that 100 pps of broadcast is a lot, but it's not the
same as 11.000 pps).
So, I use Debian Etch and run ntop with this line:
/usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --skip-version-check -a
/var/log/ntop/access.log -i eth1.14 -p /etc/ntop/protocol.list -O /var/log/ntop
and this eth1 is a tagged VLAN (14) port without an IP.
I read almost all the documentation on ntop.org, and I saw that ntop does a lot more things
than I could possibly imagine, but I didn't find anything specific about broadcast
storms.
So, what detail did I forget? Any help?
Thanks a lot
Jeronimo
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
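The post's real problem is finding which station is behind the ARP flood when ntop's per-host throughput view only shows an averaged figure. The script below is an added example, written for this page and not taken from the post or from the ntop project: it counts broadcast ARP requests per source MAC and sender IP for each second of a `tcpdump -e -n arp` capture and reports any source whose peak rate crosses a threshold. The line format it parses is the link-layer format tcpdump prints with `-e`; the MAC and IP addresses in the embedded sample are constructed, and the threshold value is a parameter you choose, not a figure from the post.

```python
"""Find ARP broadcast storm sources in `tcpdump -e -n arp` output (added example)."""
import re
import sys
from collections import Counter, defaultdict

# Matches the link-layer line tcpdump prints with -e -n for a broadcast ARP request, e.g.
# 10:15:01.000120 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.0.14.5 tell 10.0.14.200, length 46
# Unicast ARP replies and non-ARP frames deliberately do not match.
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+\s+"
    r"(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > ff:ff:ff:ff:ff:ff, "
    r"ethertype ARP \(0x0806\), length \d+: "
    r"Request who-has (?P<target>[^\s,]+) tell (?P<sender>[^\s,]+)"
)


def arp_request_rates(lines):
    """Return {(src_mac, sender_ip): Counter{second: requests}} for broadcast ARP requests."""
    rates = defaultdict(Counter)
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if not m:
            continue
        # Keyed on MAC *and* the IP the host claims, so a host cycling sender IPs still
        # shows up under its MAC and a spoofed IP does not hide the physical sender.
        rates[(m["src"], m["sender"])][m["ts"]] += 1
    return rates


def storm_sources(lines, threshold_pps):
    """Sources whose broadcast ARP request count reaches threshold_pps in any single second.

    Returns {(src_mac, sender_ip): (worst_second, requests_in_that_second)}.
    """
    offenders = {}
    for key, per_second in arp_request_rates(lines).items():
        peak_second, peak = per_second.most_common(1)[0]
        if peak >= threshold_pps:
            offenders[key] = (peak_second, peak)
    return offenders


def _mk(ts, src, sender, target):
    """Build one constructed tcpdump -e -n line for a broadcast ARP request."""
    return (f"{ts} {src} > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: "
            f"Request who-has {target} tell {sender}, length 46")


# Constructed sample capture (all addresses are made up): one host asks for twelve
# different addresses inside one second, a second host sends a single normal request,
# and there is one unicast ARP reply plus one DNS packet that must be ignored.
SAMPLE_LINES = (
    [_mk(f"10:15:01.{i:06d}", "00:11:22:33:44:55", "10.0.14.200", f"10.0.14.{i + 1}")
     for i in range(12)]
    + [_mk("10:15:01.500000", "aa:bb:cc:dd:ee:01", "10.0.14.7", "10.0.14.1")]
    + ["10:15:01.600000 aa:bb:cc:dd:ee:02 > aa:bb:cc:dd:ee:01, ethertype ARP (0x0806), "
       "length 60: Reply 10.0.14.1 is-at aa:bb:cc:dd:ee:02, length 46",
       "10:15:02.000001 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:02, ethertype IPv4 (0x0800), "
       "length 71: 10.0.14.7.49152 > 10.0.14.1.53: 1234+ A? example.com. (29)"]
)


if __name__ == "__main__":
    # Pipe a live capture in, e.g.:  tcpdump -e -n -l -i eth1.14 arp | python3 arp_storm.py 500
    # With no piped input the constructed sample is used instead.
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 10
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for (mac, ip), (second, count) in storm_sources(source, threshold).items():
        print(f"{mac} (claims {ip}): {count} ARP requests/s at {second}")
```

Because the threshold is applied to the worst single second per source rather than to an average over ntop's sampling window, a short burst of thousands of requests stands out even when the host is quiet for the rest of the interval. With the sample above and the default threshold of 10 only `00:11:22:33:44:55` is reported; on a real capture set the threshold well above the normal ARP rate of your segment.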