I switched to v5 for awhile, no noticable differences anywhere. ________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten Sent: Monday, May 05, 2008 11:27 AM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote I read somewhere the v9 flows are supported, but just converted to v5 flows before processing - so not sure if there's much benefit to using v9. Can't remember where I read this or if it's changed since then. I tried v9 flows a couple times and had various issues so went back to v5. Maybe give that a try? G ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Baugher Sent: Monday, May 05, 2008 11:23 AM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote No, I'm using netflow v9. Jason ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten Sent: Monday, May 05, 2008 11:16 AM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote Is this just with cat 6500's and netflow? I'm using netflow on a 4510 with netflow card with no problems - well, guess I'd better double check now! Also using netflow from pure routers with no problems. Jason, I thought you were doing SPAN? Is this case or netflow as well? Gary ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Baugher Sent: Monday, May 05, 2008 9:06 AM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote I'm glad to hear it's not just me. I turned on the ADDRESS_DEBUG for awhile, and it appears that it IS correctly identifying remote vs pseudolocal. I dug through the code for awhile, and everywhere I looked things looked right... so I must have not looked far enough yet. Jason ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael P. Donnelly Sent: Monday, May 05, 2008 7:58 AM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote Same here .. opened a (now dead) thread a few weeks ago.. Local/Remote just doesnt work for me .. gary took a stab at it at that time .. -----Original Message----- From: [EMAIL PROTECTED] on behalf of Yves CLAESSENS Sent: Mon 5/5/2008 8:19 AM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote I have exactly the same problem. I'm using Netflow from a Catalyst 6500 and I configured Ntop with -m and 2 IP ranges. Many more addresses appear as Local than intended. Yves Claessens ----------------------------- Message: 3 Date: Wed, 30 Apr 2008 16:58:47 -0500 From: "Jason Baugher" <[EMAIL PROTECTED]> Subject: Re: [Ntop] NTOP and Local vs Remote To: <[email protected]> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset="us-ascii" I've tried some of these now.... I upped the MAX_SUBNET_HOSTS to a very high number, and turned on the address debugging. It appears to be correctly classifying each IP as remote or psuedo-local in the debugging, but later in the web interface it shows them in the wrong area. I'll keep working with it tonight, but so far no good. ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten Sent: Wednesday, April 30, 2008 2:44 PM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote That's really weird - never heard of this before; well except in cases where the network id's and/or mask bits were wrong. Properly configured I've never heard of this not working. Depending on your masks nTop MAY be truncating the network size to something smaller than your mask is specifying and MAYBE confusing the local/remote thing. Check out all the options in "globals-defines.h" - you'll see several entries such as "MAX_SUBNET_HOSTS", "ADDRESS_DEBUG", "MAX_NUM_NETWORKS". This file has a BUNCH of tweaks in it - but you have to recompile after changes :-( Not sure if this will help or not, but don't know what else to do. G ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Baugher Sent: Wednesday, April 30, 2008 2:18 PM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote I checked, and it understands my -m and -o correctly. I have 5 CIDR's listed, in x.x.x.x/bits format, separated by commas, and it appears to be happy with them. Remote/local is also confused in other areas, such as All Protocols->Traffic. If I select Hosts: Remote Only, I see 9 IP's. Local Only, I see local and many that should be remote. Jason ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten Sent: Wednesday, April 30, 2008 1:21 PM To: [email protected] Subject: Re: [Ntop] NTOP and Local vs Remote -m and -o are required for this and usually work without question. Check your "About->Show Config" and look at the "Resolved To..." row; make sure your flags (-m , -o, etc.) are actually being recognized. Does the remote/local traffic appear to be distinguished correctly on other views/reports? Or, does it appear broken everywhere? Gary ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Baugher Sent: Wednesday, April 30, 2008 1:02 PM To: [email protected] Subject: [Ntop] NTOP and Local vs Remote I'm using NTOP to gather NetFlow's from 2 border routers, Cisco 7206VXR's, with around 50Mbps in/out traffic on each. I've used the -m flag to specify all my internal IP's (our CIDR blocks), as I want "Local to Local" to be traffic from one of our customers to another, whereas "Local to Remote" and "Remote to Local" is traffic from/to one of our customers from someone out on the Internet. However, when I go to IP->Traffic Directions->Local to Local, I see hosts that are definitely supposed to be Remote. I've seen references in the archives to the -o flag - I've tried that with no change. Thanks, Jason Baugher [EMAIL PROTECTED] "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." -------------- next part -------------- An HTML attachment was scrubbed... URL: http://listgateway.unipi.it/pipermail/ntop/attachments/20080430/667fcbb4 /attachment-0001.html ------------------------------ Message: 4 Date: Thu, 1 May 2008 08:38:57 -0500 From: "Adamiec, Larry" <[EMAIL PROTECTED]> Subject: Re: [Ntop] libcap library To: <[email protected]> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset="us-ascii" OK. I'll try libpcap. I found the reference to libcap on page 5 of the NTop overview document on ntop.org. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Gatten Sent: Wednesday, April 30, 2008 16:32 To: [email protected] Subject: Re: [Ntop] libcap library Libcap? Maybe a typo - every OSS app I use for packet capture uses libpcap; ntop, Ethereal, etc, etc. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adamiec, Larry Sent: Wednesday, April 30, 2008 4:28 PM To: [email protected] Subject: [Ntop] libcap library I am trying to install ntop on a Solaris 10 sever. The docs says I need to install libcap first. I have found references to libpcap but not libcap. Does anyone know where I can get libcap? Larry Adamiec Kent-College of Law _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop <font size="1"> <div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'> </div> "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." </font> _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop ------------------------------ _______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop End of Ntop Digest, Vol 48, Issue 1 *********************************** "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system." "This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
