[Ntop] Newb Question - adding protocols and filtering them
Tim Weid
Tim.Weid at QCSI.com
Thu Mar 31 19:34:50 CEST 2005
NOTE: To resolve protocol names to port numbers, they must be specified
in the system file used to list tcp/udp protocols
and ports, which is typically the /etc/services file.
This is the bit that I am having trouble with. XP stores its default
protocols in the c:\windows\system32\drivers\etc\services file. The man
page only has the last 2 levels of the directory structure in it. I am
not sure which system file I am matching: the Ntop one in C:\program
files\ntop-win32\drivers\etc\services or the Windows one. I have
recreated the file to look like this. For the entries that were not in
the Ntop-win32\drivers\etc\services.list file, I have added them there
in the same format as the rest of the protocols:
FTP=ftp|ftp-data
HTTP=http|www|https
DNS=name|domain
LDAP=ldap|ldaps
LDAP-www=ldap-www-gw
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Microsoft-DS=microsoft-ds
Mail=pop-3|pop3|kpop|smtp|imap|imap4
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
SSH=22
Kerebos=kerberos-adm|kerberos
RTSP=rtsp
SQL=ms-sql-s|ms-sql-m
Peer-to-Peer Protocols
----------------------
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
eDonkey=4661-4665
Instant Messenger
-----------------
Messenger=1863|5000|5001|5190-5193
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Burton Strauss
Sent: Thursday, March 31, 2005 10:16 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Quoting from the ntop man page:
-p | --protocols
This parameter is used to specify the TCP/UDP protocols that
ntop will monitor. The format is <label>=<protocol list> [,
<label>=<protocol list>], where label is used to symbolically
identify the <protocol list>. The format of <protocol list>
is <protocol>[|<protocol>], where <protocol> is either a valid
protocol specified inside the /etc/services file or a
numeric port range (e.g. 80, or 6000-6500).
A simple example is

    --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"

which reduces the protocols displayed on the "IP" pages to three:

Host                      Domain  Data         HTTP  FTP  Other IP
ns2.attbi.com             <flag>  954  63.9 %     0    0       954
64.124.83.112.akamai.com  <flag>  240  16.1 %   240    0         0
64.124.83.99.akamai.com   <flag>  240  16.1 %   240    0         0
toolbarqueries.google.com <flag>   60   4.0 %    60    0         0
If the <protocol list> is very long you may store it in a file
(for instance protocol.list). To do so, specify the file
name instead of the <protocol list> on the command line. e.g.
ntop -p protocol.list
If the -p parameter is omitted the following default value is
used:
FTP=ftp|ftp-data
HTTP=http|www|https|3128          (3128 is Squid, the HTTP cache)
DNS=name|domain
Telnet=telnet|login
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NNTP=nntp
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
X11=6000-6010
SSH=22
Peer-to-Peer Protocols
----------------------
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=0                   (dummy port, as this is a pure P2P protocol)
eDonkey=4661-4665
Instant Messenger
-----------------
Messenger=1863|5000|5001|5190-5193
NOTE: To resolve protocol names to port numbers, they must be
specified in the system file used to list tcp/udp protocols
and ports, which is typically the /etc/services file. You will have
to match the names in that file exactly. Missing or
unspecified (non-standard) ports must be specified by number,
such as 3128 in our examples above.
If you have a file named /etc/protocols, don't get confused by
it, as that's the Ethernet protocol numbers, which are not
what you're looking for.
-----Burton
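The man page text quoted above gives the -p grammar but no checker for it, and the thread's "unknown protocol 'ftp 21/tcp'" error comes from feeding ntop a copy of the services file instead of a <label>=<protocol list> file. The following is an added example, not code from the thread or from ntop: it parses a protocol list in that grammar (comma-separated on a command line, or one entry per line in a list file, the per-line form being an assumption drawn from the man page's default list), resolves names against a constructed /etc/services-style excerpt embedded in the script (not the real system file), accepts numeric ports and ranges, and reports every entry that would not resolve. The problem messages are this checker's own wording, not ntop's.

```python
import re

# Constructed excerpt in /etc/services format (not the real file; a few lines
# chosen to cover names used in this thread). The alias columns matter: ntop
# matches names in this file exactly, so "pop-3" only resolves because it is
# listed here as an alias of pop3.
SERVICES_TEXT = """\
ftp-data    20/tcp
ftp         21/tcp
ssh         22/tcp
smtp        25/tcp    mail
domain      53/udp    name
http        80/tcp    www
pop3       110/tcp    pop-3
imap       143/tcp    imap2
snmp       161/udp
snmp-trap  162/udp    snmptrap
https      443/tcp
"""


def parse_services(text):
    """Map each service name and alias to the set of ports it names."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port = int(fields[1].split("/", 1)[0])
        for name in [fields[0]] + fields[2:]:
            table.setdefault(name, set()).add(port)
    return table


# A single port or a lo-hi range, as in the man page's "80" and "6000-6500".
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_protocol_list(text, services):
    """Check text in ntop's -p format against a services table.

    Entries are separated by commas (command line) or newlines (list file;
    the one-entry-per-line layout is an assumption). Returns (labels,
    problems): labels maps each label to its sorted port numbers, problems
    lists (entry, reason) pairs for anything that would not resolve. The
    reason strings are this checker's own, not ntop's messages.
    """
    labels, problems, entries = {}, [], []
    for line in text.splitlines():
        entries.extend(e.strip() for e in line.split(",") if e.strip())
    for entry in entries:
        if "=" not in entry:
            # A services-file line such as "ftp 21/tcp" lands here: it is not
            # <label>=<protocol list>, so it can never resolve.
            problems.append((entry, "not in <label>=<protocol list> form"))
            continue
        label, plist = (s.strip() for s in entry.split("=", 1))
        ports = set()
        for proto in (p.strip() for p in plist.split("|")):
            m = PORT_RE.match(proto)
            if m:
                lo = int(m.group(1))
                hi = int(m.group(2) or lo)
                if not 0 <= lo <= hi <= 65535:
                    problems.append((entry, f"bad port range '{proto}'"))
                    continue
                ports.update(range(lo, hi + 1))
            elif proto in services:
                ports.update(services[proto])
            else:
                # Name absent from the services table: ntop would ignore it.
                problems.append((entry, f"unknown protocol '{proto}'"))
        if ports:
            labels[label] = sorted(ports)
    return labels, problems


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    # Constructed list mixing valid -p entries with a copied services line.
    sample = "ftp 21/tcp\nHTTP=http|www|https|3128\nMail=pop-3|imap4\nSSH=22\n"
    labels, problems = parse_protocol_list(sample, services)
    for label, ports in labels.items():
        print(f"{label}: {ports}")
    for entry, reason in problems:
        print(f"rejected {entry!r}: {reason}")
```

Running it on a candidate list before pointing ntop at it shows which names need to be present in the services file ntop actually reads (on the Windows port, whichever drivers\etc\services copy it consults) and which have to be given by number instead, as the man page note requires for non-standard ports like 3128.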
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Tim Weid
Sent: Thursday, March 31, 2005 9:16 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Look... I am NOT a unix/open source person. You are probably aware of
this by now. I am sure there are many things in my world you would
struggle with.
We run a Windows/Cisco shop, I do IP phones, Call manager, Unity,
wireless, routers, Sniffer Distributed, switches, firewalls and
Exchange. I am a little out of my element here. Please be patient.
The documentation in man ntop does not show me a list format. It
shows me a command line format and then says if you want to put it in a
list, type this.
There is no list example. Also, in matching the list to the services
file, which one? There is one in the \program files\ntop-Win32\
directory and there is one in system32\drivers\etc.
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Burton Strauss
Sent: Thursday, March 31, 2005 7:27 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Use the RIGHT format, maybe? It's not /etc/services, it's the -p format
as documented in man ntop.
-----Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Tim Weid
Sent: Thursday, March 31, 2005 7:52 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
OK, got it to read by shutting the service down manually (there is only
one instance running) and then running ntop /c -p qcsi.list.
Now it is saying unknown protocols. I thought it was a format problem,
but the process I used to create the list was to copy the services.list
and edit and rename it to qcsi.list.
Error is: PROTO_INIT: unknown protocol 'ftp 21/tcp
'. It has been ignored.
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Burton Strauss
Sent: Thursday, March 31, 2005 6:43 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Yes.
gdbm is a one-writer OR multiple-reader db. That message indicates that
another process has the database file open or it can't be created. If
you look at docs/FAQ there are two choices:
* Another ntop already running
* Some sort of file system problem (non-existent directory,
permissions, etc.)
So either -P is wrong, OR another ntop is running. Hence why I
suggested you check to make sure that the service is stopped before you
run interactively (ntop /c).
-----Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Tim Weid
Sent: Thursday, March 31, 2005 7:30 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Am I missing something? Or is this a bug and you can't add protocols
with the WIN32 version? The /c switch should do the restart, correct?
Tried to rename my existing file to qcsi.list, put it in the ntop-win32
directory and ran ntop /c -p qcsi.list, and I get the same error. Put
the file at the root of C: and tried ntop /c -p c:\qcsi.list and get the
error as well:
***FATAL_ERROR***... open of C:\program files\ntop-win32/prefcache.db
failed: can't be writer
Possible solution: please use '-P <Directory>
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Burton Strauss
Sent: Wednesday, March 30, 2005 2:55 PM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Yes - read the docs/FAQ file, it shows the values.
------Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Tim Weid
Sent: Wednesday, March 30, 2005 9:09 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Problem is there is no Protocols.list file in the Win32 version. Is the
default list compiled in the app?
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
jacengel
Sent: Wednesday, March 30, 2005 8:53 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Rename the file to protocol.list (seems it does not accept .txt) and
run
Ntop /c -p c:\protocol.list
or place the file protocol.list in the Ntopwin32 directory and run
Ntop /c -p protocol.list
cheers
Jac
-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On
Behalf Of Tim Weid
Sent: Wednesday, March 30, 2005 15:35
To: ntop at Unipi.IT
Subject: [Ntop] Newb Question - adding protocols and filtering them
Just bought NTOP and need to add some protocols. I have tried
using the list but I get syntax errors. I really need to track
streaming protocols, and MAPI clients.
I use:
Ntop -p c:\lists.txt
And all I get is the error
What is the correct syntax and where is the default folder
location?