[Ntop] Newb Question - adding protocols and filtering them
Burton Strauss
Burton at ntopSupport.com
Thu Mar 31 23:37:57 CEST 2005
I think it's /d to delete, not /r, but I could be wrong - don't use Win32
ntop.
I'm not sure if setting -p via the web page works for a file.
Best bet is to remove it and do the reinstall with the new -p <filename>
parameter.
-----Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Tim Weid
Sent: Thursday, March 31, 2005 2:52 PM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
OK, modified my file to this.
FTP=20|21
HTTP=80|443
Mail=25
RPC=135
IMAP=143
DNS=53
DHCP-BOOTP=67-68
LDAP=389|636
Kerebos=749|750
NBios-IP=137|138|139
Microsoft-DS=445
SNMP=161|162
Print=512
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
SSH=22
RTSP=554
SQL=1433|1434
Peer-to-Peer Protocols
----------------------
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=0 Dummy port as this is a pure P2P protocol
eDonkey=4661-4665
Instant Messenger
-----------------
Messenger=1863|5000|5001|5190-5193
IRC=149
The database will accept the changes, as far as I can see in the cmd window.
Tried the ntop /r to uninstall the service, then ntop /c -p qcsi.list to
reinstall the service, and I still don't see my protocol list. I even went
to the admin configuration page and added the QCSI.list to the startup
parameters. Still nothing.
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Burton Strauss
Sent: Thursday, March 31, 2005 10:41 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
If it can't match the names it ignores them, so just use the #s - like the
ssh entry.
-----Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Tim Weid
Sent: Thursday, March 31, 2005 11:35 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
NOTE: To resolve protocol names to port numbers, they must be specified in
the system file used to list tcp/udp protocols
and ports, which is typically /etc/services file.
This is the bit that I am having trouble with. XP stores its default
protocols in the c:\windows\system32\drivers\etc\services file. The man
page only has the last 2 levels of the directory structure in it. I am not
sure which system file I am matching: the ntop one in C:\program
files\ntop-win32\drivers\etc\services, or the Windows one. I have recreated
the file to look like this. For the entries that were not in the
Ntop-win32\drivers\etc\services.list file, I have added them there in the
same format as the rest of the protocols.
FTP=ftp|ftp-data
HTTP=http|www|https
DNS=name|domain
LDAP=ldap|ldaps
LDAP-www=ldap-www-gw
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Microsoft-DS=microsoft-ds
Mail=pop-3|pop3|kpop|smtp|imap|imap4
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
SSH=22
Kerebos=kerberos-adm|kerberos
RTSP=rtsp
SQL=ms-sql-s|ms-sql-m
Peer-to-Peer Protocols
----------------------
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
eDonkey=4661-4665
Instant Messenger
-----------------
Messenger=1863|5000|5001|5190-5193
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Burton Strauss
Sent: Thursday, March 31, 2005 10:16 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Quoting from the ntop man page:
-p | --protocols
This parameter is used to specify the TCP/UDP protocols that ntop
will monitor. The format is <label>=<protocol list> [,
<label>=<protocol list>], where label is used to symbolically
identify the <protocol list>. The format of <protocol list>
is <protocol>[|<protocol>], where <protocol> is either a valid
protocol specified inside the /etc/services file or a
numeric port range (e.g. 80, or 6000-6500).
A simple example is --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data",
which reduces the protocols displayed on the "IP" pages to three:
Host                        Domain  Data           HTTP  FTP  Other IP
ns2.attbi.com               <flag>  954   63.9 %   0     0    954
64.124.83.112.akamai.com    <flag>  240   16.1 %   240   0    0
64.124.83.99.akamai.com     <flag>  240   16.1 %   240   0    0
toolbarqueries.google.com   <flag>  60     4.0 %   60    0    0
If the <protocol list> is very long you may store it in a file (for
instance protocol.list). To do so, specify the file name instead of the
<protocol list> on the command line, e.g. ntop -p protocol.list
If the -p parameter is omitted the following default value is used:
FTP=ftp|ftp-data
HTTP=http|www|https|3128 3128 is Squid, the HTTP cache
DNS=name|domain
Telnet=telnet|login
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NNTP=nntp
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
X11=6000-6010
SSH=22
Peer-to-Peer Protocols
----------------------
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=0 Dummy port as this is a pure P2P protocol
eDonkey=4661-4665
Instant Messenger
-----------------
Messenger=1863|5000|5001|5190-5193
NOTE: To resolve protocol names to port numbers, they must be
specified in the system file used to list tcp/udp protocols
and ports, which is typically /etc/services file. You will have to
match the names in that file, exactly. Missing or
unspecified (non-standard) ports must be specified by number, such
as 3128 in our examples above.
If you have a file named /etc/protocols, don't get confused by it,
as that's the Ethernet protocol numbers, which are not
what you're looking for.
-----Burton
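As an added example (not code from this thread or from ntop itself), a small Python checker that parses a -p protocol list the way the man page above describes, resolves protocol names against a services file, and reports the entries ntop would ignore, including a services-file-style line like the 'ftp 21/tcp' one seen earlier in the thread. Both inputs are constructed samples; the Kerebos label is kept to show a name that is absent from the services file.

```python
import re
# Constructed samples (not real files): a services file in the
# "name port/proto [aliases]" layout, and a protocol.list in -p format.
SAMPLE_SERVICES = """\
ftp-data  20/tcp
ftp       21/tcp
http      80/tcp   www www-http
https     443/tcp
domain    53/tcp   name   # the alias column is also a valid name
"""
SAMPLE_LIST = """\
FTP=ftp|ftp-data
HTTP=http|www|https|3128
DNS=name|domain,DHCP-BOOTP=67-68
Kerebos=kerberos-adm|kerberos
ftp 21/tcp
"""

def parse_services(text):
    """Map every service name and alias in a services file to its port."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port = int(fields[1].split("/")[0])
        for name in [fields[0]] + fields[2:]:
            names[name] = port
    return names

def check_protocol_list(list_text, services):
    """Resolve a -p list to {label: [(low, high), ...]} and collect the
    entries ntop would reject ('unknown protocol' or wrong line form)."""
    resolved, problems = {}, []
    for raw in list_text.splitlines():
        for entry in (e.strip() for e in raw.split(",") if e.strip()):
            if "=" not in entry:
                problems.append(f"not <label>=<protocol list>: {entry!r}")
                continue
            label, plist = entry.split("=", 1)
            ports = []
            for proto in (p.strip() for p in plist.split("|")):
                m = re.fullmatch(r"(\d+)(?:-(\d+))?", proto)
                if m:
                    ports.append((int(m.group(1)), int(m.group(2) or m.group(1))))
                elif proto in services:
                    ports.append((services[proto], services[proto]))
                else:
                    problems.append(f"{label}: unknown protocol {proto!r}")
            resolved[label] = ports
    return resolved, problems
```

Run it against your real services file and list before (re)installing the service, so that an unresolved name shows up here rather than as an ignored entry in the ntop log.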
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Tim Weid
Sent: Thursday, March 31, 2005 9:16 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Look. I am NOT a unix/open source person. You are probably aware of this by
now. I am sure there are many things in my world you would struggle with.
We run a Windows/Cisco shop, I do IP phones, Call manager, Unity, wireless,
routers, Sniffer Distributed, switches, firewalls and Exchange. I am a
little out of my element here. Please be patient.
The documentation in the man ntop does not show me a list format. It shows
me a command line format and then says if you want to put it in a list type
this.
There is no list example. Also in matching the list to the services file,
which one? There is one in the \program files\ntop-Win32\ directory and
there is one in system32\drivers\etc.
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Burton Strauss
Sent: Thursday, March 31, 2005 7:27 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Use the RIGHT format, maybe? It's not /etc/services, it's the -p format as
documented in man ntop.
-----Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Tim Weid
Sent: Thursday, March 31, 2005 7:52 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
OK, got it to read by shutting the service down manually (there is only one
instance running) and then putting in the ntop /c -p qcsi.list.
Now it is saying unknown protocols. I thought it was a format problem, but
the process I used to create the list was to copy the services.list and edit
and rename it to qcsi.list.
Error is: PROTO_INIT: unknown protocol 'ftp 21/tcp
'. It has been ignored.
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Burton Strauss
Sent: Thursday, March 31, 2005 6:43 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Yes.
gdbm is a one-write OR multiple-reader db. That message indicates that
another process has the database file open or it can't be created. If you
look at docs/FAQ there are two choices:
* Another ntop already running
* Some sort of file system problem (non-existent directory, permissions,
etc.)
So either -P is wrong, OR another ntop is running. Hence why I suggested
you check to make sure that the service is stopped before you run
interactively (ntop /c).
-----Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Tim Weid
Sent: Thursday, March 31, 2005 7:30 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Am I missing something? Or is this a bug and you can't add protocols with
the WIN32 version? The /c switch should do the restart, correct?
Tried to rename my existing file to qcsi.list, put it in the ntop-win32
directory and ran ntop /c -p qcsi.list, and I get the same error. Put the
file at the root of C: and tried ntop /c -p c:\qcsi.list and get the error
as well:
***FATAL_ERROR***. open of C:\program files\ntop-win32/prefcache.db failed:
can't be writer
Possible solution: please use '-P <Directory>
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Burton Strauss
Sent: Wednesday, March 30, 2005 2:55 PM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Yes - read the docs/FAQ file, it shows the values.
------Burton
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Tim Weid
Sent: Wednesday, March 30, 2005 9:09 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Problem is there is no Protocols.list file in the Win32 version. Is the
default list compiled in the app?
_____
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of jacengel
Sent: Wednesday, March 30, 2005 8:53 AM
To: ntop at Unipi.IT
Subject: RE: [Ntop] Newb Question - adding protocols and filtering them
Rename the file to protocol.list (it seems it does not accept .txt) and run
Ntop /c -p c:\protocol.list
Or place the file protocol.list in the Ntopwin32 directory and run Ntop /c -p
protocol.list
cheers
Jac
-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of Tim Weid
Sent: Wednesday, March 30, 2005 15:35
To: ntop at Unipi.IT
Subject: [Ntop] Newb Question - adding protocols and filtering them
Just bought NTOP and need to add some protocols. I have tried using the
list but I get syntax errors. I really need to track streaming protocols
and MAPI clients.
I use:
Ntop -p c:\lists.txt
And all I get is the error.
What is the correct syntax, and where is the default folder location?