[Ntop] Problems with separating local & remote hosts
Ggatten at waddell.com
Thu Jul 12 17:01:12 CEST 2007
Check the doc about trusting mac addresses - maybe a -m switch? OK,
hold on - I'll look it up....

#quote from man page#

-o | --no-mac

ntop is a hybrid layer 2/3 network monitor. That is, it uses both the
lower level, physical device address - the MAC (Media Access Control)
address - and the higher level, logical, tcp/ip address (the familiar
www.ntop.org or 126.96.36.199 address). This allows ntop to link the
logical addresses to a physical machine with multiple addresses (This
occurs with virtual hosts or additional addresses assigned to the
interface, etc.) to present consolidated reporting.

This parameter specifies that ntop should not trust the MAC addresses
but just use the IP addresses.

Normally, since the MAC address must be globally unique, the dual nature
of ntop is a benefit and provides far better information about the
network than is available via a pure layer 2 or pure layer 3 monitor.

Under certain circumstances - whenever ntop is started on an interface
where MAC addresses cannot be really trusted - you may require this

Situations which may require this option include port/VLAN mirror, some
cases with switches and spanning tree protocol, and (reportedly) some
specific models of Ethernet switches which re-write MAC addresses of the
packets they process. Normally, you discover that this option is
necessary when you observe that hosts seem to change their addresses or
information about different machines get lumped together.

Note that with this option, information which is dependent upon the MAC
addresses (non tcp/ip protocols like IPX) will not be collected nor

HTH - Gary

From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Sent: Wednesday, July 11, 2007 9:37 PM
To: ntop at unipi.it
Subject: [Ntop] Problems with separating local & remote hosts

I am very happy that there is an open-source tool as great
as ntop, however, I have some issues with separating local
& remote hosts.

I have ntop running between a layer-3 switch that has
several network segments coming to it (172.16.1.x,
172.16.2.x, etc.) and a NetScreen firewall.

When I don't set the "Local Subnet Address", all of the
hosts display individually which is what I want.
However, when I specify the Local Subnet as 172.16.0.0/16,
all of the local addresses get bundled into one IP address
which is the address of the NetScreen firewall. I believe
ntop does this automatically, but seeing all local traffic
as one IP address is not very useful so is there any way
to disable this???

I think ntop gets confused because the NetScreen forwards
packets at layer 2. I think grouping things together like
this is by design but it ruins things for me as I can't get
individual host information.

If anyone has encountered this, please let me know how you
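
The effect the quoted man page text describes, as an added illustration (not part of the original thread and not ntop's own code): a simplified model of per-host accounting keyed by MAC versus keyed by IP, plus a check for the symptom of many IPs behind one MAC. The frame records, MAC addresses, function names and the `max_ips` threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: frames seen on a link behind a forwarding device.
# Every forwarded frame carries that device's MAC, whoever the sender was.
FORWARDER_MAC = "00:00:5e:00:53:01"  # constructed, documentation-range MAC
FRAMES = [  # (source MAC, source IP, bytes)
    (FORWARDER_MAC, "172.16.1.10", 1200),
    (FORWARDER_MAC, "172.16.1.11", 800),
    (FORWARDER_MAC, "172.16.2.20", 400),
    (FORWARDER_MAC, "172.16.2.20", 600),
    ("00:00:5e:00:53:02", "172.16.0.1", 300),
]


def host_table(frames, trust_mac=True):
    """Aggregate traffic per host.

    trust_mac=True:  host identity is the source MAC, so every IP seen
                     behind one MAC is consolidated into a single entry.
    trust_mac=False: host identity is the source IP only, which is what
                     the man page says --no-mac makes ntop do.
    """
    table = defaultdict(lambda: {"ips": set(), "bytes": 0})
    for mac, ip, size in frames:
        key = mac if trust_mac else ip
        table[key]["ips"].add(ip)
        table[key]["bytes"] += size
    return dict(table)


def suspicious_macs(frames, max_ips=2):
    """Return MACs seen with more than max_ips distinct source IPs.

    A multi-homed host legitimately has a few IPs; a MAC fronting many
    is more likely a router, firewall or MAC-rewriting switch, i.e. a
    MAC that should not be trusted as a host identity. The threshold
    is an assumption to tune per network.
    """
    by_mac = host_table(frames, trust_mac=True)
    return sorted(m for m, h in by_mac.items() if len(h["ips"]) > max_ips)


if __name__ == "__main__":
    print("keyed by MAC:", len(host_table(FRAMES)), "hosts")
    print("keyed by IP: ", len(host_table(FRAMES, trust_mac=False)), "hosts")
    print("MACs fronting many IPs:", suspicious_macs(FRAMES))
```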