[Ntop] All traffic reporting under one client IP address
ryamry at kimberly.k12.wi.us
Fri Apr 9 16:13:23 CEST 2010
I have ntop working good now. Its reporting 3300+ active hosts on the network right now. My problem now is that when I go into All Protocols --> Traffic, it appears that all the traffic is being reported under one local IP address - which is just a
client workstation. There are other local IPs listed in there, but they are mostly servers and there is only a few listed. Even when that workstation is turned off it appears to still be pulling down data. Whats weird is that if I restart ntop, ntop
picks up a different client IP and it reports all the traffic under that one. It appears that the first client IP it picks up is the one that is uses to report all the traffic under? This doesnt seem to be PAT related?
Can anybody help me fix this so that all my clients show up? We have our internet bandwidth maxxed out for the last couple of days and we need to monitor this traffic asap.
Im running 3.4-Pre3 on SLES 11. Im starting ntop with the command: ntop -d -L -u ntop -i eth1 -m 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -w 3000 -W 3333
Also, we have a cisco asa 5510, which doesnt support port spanning (mirroring) so I have the port that the ASA plugs into our core switch (cisco 3750) mirrored and which is what I use for ntop.
More information about the Ntop