> > On my system (Dual-Pentium 3, Linux, ntop compiled with tcpwrapper), the
> > current snapshot (01-12-17) doesn't work as expected:
> > First of all, some bugs which appear with all accuracy levels:
> > ntop doesn't show the "Global TCP/UDP Protocol Distribution" in Stats -
> > Traffic (see attached file)
> It doesn't happen to me. How did you start ntop? I feel that ntop
> crashes before rendering the page (see below)
> > Not always but most of the time, ntop only shows a nearly empty html page
> > when clicking on "Data Sent - TCP/UDP" or "Data Rcvd - TCP/UDP". The
> > last html line is:
> > <TH ><A HREF=/sortDataSentIP.html?98>Domain</A></TH><TH  COLSPAN=2><A
> > HREF=/sortDataSentIP.html?-0>Sent&nbsp;<IMG SRC=arrow_down.gif
> > BORDER=0></A></TH>
> It seems that there's a bug, ntop crashes and the rest of the page is
> not rendered (see below).
> > ntop often crashes when I want to have a closer look at a host and look
> > at a html file <host IP addr.>.html, for example 1.0.0.0.html.
> Same as before.

I found out why the above-mentioned symptoms occurred: It was the
parameter "-p <protocol file>". This file does well at least until
version 01-12-04. When I don't use "-p" this part does fine.

> > ntop doesn't use the "-m" command line switch as expected. If I define
> > my local net, which is connected through a router, via "-m <local net>"
> > only exactly one computer (I suppose the first ntop sees) appears in the
> > stats with all the traffic of the local net. Normally you want to see
> > all your local boxes.
> Please explain better and make an example.

OK.

LOCAL NET --------- FIREWALL -------- SWITCH ------- INTERNET
(X.Y.0.0/16)        (A.B.C.D)           |
                                        | (Mirror Port)
                                        |
                                     NTOP BOX (A.B.C.E)

The local net is X.Y.0.0/16. If I start ntop without the "-m" parameter,
ntop handles the few hosts in the subnet connected via the SWITCH
(FIREWALL, NTOP BOX and some others) as local hosts and identifies them
by their MAC address and all other hosts via their IP address, which is
perfectly OK. Now I want the hosts of X.Y.0.0/16 to be treated as local
so that they appear in the statistics as "local", that the stats
"local->remote" and so on are correct and that the switch "-A 0" only
puts these hosts of LOCAL NET (and perhaps the hosts A.B.C.D,..., but
that's not so important) in its hash. So I set up "-m X.Y.0.0/16", but
then ntop only has one host of the LOCAL NET in its hash, it says this
host is multihomed and adds all traffic from the LOCAL NET (at least I
think so) to this one host. I don't see any other host from LOCAL NET in
the ntop pages.
What I want is to see the hosts as if there was no "-m..." and to get
the statistics "local->remote traffic" and so on right.

I hope I explained myself clearly, but just ask if I have to explain
something in more detail.

> > With accuracy level 0 ntop declares much traffic (half of the traffic)
> > as multicast, but it isn't multicast (see attached file).
> It doesn't show up here. Do you have a way to reproduce the problem
> (e.g. a pcap file I could use).

I'll send such a file directly to you, Luca.
Oh, and one thing: now ntop crashes (segmentation fault) when I stop it
(Ctrl-C), but only with "-A 0", not with "-A 1".

> > With accuracy level 1 ntop doesn't map the non-local hosts to the one
> > host 0.1.2.3, as expected, but it works as level 2 except protocol
> > handling.
> Please explain better and make an example.

I don't know what to say. I start ntop with "-A 1 -m <local net>", but
the hash is filled with all kinds of hosts from outside "local net".

> > My experiences show that the protocol handling is not the important
> > thing when ntop has to handle much traffic, the session handling and the
> > many computers are important. The protocol handling indeed doesn't take
> > much CPU time and provides a lot of information, the protocol handling
> > is in my opinion one of the most important features of ntop. I think it
> > would be better to leave the protocol handling untouched and perhaps to
> > provide an accuracy level 3 without protocol handling, but I think this
> > isn't necessary.
> I agree but protocol handling takes time too that's why I have created 3
> levels.

Cheers,

Michael
-- 
Michael Weidel, University of Ulm
Computing Center  Network Administration
EMAIL:         [EMAIL PROTECTED]
WWW (PGP-KEY): http://www.weidel.org/