Version of ntop? If it's anything recent, you have to use a flag to specify the filter...
try -B (or --filter-expression), as in ntop 29333 0.5 3.1 23460 7968 ttyp0 SN 17:24 0:00 \_ bin/ntop -u ntop -n -M -t 4 -u ntop -L -i eth1 -w 212.117.75.92 3001 -B "ether dst 00:02:B3:96:57:DD and ( host 141.1.1.1 or host www.cw.com )" -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Christian Hammers Sent: Thursday, April 11, 2002 10:32 AM To: [EMAIL PROTECTED] Subject: [Ntop-dev] netflow exporting ignores BPF filter ?! Why does it do this? The following ps line shows that ntop should ignore everything except those two hosts and then also only those packages arriving on this ethernet interface: # ps faxuwwww ... ntop 29333 0.5 3.1 23460 7968 ttyp0 SN 17:24 0:00 \_ bin/ntop -u ntop -n -M -t 4 -u ntop -L -i eth1 -w 212.117.75.92 3001 ether dst 00:02:B3:96:57:DD and ( host 141.1.1.1 or host www.cw.com ) (www.cw.com is 204.71.140.70) But syslog says: ntop[29333]: 30) 212.117.YYY.XXX:80 <-> 192.35.VVV.WWW:1238 0/0 (proto=6) ntop[29333]: Exported 30 NetFlow's... ntop[29333]: 1) 192.35.VVV.WWW:1238 <-> 212.117.YYY.XXX:80 1/40 (proto=6) ntop[29333]: 2) 212.117.YYY.XXX:80 <-> 192.35.VVV.WWW:1238 0/0 (proto=6) ntop[29333]: 3) 192.35.VVV.WWW:1238 <-> 212.117.YYY.XXX:80 1/40 (proto=6) ntop[29333]: 4) 212.117.YYY.XXX:80 <-> 192.35.VVV.WWW:1238 0/0 (proto=6) ntop[29333]: 5) 192.35.VVV.WWW:1238 <-> 212.117.YYY.XXX:80 1/40 (proto=6) ntop[29333]: 6) 212.117.YYY.XXX:80 <-> 192.35.VVV.WWW:1238 0/0 (proto=6) ... It seems every connection on all protocols gets exported! bye, -christain- -- Christian Hammers WESTEND GmbH - Aachen und Dueren Tel 0241/701333-0 [EMAIL PROTECTED] Internet & Security for Professionals Fax 0241/911879 WESTEND ist CISCO Systems Partner - Authorized Reseller _______________________________________________ Ntop-dev mailing list [EMAIL PROTECTED] http://listmanager.unipi.it/mailman/listinfo/ntop-dev _______________________________________________ Ntop-dev mailing list [EMAIL PROTECTED] http://listmanager.unipi.it/mailman/listinfo/ntop-dev
