Make sure that your ntop host has the same DNS resolution (resolv.conf) as
the workstations, i.e. it's pointing at the dynamic resolver and not at your
ISP or other central server.

Most DNS resolution in ntop comes from sniffing other people's DNS packets -
ntop reads the packet anyway, it's not much more work to save off the query
and result in the ntop cache.  You might be able to create a script that
loads the cache by doing the nslookup every so often.

-----Burton




-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Rob Yamry
Sent: Friday, April 09, 2010 10:34 AM
To: [email protected]
Subject: Re: [Ntop] All traffic reporting under one client IP address

That did the trick.  Thanks!

I have one more question:

We have Dynamic DNS set up on our network so all of the workstations have a
DNS record.  Is there a way to have ntop resolve the IPs to their DNS name?
It looks like maybe 5% of the hosts show as the DNS name right now.  It'd be
really nice to have that show up all the time so we can pinpoint workstations
very quickly, rather than have to use nslookup.

Thanks!


[email protected] writes:
>Try "-o" to your startup args.
>
>----- Original Message -----
>From: [email protected] <[email protected]>
>To: [email protected] <[email protected]>
>Sent: Fri Apr 09 09:13:23 2010
>Subject: [Ntop] All traffic reporting under one client IP address
>
>I have ntop working good now.  It's reporting 3300+ active hosts on the
>network right now.  My problem now is that when I go into All Protocols -->
>Traffic, it appears that all the traffic is being reported under one local
>IP address - which is just a client workstation.  There are other local IPs
>listed in there, but they are mostly servers and there are only a few
>listed.  Even when that workstation is turned off it appears to still be
>pulling down data.  What's weird is that if I restart ntop, ntop picks up a
>different client IP and it reports all the traffic under that one.  It
>appears that the first client IP it picks up is the one that it uses to
>report all the traffic under?  This doesn't seem to be PAT related?
>
>Can anybody help me fix this so that all my clients show up?  We have our
>internet bandwidth maxed out for the last couple of days and we need to
>monitor this traffic asap.
>
>I'm running 3.4-Pre3 on SLES 11.  I'm starting ntop with the command:
>ntop -d -L -u ntop -i eth1 -m 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -w 3000 -W 3333
>
>Also, we have a Cisco ASA 5510, which doesn't support port spanning
>(mirroring) so I have the port that the ASA plugs into our core switch
>(Cisco 3750) mirrored and which is what I use for ntop.
>
>Thanks!
>
>_______________________________________________
>Ntop mailing list
>[email protected]
>http://listgateway.unipi.it/mailman/listinfo/ntop



Rob Yamry
Network Administrator
Kimberly Area School District
Phone: 920.788.7905 x 2019
Direct: 920.423.4158
[email protected]

"Pain is temporary. Quitting is forever." - Lance Armstrong

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
