Apps that use dynamically negotiated ports such as ftp (active or passive), RPC, etc. are difficult to account for - and IIRC nTop does not do it - it's "other" as you noticed.

There's one option (I know of), a flag/arg to tell nTop that all traffic gt 1023 is ftp traffic. This may or may not work for you depending on your environment. Check the man page for this info.

If the ftp hosts are static, you may be able to define a "flow" - I *think* ntop still supports those. Generally they don't have much use but in your case perhaps they would help.

HTH

G

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Wed May 26 05:24:02 2010
Subject: [Ntop] Unable to catch FTP passive trafic

Hello,

I have a Linux server that runs as a network bridge between the firewall and the LAN; I can capture all I/O from WAN and LAN. I want to get statistics for FTP traffic. Only passive mode is used.

On the section "Global TCP/UDP Protocol Distribution" only FTP on port 21 is recognized as FTP protocol. The data is referenced as "Other TCP/UDP-based Protocols".

I use ntop-3.4-pre3 and libpcap 0.9.8-5 on Debian lenny. I've launched ntop with only protocol "FTP=ftp|ftp-data" (I've tested with default values too). Ntop is running as the "ntop" user and the ip_conntrack_ftp module is loaded correctly.

Does anyone have an idea why FTP passive data is not recognized as FTP traffic by ntop?

Thanks!

--
Erwan

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
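
The following is an added example, not part of the thread and not ntop's code: it shows why passive data connections cannot be labelled by port alone and how they can be attributed by reading the 227 (PASV) and 229 (EPSV) replies on the control channel. The function names, event tuples and addresses are constructed for illustration.

```python
import re

# RFC 959:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")

def passive_endpoint(reply, server_ip):
    """Return the (ip, port) a 227/229 reply announces, or None."""
    m = PASV_RE.match(reply)
    if m:
        n = [int(x) for x in m.groups()]
        if max(n) > 255:
            return None
        return ".".join(map(str, n[:4])), n[4] * 256 + n[5]
    m = EPSV_RE.match(reply)
    if m and 0 < int(m.group(2)) < 65536:
        return server_ip, int(m.group(2))  # EPSV: same address as the control connection
    return None

def account(events):
    """Walk time-ordered events and total bytes per protocol label."""
    expected = set()  # data endpoints announced but not yet used
    totals = {"ftp": 0, "ftp-data": 0, "other": 0}
    for ev in events:
        if ev[0] == "reply":  # ("reply", server_ip, line)
            ep = passive_endpoint(ev[2], ev[1])
            if ep:
                expected.add(ep)
            continue
        _, server, port, nbytes = ev  # ("flow", server_ip, dst_port, nbytes)
        if port == 21:
            totals["ftp"] += nbytes
        elif (server, port) in expected:
            expected.discard((server, port))  # one data connection per reply
            totals["ftp-data"] += nbytes
        else:
            totals["other"] += nbytes
    return totals

# Constructed sample: control-channel replies interleaved with flow records.
SAMPLE = [
    ("flow", "192.0.2.10", 21, 1200),
    ("reply", "192.0.2.10", "227 Entering Passive Mode (192,0,2,10,195,149)"),
    ("flow", "192.0.2.10", 50069, 5000000),
    ("flow", "192.0.2.10", 50069, 300),  # port seen again with no new reply
    ("reply", "192.0.2.10", "229 Entering Extended Passive Mode (|||6446|)"),
    ("flow", "192.0.2.10", 6446, 2048),
    ("flow", "192.0.2.10", 443, 900),
]
```

A pure port-range rule would have counted the second flow to port 50069 as FTP as well; here it stays in "other" because no control-channel reply announced it.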
