Hi Erwan,

I think that a possible approach to your problem is tracking connections using
a pf_ring filter that matches on "dst address and port" of your ftp server.
So when such a connection is found you can add a new/dynamic rule that
specifies, as endpoints, your server address with the assigned data port and
the client address with his port.

regards

-vp
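
The tracking approach suggested above, as an added example that is not part of the original message and is not ntop or PF_RING code: it reads server replies on the FTP control connection, takes the data port from the 227 (PASV) or 229 (EPSV) reply, and records a one-use rule for the expected data connection. The class and function names are hypothetical; these replies do not announce the client's source port for the data connection, so the rule matches on client address, server address and server data port, and installing it as a PF_RING filter is left out.

```python
import re

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
# RFC 2428 reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def data_endpoint(reply_line, server_ip):
    """Return the (ip, port) announced for the data connection, or None."""
    m = PASV_RE.match(reply_line)
    if m:
        octets = [int(x) for x in m.groups()]
        ip = ".".join(str(o) for o in octets[:4])
        port = octets[4] * 256 + octets[5]
        # Design choice of this example: ignore a reply that points at any
        # address other than the tracked server, so a reply cannot create a
        # rule for a third host.
        if max(octets) > 255 or ip != server_ip or port == 0:
            return None
        return ip, port
    m = EPSV_RE.match(reply_line)
    if m and 0 < int(m.group(1)) < 65536:
        return server_ip, int(m.group(1))  # EPSV reuses the control address
    return None


class FtpTracker:
    """Watches control-channel lines and keeps the expected data flows."""

    def __init__(self, server_ip, control_port=21):
        self.server = (server_ip, control_port)
        self.expected = set()  # {(client_ip, server_ip, server_data_port)}

    def on_control_line(self, src, dst, line):
        """src and dst are (ip, port) of the segment that carried `line`."""
        ep = data_endpoint(line, self.server[0]) if src == self.server else None
        if ep is None:
            return None
        rule = (dst[0], ep[0], ep[1])
        self.expected.add(rule)
        return rule

    def classify(self, src_ip, dst_ip, dst_port):
        """Label a new TCP connection; a matching rule is used only once."""
        rule = (src_ip, dst_ip, dst_port)
        if rule in self.expected:
            self.expected.discard(rule)
            return "ftp-data"
        return "other"
```
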

----- Original message -----
From: "Erwan Loaëc" <[email protected]>
To: [email protected]
Sent: Thursday, 27 May 2010 14:15:20
Subject: Re: [Ntop] Unable to catch FTP passive trafic

Well... Actually it works on our production applications that use FTP 
(passive mode). The problem is only visible when I've used Filezilla 
Client for testing ntop...

That's strange. One day if I have time I will check where the difference 
can be.

Thanks!

--
Erwan


Gary Gatten wrote:
> Apps that use dynamically negotiated ports such as ftp (active or passive), 
> RPC, etc are difficult to account for - and IIRC nTop does not do it - it's 
> "other" as you noticed.
> 
> There's one option (I know of), a flag/arg to tell nTop that all traffic gt 
> 1023 is ftp traffic.  This may or may not work for you depending on your 
> environment.  Check the man page for this info.  If the ftp hosts are static, 
> you may be able to define a "flow" - I *think* ntop still supports those.  
> Generally they don't have much use but in your case perhaps they would help.
> 
> HTH
> 
> G
>   
> 
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] <[email protected]>
> Sent: Wed May 26 05:24:02 2010
> Subject: [Ntop] Unable to catch FTP passive trafic
> 
> Hello,
> 
> I've a linux server that runs as a network bridge between firewall and LAN, 
> I can capture all I/O from WAN and LAN.
> 
> I want to get statistics for FTP traffic. Only passive mode is used. On 
> the section "Global TCP/UDP Protocol Distribution" only FTP on port 21 
> is recognized as FTP protocol. The data is referenced as "Other 
> TCP/UDP-based Protocols".
> 
> I use ntop-3.4-pre3 and libpcap 0.9.8-5 on debian lenny. I've launched 
> ntop with only protocol "FTP=ftp|ftp-data" (I've tested with default 
> values too).
> 
> Ntop is running with "ntop" user and ip_conntrack_ftp module is loaded 
> correctly.
> 
> Does anyone have an idea why FTP passive data is not recognized as FTP 
> traffic by ntop?
> 
> Thanks!
> 
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop