Looks good. Do you have netflow enabled on at least two interfaces on your router? Or if the IOS is new enough you can enable flow exports with "ingress" and "egress" keywords on the same interface. I'm thinking maybe your ntop isn't receiving flow records with remote addresses?

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Thu Aug 05 09:36:16 2010
Subject: Re: [Ntop] Ntop 4.0 local vs remote networks in netflow plug-in

a.a.a.0/255.255.255.0 is assigned as netflow interface
Ntop launched with -m a.a.a.0/24,b.b.b.0/24

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Gary Gatten
Sent: Thursday, August 05, 2010 17:05
To: '[email protected]'
Subject: Re: [Ntop] Ntop 4.0 local vs remote networks in netflow plug-in

What address did you assign to the netflow virtual interface?

----- Original Message -----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Thu Aug 05 03:39:53 2010
Subject: [Ntop] Ntop 4.0 local vs remote networks in netflow plug-in

Hello all,

We catch statistics thru netflow from our border gateway, but I don't understand how the ntop\netflow plug-in distinguishes local from remote networks. Even if I specify local networks in the -m switch, all networks are considered as local.

I enabled ADDRESS_DEBUG in global_defines.h and the log shows (I masqueraded our networks to a.a.a.0 and b.b.b.0):

Aug 5 08:10:50 dc7800-img ntop[5108]: Address: 59.190.167.225
Aug 5 08:10:50 dc7800-img ntop[5108]: Network: a.a.a.0
Aug 5 08:10:50 dc7800-img ntop[5108]: NetMask: 255.255.255.0
Aug 5 08:10:50 dc7800-img ntop[5108]: DEBUG: 59.190.167.225 comparing [b.b.b.0/255.255.255.0]
Aug 5 08:10:50 dc7800-img ntop[5108]: **WARNING** ADDRESS_DEBUG: 59.190.167.225 is NOT pseudolocal
Aug 5 08:10:50 dc7800-img ntop[5108]: DEBUG: 59.190.167.225 comparing [a.a.a.0/255.255.255.0]
Aug 5 08:10:50 dc7800-img ntop[5108]: **WARNING** ADDRESS_DEBUG: 59.190.167.225 is NOT pseudolocal
Aug 5 08:10:50 dc7800-img ntop[5108]: **WARNING** ADDRESS_DEBUG: 59.190.167.225 [deviceId=1] is remote

At the same time, http://dc7800-img:3000/59.190.167.225.html? reports that the host is local:

...
Host Location    Local (inside specified/local subnet or known network list)
...

As a result I can't get the correct reports re L->R, L->L traffic. All hosts are local.

At the same time, if I specify -g (--track-local-hosts), all remote networks are gone and I see hosts in networks specified in -m only. But actually it is not what I want, since the purpose is to have traffic reports between local and remote networks...

Am I doing something wrong?

Regards,
Nickolai

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
