Michael,

First make sure you are on the latest version of Ntop - I didn't
experience it myself but there was a report back in March of HTTPS traffic
being classified as mail_POP. Looks like you're fairly current, but I'm
not sure when that crept up or when exactly it was fixed.

Otherwise, you should have all the tools you need to figure out what's
generating this traffic. I would start by just going under Summary >
Traffic and clicking on the service in question to see who's been using
it. There are other places in the interface where you can get at this
information or you could also do a TCPDUMP and grep for the POP ports (110
and also 995 for secure POP I believe).

Chris

____________________________________
Chris Moore
Senior Network Engineer
Front Porch Digital, Inc

On 8/13/12 5:35 AM, "Michael Stummvoll" <[email protected]> wrote:

>Hi there ntop folks,
>
>the most throughput according to my ntop-webadmin comes via Mail_POP.
>
>That's a bit confusing for me, because I don't have a pop3 server (smtp
>and imap only). Also there isn't anything listening on tcp port 110 nor
>995.
>
>So there must be some other traffic, which is handled as Mail_POP by
>ntop. How can I figure out which traffic this is?
>
>I am using ntop from the debian repository.
>Fingerprint on the websites is:
>"(Generated by ntop v.4.99.3 (64 bit) [x86_64-2.6.37-2-amd64-linux-gnu])"
>
>Kind Regards,
>Michael

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
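
Added example (not part of the original thread): a shell helper for the tcpdump suggestion in the reply above, totalling traffic per peer on the POP ports 110 and 995 from `tcpdump -nn -q` text output. The function names, the interface `eth0` and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: tally who is talking on the POP ports (110, 995).
# Input: text lines as printed by `tcpdump -nn -q`, e.g.
#   12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.5.995: tcp 517
# Output: "<payload bytes> <packets> <peer> <pop-side host>:<port>", largest first.
pop_talkers() {
    awk '
    {
        # Locate the ">" separating source and destination.
        gt = 0
        for (i = 2; i < NF; i++) if ($i == ">") { gt = i; break }
        if (gt == 0) next
        src = $(gt - 1); dst = $(gt + 1); sub(/:$/, "", dst)
        # tcpdump appends the port after the last dot (IPv4 and IPv6).
        sport = src; sub(/.*\./, "", sport)
        dport = dst; sub(/.*\./, "", dport)
        shost = src; sub(/\.[^.]*$/, "", shost)
        dhost = dst; sub(/\.[^.]*$/, "", dhost)
        # Key both directions of a conversation on the side using the POP port.
        if (dport == "110" || dport == "995")      key = shost " " dhost ":" dport
        else if (sport == "110" || sport == "995") key = dhost " " shost ":" sport
        else next
        n = ($NF ~ /^[0-9]+$/) ? $NF : 0   # -q prints the TCP payload length last
        bytes[key] += n; pkts[key]++
    }
    END { for (k in bytes) printf "%d %d %s\n", bytes[k], pkts[k], k }
    ' | sort -k1,1nr -k3
}

# Constructed sample capture (documentation addresses), not real traffic.
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.5.995: tcp 517
12:00:01.020000 IP 198.51.100.5.995 > 192.0.2.10.51234: tcp 1448
12:00:01.020100 IP 198.51.100.5.995 > 192.0.2.10.51234: tcp 1448
12:00:02.000000 IP 192.0.2.10.40000 > 203.0.113.7.443: tcp 300
12:00:03.000000 IP 192.0.2.22.50111 > 192.0.2.10.110: tcp 0
EOF
}

# Live use (needs root; the interface name is an assumption):
#   tcpdump -nn -q -c 5000 -i eth0 'tcp port 110 or tcp port 995' | pop_talkers
sample_capture | pop_talkers
```

If the live capture comes back empty while ntop still reports Mail_POP, the traffic is not on those ports and the per-host view under Summary > Traffic is the place to look.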
