Thanks for the help! This is now working as expected.
I had to remove the quotes around the filter in the config file.
-B=ip and not multicast and not (src net 10.100.253.0/24 and dst
net 10.100.253.0/24)
09/Jan/2014 08:22:06 [PcapInterface.cpp:142] Packet capture filter set
to "ip and not multicast and not (src net 10.100.253.0/24 and dst net
10.100.253.0/24)"
Thanks again!
Joe
On Thu, Jan 9, 2014 at 1:57 AM, Filippo Fontanelli <[email protected]> wrote:
> Joe,
>
> The problem is in the configuration file and not in ntopng.
>
> Remember that the configuration file is similar to the command line, with
> the exception that an equal sign '=' must be used between key and value.
> Example: -i=p1 or --interface=p1.
>
> Please try with the following configuration:
>
> -U=ntop
> -i=eth0
> --daemon
> -w=3000
> --data-dir=/etc/ntopng/data
> --httpdocs-dir=/usr/local/share/ntopng/httpdocs
> --scripts-dir=/usr/local/share/ntopng/scripts
> --callbacks-dir=/usr/local/share/ntopng/scripts/callbacks
> --redis=localhost:6379
> -G=/var/run/ntopng/ntopng.pid
> -m="10.100.253.0/24"
> -B="ip and not multicast and not (src net 10.100.253.0/24 and dst net
> 10.100.253.0/24)"
>
> You can check the ntopng fields by reading the ntopng trace as follows:
>
> ./ntopng ntopng.conf
> 09/Jan/2014 08:42:59 [Ntop.cpp:468] Setting local networks to 192.168.1.0/24
> 09/Jan/2014 08:42:59 [PcapInterface.cpp:54] Reading packets from interface
> en1...
> 09/Jan/2014 08:42:59 [PcapInterface.cpp:142] Packet capture filter set to
> "ip and not multicast and not (src net 192.168.1.0/24 and dst net
> 192.168.1.0/24)"
>
> Best regards,
> Filippo
>
> On 09 Jan 2014, at 01:14, Joe Rizzo <[email protected]> wrote:
>
> I compiled ntopng version 1.1.1 (r7155) and the issue persists.
>
> Is this an artifact of being on 32bit linux?
>
> Thanks,
> Joe
>
> On Wed, Jan 8, 2014 at 2:47 PM, Filippo Fontanelli <[email protected]>
> wrote:
>
> Joe,
>
> We fixed the issue, try using the latest ntopng code in SVN.
>
> Best regards,
> Filippo
>
> On 08 Jan 2014, at 16:15, Joe Rizzo <[email protected]> wrote:
>
> Thanks for the response.
>
> I just compiled version v.1.1.1 (r7153). I believe I am using pcap.
> I installed by svn checkout, configure, make, make install.
> The OS is Ubuntu 12.04.3 LTS x86 (32bit).
>
> Here is my config file:
> # egrep -v '^#|^$' /etc/ntopng/ntopng.conf
> -U ntop
> --daemon
> -w 3000
> --data-dir /etc/ntopng/data
> --httpdocs-dir /usr/local/share/ntopng/httpdocs
> --scripts-dir /usr/local/share/ntopng/scripts
> --callbacks-dir /usr/local/share/ntopng/scripts/callbacks
> --redis localhost:6379
> -i eth0
> -G=/var/run/ntopng/ntopng.pid
> -m "10.100.253.0/24"
> -B "ip and not multicast and not (src net 10.100.253.0/24 and dst net
> 10.100.253.0/24)"
>
> Despite specifying the filter, I see traffic between hosts on network
> 10.100.253.0/24 and multicast in the ntopng web interface.
>
> The goal is to only have ntopng report on external connections.
>
> Thanks,
> Joe
>
> On Wed, Jan 8, 2014 at 5:30 AM, Filippo Fontanelli <[email protected]>
> wrote:
>
> Joe
>
> I tested your BPF filter and it works as expected for me using the latest
> ntopng code in SVN.
>
> Please check your ntopng backend, are you using pf_ring or pcap?
>
> Can you provide more information about your issue?
>
> Best regards,
> Filippo
>
> On 07 Jan 2014, at 20:39, Joe Rizzo <[email protected]> wrote:
>
> Hi -
> I am running ntopng (i686 v.1.1.1 (r7147)). I want to apply the
> following filter however it has no effect on ntopng reporting.
>
> -B "ip and not multicast and not (src net 10.100.253.0/24 and dst
> net 10.100.253.0/24)"
>
> This filter works as expected with tcpdump.
>
> What am I missing?
>
> Thanks,
> Joe
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
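Added example, not part of the original thread and not ntopng code: a small linter for the two configuration-file points raised above, namely that key and value must be joined by '=' and that the capture filter had to be written without surrounding quotes. The function name, the sample text and the choice to flag quotes on every value (the thread only confirms it for -B) are assumptions made for illustration.

```python
import re

# Straight and typographic quote characters that may surround a value.
QUOTES = "\"'\u201c\u201d\u2018\u2019"
OPTION = re.compile(r"^(--?[A-Za-z][\w-]*)(?:(=|\s+)(.*))?$")

def lint_ntopng_conf(text):
    """Return (fixed_lines, findings) for an ntopng-style configuration file.

    Rules come from the thread only: key and value are joined by '=',
    and the value is written without surrounding quotes.
    """
    fixed, findings = [], []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            fixed.append(raw)                 # keep blanks and comments
            continue
        m = OPTION.match(line)
        if not m:
            findings.append((num, "not an option line"))
            fixed.append(raw)
            continue
        key, sep, value = m.group(1), m.group(2), m.group(3)
        if sep is None:                       # bare flag such as --daemon
            fixed.append(key)
            continue
        if sep != "=":
            findings.append((num, f"{key}: use '=' between key and value"))
        value = value.strip()
        stripped = value.strip(QUOTES)
        if stripped != value:
            findings.append((num, f"{key}: remove quotes around the value"))
        fixed.append(f"{key}={stripped}")
    return fixed, findings

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE = """\
-i eth0
--daemon
-G=/var/run/ntopng/ntopng.pid
-m="10.100.253.0/24"
-B="ip and not multicast and not (src net 10.100.253.0/24 and dst net 10.100.253.0/24)\u201d
"""

if __name__ == "__main__":
    fixed, findings = lint_ntopng_conf(SAMPLE)
    for num, msg in findings:
        print(f"line {num}: {msg}")
    print("\n".join(fixed))
```

After applying the corrected lines, the "Packet capture filter set to" trace line shown in the thread is the place to confirm which filter ntopng actually installed.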