Gerhard, both.

Even if I put the filter in a conf file it works:

deri@centos6 203> cat /tmp/test.conf
-i=eth0
--packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff
and not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.109"
--community=

deri@centos6 204> sudo /usr/local/bin/ntopng /tmp/test.conf
13/Jan/2017 21:00:00 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8
13/Jan/2017 21:00:00 [Redis.cpp:92] Successfully connected to redis
127.0.0.1:6379@0
13/Jan/2017 21:00:01 [PcapInterface.cpp:85] Reading packets from interface
eth0...
13/Jan/2017 21:00:01 [PcapInterface.cpp:254] Packet capture filter on eth0
set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not
net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.109"




On Thu, Jan 12, 2017 at 2:08 PM, Gerhard Mourani <gmour...@prival.ca> wrote:

> Simone,
>
> Did you run ntopng with the filter directly from the command line or via
> the configuration file? I think the problem happens when the filter is in
> the configuration file and you run ntopng to read it in this file.
>
> Gerhard,
>
>
> On Jan 11, 2017, at 5:13 PM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard,
>
> I've just tried to reproduce on centos6. The filter is working properly. I
> also tried to exclude the ntopng host and it works. So the only additional
> suggestion I have is to try and update ntopng to the latest stable.
>
> Regards
>
> On Tue, Jan 10, 2017 at 10:23 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
>
>> > The point here is that the filter doesn't contain any clause that
>> matches host 10.0.0.39 ...
>> Because, I've changed 10.0.0.39 for 192.168.2.227 for the test.
>>
>> Here the one in prod with 10.0.0.39:
>>
>> [root@ntpprod ~]# /usr/bin/ntopng -i eth3 --packet-filter="ip and not
>> proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8
>> or 239.0.0.0/8) and not host 10.0.0.39"
>> 10/Jan/2017 16:22:02 [Ntop.cpp:1121] Setting local networks to
>> 127.0.0.0/8
>> 10/Jan/2017 16:22:02 [Redis.cpp:92] Successfully connected to redis
>> 127.0.0.1:6379@0
>> 10/Jan/2017 16:22:02 [PcapInterface.cpp:85] Reading packets from
>> interface eth3...
>> 10/Jan/2017 16:22:02 [PcapInterface.cpp:254] Packet capture filter on
>> eth3 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"
>> 10/Jan/2017 16:22:02 [Ntop.cpp:1267] Registered interface eth3 [id: 2]
>> 10/Jan/2017 16:22:02 [Ntop.cpp:1279] Registered interface view eth3 [id:
>> 2]
>> 10/Jan/2017 16:22:02 [main.cpp:255] PID stored in file /var/run/ntopng.pid
>> 10/Jan/2017 16:22:02 [Utils.cpp:341] User changed to nobody
>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:466] Please read
>> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
>> enable SSL.
>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:509] Web server dirs
>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:512] HTTP server listening on port
>> 3000
>> 10/Jan/2017 16:22:02 [main.cpp:295] Working directory: /var/tmp/ntopng
>> 10/Jan/2017 16:22:02 [main.cpp:297] Scripts/HTML pages directory:
>> /usr/share/ntopng
>> 10/Jan/2017 16:22:02 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161013
>> - (C) 1998-2016 ntop.org
>> 10/Jan/2017 16:22:02 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>> 10/Jan/2017 16:22:02 [PeriodicActivities.cpp:53] Started periodic
>> activities loop...
>> 10/Jan/2017 16:22:02 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>> 10/Jan/2017 16:22:02 [Ntop.cpp:531] Adding 169.254.0.0/16 as IPv4 local
>> network for eth3
>> 10/Jan/2017 16:22:02 [Ntop.cpp:561] Adding fe80::250:56ff:fe90:7661/64 as
>> IPv6 local network for eth3
>> 10/Jan/2017 16:22:02 [NetworkInterface.cpp:1538] Started packet polling
>> on interface eth3 [id: 2]...
>>
>> Gerhard,
>>
>> On Jan 10, 2017, at 4:17 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>
>> Gerhard,
>>
>>
>> On Tue, Jan 10, 2017 at 10:13 PM, Gerhard Mourani <gmour...@prival.ca>
>> wrote:
>>
>>> Simone,
>>>
>>> Here when launched from command line:
>>>
>>> [root@ntptest plugins]# /usr/bin/ntopng -i eth0 --packet-filter="ip and
>>> not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (
>>> 224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
>>>
>>
>> OK, so the filter is properly parsed. I went back through this thread and
>> found that you complained that
>>
>> > "The issue is that even if 10.0.0.39 is filtered to be excluded, it
>> appears in the view of top hosts.,"
>>
>> The point here is that the filter doesn't contain any clause that matches
>> host 10.0.0.39 ...
>>
>>
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1121] Setting local networks to
>>> 127.0.0.0/8
>>> 10/Jan/2017 16:10:46 [Redis.cpp:92] Successfully connected to redis
>>> 127.0.0.1:6379@0
>>> 10/Jan/2017 16:10:46 [PcapInterface.cpp:85] Reading packets from
>>> interface eth0...
>>> 10/Jan/2017 16:10:46 [PcapInterface.cpp:254] Packet capture filter on
>>> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1279] Registered interface view eth0 [id:
>>> 0]
>>> 10/Jan/2017 16:10:46 [main.cpp:255] PID stored in file
>>> /var/run/ntopng.pid
>>> 10/Jan/2017 16:10:46 [Utils.cpp:341] User changed to nobody
>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:466] Please read
>>> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
>>> enable SSL.
>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:509] Web server dirs
>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:512] HTTP server listening on port
>>> 3000
>>> 10/Jan/2017 16:10:46 [main.cpp:295] Working directory: /var/tmp/ntopng
>>> 10/Jan/2017 16:10:46 [main.cpp:297] Scripts/HTML pages directory:
>>> /usr/share/ntopng
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:271] Welcome to ntopng x86_64
>>> v.2.4.161019 - (C) 1998-2016 ntop.org
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>> 10/Jan/2017 16:10:46 [PeriodicActivities.cpp:53] Started periodic
>>> activities loop...
>>> 10/Jan/2017 16:10:46 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4 local
>>> network for eth0
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64
>>> as IPv6 local network for eth0
>>> 10/Jan/2017 16:10:46 [NetworkInterface.cpp:1538] Started packet polling
>>> on interface eth0 [id: 0]...
>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1058] Invalid packet received
>>> [len: 1804][MTU: 1518].
>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1059] WARNING: If you have
>>> TSO/GRO enabled, please disable it
>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1061] WARNING: Use: sudo
>>> ethtool -K eth0 gro off gso off tso off
>>>
>>> Seems that the filter passed, but I can still see IP 192.168.2.227 on my
>>> list!
>>>
>>> Gerhard,
>>>
>>>
>>> On Jan 10, 2017, at 4:04 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard,
>>>
>>> From the logs I can't see anything that confirms ntopng has read/parsed
>>> the bpf filter specified. It looks like the filter is ignored. I am not
>>> sure those logs contain the full output, though.
>>>
>>> Can you please run ntopng in foreground and paste the output? Simply
>>> call /usr/local/bin/ntopng /etc/ntopng/ntopng.conf
>>>
>>> Regards,
>>> Simone
>>>
>>> On Mon, Jan 9, 2017 at 8:46 PM, Gerhard Mourani <gmour...@prival.ca> wrote:
>>> Configuration:
>>> --interface tcp://127.0.0.1:5556
>>> --packet-filter "ip and not proto ipv6 and not ether host
>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
>>> 10.0.0.39"
>>> --local-networks 10.0.0.0/24,192.168.2.0/24
>>> --daemon
>>> --user ntopng
>>> --pid /var/run/ntopng/ntopng.pid
>>> --http-port 0
>>> --https-port 3001
>>> --data-dir /var/lib/nst/ntopng
>>> --dns-mode 1
>>> --disable-autologout
>>> --disable-login 0
>>> --sticky-hosts none
>>> --http-prefix /ntopng
>>> --ndpi-protocols /etc/ntopng/protos.txt
>>>
>>> Log file:
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1121] Setting local networks to
>>> 10.0.0.0/24,192.168.2.0/24
>>> 09/Jan/2017 14:43:49 [Redis.cpp:92] Successfully connected to redis
>>> 127.0.0.1:6379@0
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1095] Parent process is exiting (this is
>>> normal)
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1267] Registered interface tcp://
>>> 127.0.0.1:5556 [id: 1]
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1279] Registered interface view tcp://
>>> 127.0.0.1:5556 [id: 1]
>>> 09/Jan/2017 14:43:49 [main.cpp:255] PID stored in file
>>> /var/run/ntopng/ntopng.pid
>>> 09/Jan/2017 14:43:49 [Utils.cpp:341] User changed to ntopng
>>> 09/Jan/2017 14:43:49 [HTTPserver.cpp:509] Web server dirs
>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>> 09/Jan/2017 14:43:49 [HTTPserver.cpp:515] HTTPS server listening on port
>>> 3001
>>> 09/Jan/2017 14:43:49 [main.cpp:295] Working directory:
>>> /var/lib/nst/ntopng
>>> 09/Jan/2017 14:43:49 [main.cpp:297] Scripts/HTML pages directory:
>>> /usr/share/ntopng
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:271] Welcome to ntopng x86_64
>>> v.2.4.161013 - (C) 1998-2016 ntop.org
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>> 09/Jan/2017 14:43:49 [PeriodicActivities.cpp:53] Started periodic
>>> activities loop...
>>> 09/Jan/2017 14:43:49 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>> 09/Jan/2017 14:43:49 [NetworkInterface.cpp:1538] Started packet polling
>>> on interface tcp://127.0.0.1:5556 [id: 1]...
>>> 09/Jan/2017 14:43:50 [CollectorInterface.cpp:104] Collecting flows
>>> on tcp://127.0.0.1:5556 [ntopng->nprobe]
>>>
>>> Gerhard,
>>>
>>> On Jan 9, 2017, at 11:26 AM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard, please attach the configuration used and the full ntopng
>>> console output (or log file).
>>>
>>> On Mon, Jan 9, 2017 at 2:24 PM, Gerhard Mourani <gmour...@prival.ca> wrote:
>>> Simone,
>>>
>>> The issue is that even if 10.0.0.39 is filtered to be excluded, it
>>> appears in the view of top hosts. Also, the IP 0.0.0.0 appears and I don't
>>> have any idea about what it is?
>>>
>>>
>>>
>>> GERHARD MOURANI | Spécialiste Telecom – Concepteur Logiciel
>>> 450 761-9973 p634 | gmour...@prival.ca
>>> 9935, rue de Châteauneuf, bureau 120, Brossard, Québec, J4Z 3V4
>>> Québec 418 907-8356  | Ottawa 613 689-1539 | Toronto 416 645-5626
>>> facebook.com/Prival-230867980323343
>>> linkedin.com/company/prival
>>>
>>>
>>>
>>> On Jan 8, 2017, at 5:36 AM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard,
>>>
>>> The filter is correct and properly parsed by ntopng. So what is the
>>> issue you are experiencing?
>>>
>>> Simone
>>>
>>> On Thu, Jan 5, 2017 at 7:58 PM, Gerhard Mourani <gmour...@prival.ca> wrote:
>>> This doesn't work for me, I'm using the following parameters to exclude
>>> 10.0.0.39 which is my ntopng server IP:
>>> --packet-filter "ip and not proto ipv6 and not ether host
>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
>>> 10.0.0.39"
>>>
>>> Gerhard,
>>>
>>> On Jan 5, 2017, at 12:09 PM, brett.sti...@cargocarriers.co.zw wrote:
>>>
>>> Thank you Simone.
>>>
>>> I will try that tomorrow morning.
>>>
>>> Much appreciated.
>>>
>>>
>>>
>>> On January 5, 2017 6:40:25 PM GMT+02:00, Simone Mainardi <
>>> maina...@ntop.org> wrote:
>>>
>>> Brett, the filter is not complete. If you want to exclude 10.0.50.246
>>> set:
>>>
>>> --packet-filter="not host 10.0.50.246"
>>>
>>> If you look at the ntopng output you will see if the filter is parsed
>>> correctly.
>>>
>>>
>>>
>>>
>>> On Thu, Jan 5, 2017 at 4:05 PM, Brett Stiell (CCIH) <
>>> brett.sti...@cargocarriers.co.zw> wrote:
>>>
>>> Hi there.
>>>
>>>
>>>
>>> Thanks for getting back to me
>>>
>>>
>>>
>>> This is the contents of my ntopng.start file:-
>>>
>>>
>>>
>>> -G=/var/run/ntopng.pid
>>>
>>> --daemon=
>>>
>>> --local-networks="10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
>>>
>>> --packet-filter 10.0.50.246
>>>
>>> -m "10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
>>>
>>> --track-local-hosts
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Brett
>>>
>>>
>>>
>>> *From:* Simone Mainardi [mailto:maina...@ntop.org]
>>> *Sent:* Thursday, January 05, 2017 3:26 PM
>>> *To:* n...@unipi.it
>>> *Cc:* ntop mailing list
>>> *Subject:* Re: [Ntop] Excluding hosts or a subnet from being monitored
>>>
>>>
>>>
>>>
>>> Hi,
>>>
>>>
>>>
>>> --packet-filter is the proper way to do that. Can you please report the
>>> exact filter you specified? Also check (and paste) ntopng output. ntopng
>>> prints a confirmation message if it has successfully parsed the filter.
>>>
>>>
>>>
>>>
>>> Regards
>>>
>>> Simone
>>>
>>>
>>>
>>> On Thu, Jan 5, 2017 at 11:14 AM, Brett Stiell (CCIH) <
>>> brett.sti...@cargocarriers.co.zw> wrote:
>>>
>>> Hi.
>>>
>>>
>>>
>>> Is there any way to exclude a subnet or a range of hosts from being
>>> monitored and appearing on the dashboard etc.?
>>>
>>>
>>>
>>> Our servers are in a specific IP range and I am not interested in
>>> receiving their usage data.
>>>
>>>
>>>
>>> I tried -B and --packet-filter and “not” but they don’t seem to work.
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>> _______________________________________________
>>> Ntop mailing list
>>> Ntop@listgateway.unipi.it
>>> http://listgateway.unipi.it/mailman/listinfo/ntop
>>>
>>>
>>>
>>>
>>> --
>>> Sent from my Android device with Email Mail. Please excuse my
>>> brevity.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
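
The check the thread performs by eye (is there a "Packet capture filter on ... set to" confirmation for the interface, and does that filter contain a clause for the host meant to be excluded) can be scripted. The following is an added example, not part of the original messages or of ntopng; the function names are hypothetical, the sample log is constructed in the format shown above, and the clause test is a plain text match for the "not host X" / "not host (X)" spellings used in this thread, not a BPF parser.

```python
import re

TS = re.compile(r"^\d{2}/[A-Z][a-z]{2}/\d{4} \d{2}:\d{2}:\d{2} ")
FILTER = re.compile(r'Packet capture filter on (\S+) set to "([^"]*)"')
IFACE = re.compile(r"Registered interface (\S+) \[id: \d+\]")

def unwrap(log_text):
    """Rejoin log entries that a mail client wrapped or prefixed with '>'."""
    entries = []
    for raw in log_text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if not line:
            continue
        if TS.match(line) or not entries:
            entries.append(line)          # a timestamp starts a new entry
        else:
            entries[-1] += " " + line     # continuation of a wrapped entry
    return entries

def audit(log_text, excluded_host):
    """Map each registered interface to 'ok', 'host-not-in-filter' or
    'no-filter-confirmed' with respect to excluded_host."""
    entries = unwrap(log_text)
    filters = dict(m.groups() for m in map(FILTER.search, entries) if m)
    clause = re.compile(r"\bnot host \(?\s*" + re.escape(excluded_host) + r"\b")
    report = {}
    for m in filter(None, map(IFACE.search, entries)):
        iface = m.group(1)
        if iface not in filters:
            report[iface] = "no-filter-confirmed"
        elif clause.search(filters[iface]):
            report[iface] = "ok"
        else:
            report[iface] = "host-not-in-filter"
    return report

# Constructed sample: one interface with a confirmed filter, one without.
SAMPLE = """\
10/Jan/2017 16:22:02 [PcapInterface.cpp:254] Packet capture filter on
eth3 set to "ip and not proto ipv6 and not net (224.0.0.0/8 or
239.0.0.0/8) and not host (192.168.2.227)"
10/Jan/2017 16:22:02 [Ntop.cpp:1267] Registered interface eth3 [id: 2]
10/Jan/2017 16:22:02 [Ntop.cpp:1279] Registered interface view eth3 [id: 2]
10/Jan/2017 16:22:03 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556 [id: 1]
"""

if __name__ == "__main__":
    for host in ("10.0.0.39", "192.168.2.227"):
        print(host, audit(SAMPLE, host))
```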