Gerhard,

On Fri, Jan 13, 2017 at 9:25 PM, Gerhard Mourani <gmour...@prival.ca> wrote:
> Simone,
>
> I found the problem: If you don't use the = sign on the filter parameter
> line, it doesn't see it.
>
> Doesn't work -> --packet-filter "ip and not proto ipv6 and not ether host
> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
> 192.168.2.227"
>
> Work -> --packet-filter="ip and not proto ipv6 and not ether host
> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
> 192.168.2.227"

That is true, I have made a fix. The point is that when the filter is not seen, *ntopng doesn't say anything from the command line*. Nevertheless, in all your emails, you were sending us logs with ntopng showing "Packet capture filter set on ..." so it was not possible to figure out the cause of the issue. I don't know which logs you were sending but for sure they were not consistent with the claimed behavior. Next time please make sure to post logs that are actually representative.

> Also, if I've eth0 and tcp://127.0.0.1:5556 as my NIC,

BPF is not supported for collector interfaces. If you want to use it then specify it on the nProbe.

> it doesn't work, here the output:
>
> /usr/bin/ntopng /etc/ntopng/ntopng.conf
> 13/Jan/2017 15:20:15 [Prefs.cpp:715] Localhost HTTP user login disabled
> 13/Jan/2017 15:20:15 [Ntop.cpp:1121] Setting local networks to
> 192.168.2.0/24
> 13/Jan/2017 15:20:15 [Redis.cpp:92] Successfully connected to redis
> 127.0.0.1:6379@0
> [NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it
> with new value
> [NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it
> with new value
> 13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from interface
> eth0...
> 13/Jan/2017 15:20:15 [PcapInterface.cpp:254] *Packet capture filter on
> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.227"*
> 13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
> [NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it
> with new value
> [NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it
> with new value
> 13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] *ERROR: No filter can
> be set on a collector interface. Ignored ip and not proto ipv6 and not
> ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8
> or 239.0.0.0/8) and not host 192.168.2.227*
> 13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://
> 127.0.0.1:5556 [id: 1]
> 13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
> 13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view tcp://
> 127.0.0.1:5556 [id: 1]
> 13/Jan/2017 15:20:15 [main.cpp:255] PID stored in file
> /var/run/ntopng/ntopng.pid
> 13/Jan/2017 15:20:15 [Utils.cpp:341] User changed to ntopng
> 13/Jan/2017 15:20:15 [HTTPserver.cpp:509] Web server dirs
> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
> 13/Jan/2017 15:20:15 [HTTPserver.cpp:515] HTTPS server listening on port
> 3001
> 13/Jan/2017 15:20:15 [main.cpp:295] Working directory: /var/lib/nst/ntopng
> 13/Jan/2017 15:20:15 [main.cpp:297] Scripts/HTML pages directory:
> /usr/share/ntopng
> 13/Jan/2017 15:20:15 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161019
> - (C) 1998-2016 ntop.org
> 13/Jan/2017 15:20:15 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
> 13/Jan/2017 15:20:15 [PeriodicActivities.cpp:53] Started periodic
> activities loop...
> 13/Jan/2017 15:20:15 [RuntimePrefs.cpp:34] Dumping alerts into syslog
> 13/Jan/2017 15:20:15 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4 local
> network for eth0
> 13/Jan/2017 15:20:15 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64 as
> IPv6 local network for eth0
> 13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling on
> interface eth0 [id: 0]...
> 13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling on
> interface tcp://127.0.0.1:5556 [id: 1]...
> 13/Jan/2017 15:20:15 [CollectorInterface.cpp:104] Collecting flows on
> tcp://127.0.0.1:5556 [ntopng->nprobe]
> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1058] Invalid packet received
> [len: 2934][MTU: 1518].
> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1059] WARNING: If you have
> TSO/GRO enabled, please disable it
> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1061] WARNING: Use: sudo
> ethtool -K eth0 gro off gso off tso off
> 13/Jan/2017 15:21:05 [main.cpp:37] Shutting down...
> 13/Jan/2017 15:21:05 [Redis.cpp:60] Redis has disconnected: reconnecting...
> Killed
>
> Gerhard,
>
> On Jan 13, 2017, at 3:00 PM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard, both.
>
> Even if I put the filter in a conf file it works:
>
> deri@centos6 203> cat /tmp/test.conf
> -i=eth0
> --packet-filter="ip and not proto ipv6 and not ether host
> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
> 192.168.2.109"
> --community=
>
> deri@centos6 204> sudo /usr/local/bin/ntopng /tmp/test.conf
> 13/Jan/2017 21:00:00 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8
> 13/Jan/2017 21:00:00 [Redis.cpp:92] Successfully connected to redis
> 127.0.0.1:6379@0
> 13/Jan/2017 21:00:01 [PcapInterface.cpp:85] Reading packets from interface
> eth0...
> 13/Jan/2017 21:00:01 [PcapInterface.cpp:254] Packet capture filter on eth0
> set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not
> net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.109"
>
> On Thu, Jan 12, 2017 at 2:08 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
> Simone,
>
> Did you run ntopng with the filter directly from the command line or via
> the configuration file? I think the problem happens when the filter is in
> the configuration file and you run ntopng to read it in this file.
>
> Gerhard,
>
> On Jan 11, 2017, at 5:13 PM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard,
>
> I've just tried to reproduce on centos6. The filter is working properly. I
> also tried to exclude the ntopng host and it works. So the only
> additional suggestion I have is to try and update ntopng to the latest
> stable.
>
> Regards
>
> On Tue, Jan 10, 2017 at 10:23 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
>
> The point here is that the filter doesn't contain any clause that
> matches host 10.0.0.39 ...
> Because, I've changed 10.0.0.39 for 192.168.2.227 for the test.
>
> Here the one in prod with 10.0.0.39:
>
> [root@ntpprod ~]# /usr/bin/ntopng -i eth3 --packet-filter="ip and not
> proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8
> or 239.0.0.0/8) and not host 10.0.0.39"
> 10/Jan/2017 16:22:02 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8
> 10/Jan/2017 16:22:02 [Redis.cpp:92] Successfully connected to redis
> 127.0.0.1:6379@0
> 10/Jan/2017 16:22:02 [PcapInterface.cpp:85] Reading packets from interface
> eth3...
> 10/Jan/2017 16:22:02 [PcapInterface.cpp:254] Packet capture filter on eth3
> set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"
> 10/Jan/2017 16:22:02 [Ntop.cpp:1267] Registered interface eth3 [id: 2]
> 10/Jan/2017 16:22:02 [Ntop.cpp:1279] Registered interface view eth3 [id: 2]
> 10/Jan/2017 16:22:02 [main.cpp:255] PID stored in file /var/run/ntopng.pid
> 10/Jan/2017 16:22:02 [Utils.cpp:341] User changed to nobody
> 10/Jan/2017 16:22:02 [HTTPserver.cpp:466] Please read
> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
> enable SSL.
> 10/Jan/2017 16:22:02 [HTTPserver.cpp:509] Web server dirs
> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
> 10/Jan/2017 16:22:02 [HTTPserver.cpp:512] HTTP server listening on port
> 3000
> 10/Jan/2017 16:22:02 [main.cpp:295] Working directory: /var/tmp/ntopng
> 10/Jan/2017 16:22:02 [main.cpp:297] Scripts/HTML pages directory:
> /usr/share/ntopng
> 10/Jan/2017 16:22:02 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161013
> - (C) 1998-2016 ntop.org
> 10/Jan/2017 16:22:02 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
> 10/Jan/2017 16:22:02 [PeriodicActivities.cpp:53] Started periodic
> activities loop...
> 10/Jan/2017 16:22:02 [RuntimePrefs.cpp:34] Dumping alerts into syslog
> 10/Jan/2017 16:22:02 [Ntop.cpp:531] Adding 169.254.0.0/16 as IPv4 local
> network for eth3
> 10/Jan/2017 16:22:02 [Ntop.cpp:561] Adding fe80::250:56ff:fe90:7661/64 as
> IPv6 local network for eth3
> 10/Jan/2017 16:22:02 [NetworkInterface.cpp:1538] Started packet polling on
> interface eth3 [id: 2]...
>
> Gerhard,
>
> On Jan 10, 2017, at 4:17 PM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard,
>
> On Tue, Jan 10, 2017 at 10:13 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
> Simone,
>
> Here when launched from command line:
>
> [root@ntptest plugins]# /usr/bin/ntopng -i eth0 --packet-filter="ip and
> not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (
> 224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
>
> OK, so the filter is properly parsed. I went back through this thread and
> found that you complained that
>
> "The issue is that even if 10.0.0.39 is filtered to be excluded, it
> appears in the view of top hosts.,"
>
> The point here is that the filter doesn't contain any clause that matches
> host 10.0.0.39 ...
>
> 10/Jan/2017 16:10:46 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8
> 10/Jan/2017 16:10:46 [Redis.cpp:92] Successfully connected to redis
> 127.0.0.1:6379@0
> 10/Jan/2017 16:10:46 [PcapInterface.cpp:85] Reading packets from interface
> eth0...
> 10/Jan/2017 16:10:46 [PcapInterface.cpp:254] Packet capture filter on eth0
> set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not
> net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
> 10/Jan/2017 16:10:46 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
> 10/Jan/2017 16:10:46 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
> 10/Jan/2017 16:10:46 [main.cpp:255] PID stored in file /var/run/ntopng.pid
> 10/Jan/2017 16:10:46 [Utils.cpp:341] User changed to nobody
> 10/Jan/2017 16:10:46 [HTTPserver.cpp:466] Please read
> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
> enable SSL.
> 10/Jan/2017 16:10:46 [HTTPserver.cpp:509] Web server dirs
> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
> 10/Jan/2017 16:10:46 [HTTPserver.cpp:512] HTTP server listening on port
> 3000
> 10/Jan/2017 16:10:46 [main.cpp:295] Working directory: /var/tmp/ntopng
> 10/Jan/2017 16:10:46 [main.cpp:297] Scripts/HTML pages directory:
> /usr/share/ntopng
> 10/Jan/2017 16:10:46 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161019
> - (C) 1998-2016 ntop.org
> 10/Jan/2017 16:10:46 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
> 10/Jan/2017 16:10:46 [PeriodicActivities.cpp:53] Started periodic
> activities loop...
> 10/Jan/2017 16:10:46 [RuntimePrefs.cpp:34] Dumping alerts into syslog
> 10/Jan/2017 16:10:46 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4 local
> network for eth0
> 10/Jan/2017 16:10:46 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64 as
> IPv6 local network for eth0
> 10/Jan/2017 16:10:46 [NetworkInterface.cpp:1538] Started packet polling on
> interface eth0 [id: 0]...
> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1058] Invalid packet received
> [len: 1804][MTU: 1518].
> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1059] WARNING: If you have
> TSO/GRO enabled, please disable it
> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1061] WARNING: Use: sudo
> ethtool -K eth0 gro off gso off tso off
>
> Seem that the filter passed but still can see IP 192.168.2.227 on my list!
>
> Gerhard,
>
> On Jan 10, 2017, at 4:04 PM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard,
>
> From the logs I can't see anything that confirms ntopng has read/parsed
> the bpf filter specified. It looks like the filter is ignored. I am
> not sure those logs contain the full output, though.
>
> Can you please run ntopng in foreground and paste the output? Simply call
> /usr/local/bin/ntopng /etc/ntopng/ntopng.conf
>
> Regards,
> Simone
>
> On Mon, Jan 9, 2017 at 8:46 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
> Configuration:
> --interface tcp://127.0.0.1:5556
> --packet-filter "ip and not proto ipv6 and not ether host
> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
> 10.0.0.39"
> --local-networks 10.0.0.0/24,192.168.2.0/24
> --daemon
> --user ntopng
> --pid /var/run/ntopng/ntopng.pid
> --http-port 0
> --https-port 3001
> --data-dir /var/lib/nst/ntopng
> --dns-mode 1
> --disable-autologout
> --disable-login 0
> --sticky-hosts none
> --http-prefix /ntopng
> --ndpi-protocols /etc/ntopng/protos.txt
>
> Log file:
> 09/Jan/2017 14:43:49 [Ntop.cpp:1121] Setting local networks to
> 10.0.0.0/24,192.168.2.0/24
> 09/Jan/2017 14:43:49 [Redis.cpp:92] Successfully connected to redis
> 127.0.0.1:6379@0
> 09/Jan/2017 14:43:49 [Ntop.cpp:1095] Parent process is exiting (this is
> normal)
> 09/Jan/2017 14:43:49 [Ntop.cpp:1267] Registered interface tcp://
> 127.0.0.1:5556 [id: 1]
> 09/Jan/2017 14:43:49 [Ntop.cpp:1279] Registered interface view tcp://
> 127.0.0.1:5556 [id: 1]
> 09/Jan/2017 14:43:49 [main.cpp:255] PID stored in file
> /var/run/ntopng/ntopng.pid
> 09/Jan/2017 14:43:49 [Utils.cpp:341] User changed to ntopng
> 09/Jan/2017 14:43:49 [HTTPserver.cpp:509] Web server dirs
> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
> 09/Jan/2017 14:43:49 [HTTPserver.cpp:515] HTTPS server listening on port
> 3001
> 09/Jan/2017 14:43:49 [main.cpp:295] Working directory: /var/lib/nst/ntopng
> 09/Jan/2017 14:43:49 [main.cpp:297] Scripts/HTML pages directory:
> /usr/share/ntopng
> 09/Jan/2017 14:43:49 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161013
> - (C) 1998-2016 ntop.org
> 09/Jan/2017 14:43:49 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
> 09/Jan/2017 14:43:49 [PeriodicActivities.cpp:53] Started periodic
> activities loop...
> 09/Jan/2017 14:43:49 [RuntimePrefs.cpp:34] Dumping alerts into syslog
> 09/Jan/2017 14:43:49 [NetworkInterface.cpp:1538] Started packet polling on
> interface tcp://127.0.0.1:5556 [id: 1]...
> 09/Jan/2017 14:43:50 [CollectorInterface.cpp:104] Collecting flows on
> tcp://127.0.0.1:5556 [ntopng->nprobe]
>
> Gerhard,
>
> On Jan 9, 2017, at 11:26 AM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard, please attach the configuration used and the full ntopng console
> output (or log file).
>
> On Mon, Jan 9, 2017 at 2:24 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
> Simone,
>
> The issue is that even if 10.0.0.39 is filtered to be excluded, it appears
> in the view of top hosts. Also, the IP 0.0.0.0 appears and I don't have any
> idea about what it is?
>
> GERHARD MOURANI | Spécialiste Telecom – Concepteur Logiciel
> 450 761-9973 p634 | gmour...@prival.ca
> 9935, rue de Châteauneuf, bureau 120, Brossard, Québec, J4Z 3V4
> Québec 418 907-8356 | Ottawa 613 689-1539 | Toronto 416 645-5626
> facebook.com/Prival-230867980323343
> linkedin.com/company/prival
>
> On Jan 8, 2017, at 5:36 AM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard,
>
> The filter is correct and properly parsed by ntopng. So what is the issue
> you are experiencing?
>
> Simone
>
> On Thu, Jan 5, 2017 at 7:58 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
> This doesn't work for me, I'm using the following parameters to exclude
> 10.0.0.39 which is my ntopng server IP:
> --packet-filter "ip and not proto ipv6 and not ether host
> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
> 10.0.0.39"
>
> Gerhard,
>
> On Jan 5, 2017, at 12:09 PM, brett.sti...@cargocarriers.co.zw wrote:
>
> Thank you Simone.
>
> I will try that tomorrow morning.
>
> Much appreciated.
>
> On January 5, 2017 6:40:25 PM GMT+02:00, Simone Mainardi <
> maina...@ntop.org> wrote:
>
> Brett, the filter is not complete. If you want to exclude 10.0.50.246
> set:
>
> --packet-filter="not host 10.0.50.246"
>
> If you look at the ntopng output you will see if the filter is parsed
> correctly.
>
> On Thu, Jan 5, 2017 at 4:05 PM, Brett Stiell (CCIH) <
> brett.sti...@cargocarriers.co.zw> wrote:
>
> Hi there.
>
> Thanks for getting back to me
>
> This is the contents of my ntopng.start file:-
>
> -G=/var/run/ntopng.pid
> --daemon=
> --local-networks="10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
> --packet-filter 10.0.50.246
> -m "10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
> --track-local-hosts
>
> Regards,
>
> Brett
>
> *From:* Simone Mainardi [mailto:maina...@ntop.org]
> *Sent:* Thursday, January 05, 2017 3:26 PM
> *To:* n...@unipi.it
> *Cc:* ntop mailing list
> *Subject:* Re: [Ntop] Excluding hosts or a subnet from being monitored
>
> Hi,
>
> --packet-filter is the proper way to do that. Can you please report the
> exact filter you specified? Also check (and paste) ntopng output. ntopng
> prints a confirmation message if it has successfully parsed the filter.
>
> Regards
> Simone
>
> On Thu, Jan 5, 2017 at 11:14 AM, Brett Stiell (CCIH) <
> brett.sti...@cargocarriers.co.zw> wrote:
>
> Hi.
>
> Is there any way to exclude a subnet or a range of hosts from being
> monitored and appearing on the dashboard etc.
>
> Our servers are in a specific IP range and I am not interested in
> receiving their usage data.
>
> I tried –B and –packet-filter and “not” but they don’t seem to work.
>
> Thanks
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
> --
> Sent from my Android device with Email Mail. Please excuse my
> brevity.
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
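
The check discussed in this thread (a filter written without `=` is dropped silently, and the only proof of an active filter is the confirmation line in the startup output) can be scripted. This is an added example, not part of the original messages or ntopng's code; the function names and sample inputs are constructed, and the message formats are taken from the logs quoted above.

```python
import re

# Message formats copied from the ntopng 2.4 startup logs quoted in this thread.
FILTER_SET = re.compile(r'Packet capture filter on (\S+) set to "([^"]*)"')
FILTER_IGNORED = re.compile(r"No filter can be set on a collector interface")
REGISTERED = re.compile(r"Registered interface (?!view )(\S+) \[id: \d+\]")
FILTER_OPTION = re.compile(r"^\s*--packet-filter(\s*=)?")

def filter_lines_without_equals(conf_text):
    """Config lines that give --packet-filter without '=', the form the
    thread reports as silently ignored."""
    hits = []
    for line in conf_text.splitlines():
        m = FILTER_OPTION.match(line)
        if m and m.group(1) is None:
            hits.append(line.strip())
    return hits

def audit_startup_log(log_text):
    """Map each registered interface to 'filtered', 'ignored' or 'unfiltered'.
    Assumption: as in the quoted logs, the filter message for an interface
    is printed before its "Registered interface" line."""
    status, filtered, ignored = {}, set(), False
    for line in log_text.splitlines():
        m = FILTER_SET.search(line)
        if m:
            filtered.add(m.group(1))
        elif FILTER_IGNORED.search(line):
            ignored = True
        else:
            m = REGISTERED.search(line)
            if m:
                name = m.group(1)
                status[name] = ("filtered" if name in filtered
                                else "ignored" if ignored else "unfiltered")
                ignored = False
    return status

# Constructed samples in the format of the quoted output (addresses are examples).
SAMPLE_CONF = '-i=eth0\n--packet-filter "not host 192.0.2.10"\n--community=\n'
LOG_WITH_FILTER = """\
13/Jan/2017 15:20:15 [PcapInterface.cpp:254] Packet capture filter on eth0 set to "not host 192.0.2.10"
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] ERROR: No filter can be set on a collector interface. Ignored not host 192.0.2.10
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556 [id: 1]
13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
"""
LOG_SILENT = """\
13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from interface eth0...
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
"""

if __name__ == "__main__":
    print(filter_lines_without_equals(SAMPLE_CONF))
    print(audit_startup_log(LOG_WITH_FILTER))
    print(audit_startup_log(LOG_SILENT))
```

An interface reported as `unfiltered` or `ignored` is being monitored in full, whatever the configuration file says.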